Posted on July 31, 2022 at 9:12 PM
CISA Says Hackers Are Exploiting Known Confluence Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability to its catalog based on evidence of active exploitation.
According to the agency, the vulnerability, tracked as CVE-2022-26138, stems from hard-coded credentials found in Confluence Server and Data Center. CISA noted that the vulnerability can give remote attackers the ability to log in using those hardcoded credentials after successful exploitation.
Last week, Australian software company Atlassian revealed that hackers can take advantage of an unpatched version of the Questions for Confluence app, which creates an account with hardcoded credentials. The app is installed by over 8,000 users, which gives attackers a massive window of opportunity to carry out their exploitation.
CISA Urges Admins To Update Their Server
After releasing a fix for the vulnerability, the firm informed admins to update their servers as soon as possible. The firm warned admins that the hardcoded password has already been found and shared online and that only patched or updated servers will be safe from such exploitation.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” Atlassian stated. The company added that hackers are capable of using the hardcoded credentials to log into vulnerable Confluence Server and Data Center instances to carry out their attacks.
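As an added example that is not part of the article and not Atlassian's or CISA's code: the vulnerability is a login with a known account, so the defender's two checks are whether that account has been used and whether it is still enabled. The account name `disabledsystemuser` is the one Atlassian's advisory lists for CVE-2022-26138; the access-log layout, the user-directory record shape and every log line below are assumptions constructed for the example, and the regex should be adjusted to whatever pattern a given Confluence instance actually writes.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Account name published in Atlassian's advisory for CVE-2022-26138 (the account
# the Questions for Confluence app creates). Kept in a set so that other names
# can be watched the same way.
WATCHED_ACCOUNTS = {"disabledsystemuser"}

# Assumed access-log layout (constructed for this example, modelled on a common
# Tomcat access-log pattern):
#   <ip> - <user> [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    timestamp: str
    ip: str
    user: str
    path: str
    status: int
    outcome: str  # "success" (2xx/3xx) or "rejected"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_access_log(lines: Iterable[str], watched=WATCHED_ACCOUNTS) -> List[Finding]:
    """Flag every request made under a watched account.

    A 2xx/3xx status means the hardcoded credentials worked; a rejected request
    is still reported, because it shows that someone is trying them.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in watched:
            continue
        status = int(rec["status"])
        findings.append(Finding(rec["ts"], rec["ip"], rec["user"], rec["path"],
                                status, "success" if status < 400 else "rejected"))
    return findings


def unremediated_accounts(users: Iterable[dict], watched=WATCHED_ACCOUNTS) -> List[str]:
    """Return watched accounts that still exist and are enabled.

    `users` is a list of records in a constructed shape, {"name": str, "active": bool},
    as one might build from a user-directory export. Atlassian's remediation is to
    disable or delete the account, so a non-empty result means the instance is
    still exposed even if the app itself was updated.
    """
    return sorted(u["name"] for u in users
                  if u["name"] in watched and u.get("active", False))


# Constructed sample data (not real log lines or real users).
SAMPLE_LOG = [
    '203.0.113.7 - disabledsystemuser [31/Jul/2022:20:11:02 +0000] "GET /rest/api/content HTTP/1.1" 200 5120',
    '198.51.100.2 - alice [31/Jul/2022:20:11:05 +0000] "GET /dashboard.action HTTP/1.1" 200 2048',
    '203.0.113.7 - disabledsystemuser [31/Jul/2022:20:12:40 +0000] "GET /admin/ HTTP/1.1" 403 210',
    'garbage line that does not parse',
]
SAMPLE_USERS = [
    {"name": "alice", "active": True},
    {"name": "disabledsystemuser", "active": True},
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.user} {f.path} -> {f.status} ({f.outcome})")
    print("watched accounts still enabled:", unremediated_accounts(SAMPLE_USERS))
```

Any `success` finding dated before the account was disabled means content readable by that account should be treated as exposed; the second function is the post-patch check, since updating the app alone does not remove an account that was already created.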
This comes as cybersecurity firm Rapid7 published a report, warning that the vulnerability will be actively exploited in the wild. However, no information was provided on the attacks or how threat actors were able to infiltrate the server.
Rapid7 expected exploitation to follow as soon as the hardcoded credentials were released. This is due to the high value of Confluence to attackers, who regularly take advantage of bugs in Confluence to carry out ransomware attacks.
Agencies Secure Their Systems Against Attacks
Following the revelation by CISA, federal agencies are now securing their servers against attacks. CISA issued a binding operational directive last November. As expected, Federal Civilian Executive Branch (FCEB) agencies have also added more security layers to their servers.
CISA has also given federal agencies three weeks to secure their servers and apply the necessary patch to prevent attacks on their networks. The agency is responsible for supporting the security of these servers by providing accurate and timely intelligence on imminent cyberattacks, and it does a great deal more to help other institutions counter threat actors effectively.
The directive, Binding Operational Directive (BOD) 22-01, applies only to US federal agencies. CISA has nonetheless advised organizations across the country to update their servers immediately to avoid becoming victims of these cyberattacks.
The agency added that the recent vulnerability discovery shows that threat actors are always looking for loopholes that will enable them to strike and launch attacks on the targeted system.
CISA has added hundreds of security vulnerabilities to its catalog since the directive was issued. After each addition, the agency informs other federal agencies and orders them to patch the flaw to prevent it being exploited.
More Threat Actors Are Targeting Confluence Servers
Threat actors consistently see Confluence servers as targets, which makes securing them very important. This has been demonstrated in the past by the Cerber2021 and AvosLocker ransomware, and Confluence servers have also been exploited to deploy crypto miners and Linux botnet malware. CISA says an attack resulting from this vulnerability could be real and catastrophic. The one reassurance is that, unlike more persistent threats, a simple server update cuts off this one.
CISA also warned about a new zero-day vulnerability seen by tech giant Microsoft in its Windows products. The agency pointed out that patches have already been provided. However, users need to update their systems to avoid being victims due to the vulnerability.
At the same time, CISA updated its vulnerability catalog to include the zero-day discovered by Microsoft’s security researchers. The flaw, labeled CVE-2022-22047, affects CSRSS and is an elevation of privilege vulnerability. CISA has urged agencies and organizations to regularly check its website for more information about any vulnerability and how to protect their servers.