Initially, when the Confluence Server vulnerability was discovered, it was thought to be an internal threat only. A simple search in your favorite search engine will show that Atlassian Confluence Server breaches are happening at an alarming rate. US Cybercom sent out the following tweet on Friday, the 3rd of September.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend.”
If you are unsure whether you have a Confluence Server, don’t just email your IT team; go and check. If you work remotely, make a phone call and get the right person on the line who can verify whether you are one of the companies with an exposed vulnerability.
Additionally, make sure that your IT team and its leadership are plugged in to the correct information sources to get the most current bulletins on critical cyber security issues as they are discovered. Sign up for the LIFARS SMS Alert System to receive critical alerts on cyber security issues. This is not used as a sales tool, and you don’t even need to enter your name. It is for critical security messaging only.
LIFARS has responded to breach cases of Confluence Servers and can confirm there are active external threats that have used the known Atlassian Confluence vulnerability to access the Confluence Server. We have seen multiple instances of this attack from multiple companies. In their Confluence Service Advisory Notice released August 25th, 2021, Atlassian categorized the issue as a “critical severity security vulnerability” that was discovered in Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
“In affected versions of Confluence Server and Data Centers, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” the NIST reports in its description of the vulnerability, which it rates as a 9.8 out of 10 on the critical scale. The NIST bulletin and advisory can be found at CVE-2021-26084.
There are varying estimates of the number of servers potentially vulnerable, and to this point the breaches have been through on-premises servers only. If you have Confluence Servers as a part of your system and have not applied the known fix through the patch, we recommend you switch over to your backup server and take the Confluence Server offline ASAP for investigation.
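The affected version ranges from the Atlassian advisory quoted above can be turned into a quick inventory triage. This is an added example, not code from LIFARS or Atlassian; the function names are hypothetical and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected ranges as listed in the advisory text above.
# Each pair is (first affected version, first fixed version); the upper bound is exclusive.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple, or return None if it does not parse."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(text):
    """Return 'affected', 'not in affected ranges', or 'unknown' for a version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # cannot be ruled out, so someone has to check by hand
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "affected"
    return "not in affected ranges"

def triage(inventory):
    """Return (host, version, status) rows needing action: affected first, then unknown."""
    priority = {"affected": 0, "unknown": 1}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    rows = [row for row in rows if row[2] in priority]
    return sorted(rows, key=lambda row: (priority[row[2]], row[0]))

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "wiki-a.example.internal": "7.12.4",
    "wiki-b.example.internal": "7.13.0",
    "wiki-c.example.internal": "6.13.23",
    "wiki-d.example.internal": "7.4.10",
    "wiki-e.example.internal": "7.x-custom",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {ver:12} {status}")
```

A host that reports a fixed version may have been compromised before it was patched, so a clean result here does not replace the investigation.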
LIFARS is an Incident Response and Digital Forensic Investigation company based in New York City, taking care of clients across the United States and across the world. With extensive Digital Forensic Investigation experience, LIFARS helps clients of all sizes and revenue streams who find themselves mired in cyber incidents.