John Leyden 09 June 2022 at 15:18 UTC

APTs hammering unpatched vulnerabilities

Chinese state-sponsored attackers are placing a heavy reliance on known but commonly unpatched vulnerabilities to “establish a broad network of compromised infrastructure”, a US federal security agency warns.

While previously unknown (zero-day) vulnerabilities and novel exploits usually grab the most headlines, a joint advisory from the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warns that attacking “publicly known” flaws has become a mainstay of Chinese cyber-espionage.

**Hit list**

The advisory offers a list of network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.

Flaws in small business-focused routers, SSL VPNs, and Network Attached Storage (NAS) devices from the likes of Cisco, Fortinet, Netgear and QNAP feature heavily on the list.

Some of the main attacks in play can achieve remote code execution (RCE) against unpatched systems while others achieve their aims by achieving authentication bypass or privilege elevation.

Catch up on the latest cyber-attack news and analysis

Chinese state-backed attackers are using publicly available exploit codes against virtual private network (VPN) services or public facing applications to hack into major telecommunications companies and network service providers, creating a platform for follow-up attacks.

Hacked systems “serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities”, according to the CISA’s advisory, which builds on previous US intel agency reporting.

By building a network of compromised systems that act as a platform for follow-up assaults, Chinese APTs are hiding or obfuscating the source of attacks, making detection and response more challenging.

Industry experts said that CISA’s latest advisory is designed to hammer home the importance of prompt patching.

**Slow patching peril**

Andrew Kahl, CEO of BackBox, commented: “Last month CISA released a joint advisory (PDF) that recommended prioritizing the patching of software containing known vulnerabilities.

“These two advisories within a month of each other indicates threat actors are increasingly targeting known vulnerabilities, because they understand many organizations are slow to implement patches.”

Kahl added: “One of the most common vectors for attackers is through known vulnerabilities that otherwise could have been patched. In fact, 87% of organizations have experienced an attempted exploit of an already-known, existing vulnerability.”

**Hiding in plain sight**

Terry Olaes, director of sales engineering at Skybox, said that CISA’s alert pointed towards a need to adapt enterprise vulnerability remediation strategies to provide better coverage for less severe but actively exploited vulnerabilities.

Prompt triage would help organizations to protect themselves against attacks from a wide range of potential adversaries.

“Cybercriminals are increasingly targeting known vulnerabilities hiding in plain sight and turning them into backdoors to deploy complex attacks that are increasing at record rates,” Olaes said.

“If organizations only rely on conventional approaches to vulnerability management, they may only move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS).”

Olaes concluded: “Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks.”

RELATED Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks

Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.
The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.

The issue — referenced as **DogWalk** — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted ".diagcab" archive file that contains a diagnostics configuration file.

The idea is that the payload would get executed the next time the victim logs in to the system after a restart. The vulnerability affects all Windows versions, starting from Windows 7 and Server Server 2008 to the latest releases.

DogWalk was originally disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue.

"There are a number of file types that can execute code in such a way but aren't technically 'executables,'" the tech giant said at the time. "And a number of these are considered unsafe for users to download/receive in email, even '.diagcab' is blocked by default in Outlook on the web and other places."

While all files downloaded and received via email include a Mark-of-the-Web (MOTW) tag that's used to determine their origin and trigger an appropriate security response, 0patch's Mitja Kolsek noted that the MSDT application is not designed to check this flag and hence allows the .diagcab file to be opened without warning.

"Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a website, and it only takes a single click (or mis-click) in the browser's downloads list to have it opened," Kolsek said.

"No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing \[the\] attacker's code."

The patches and the renewed interest in the zero-day bug follow active exploitation of the "Follina" remote code execution vulnerability by leveraging malware-laced Word documents that abuse the "ms-msdt:" protocol URI scheme.

According to enterprise security firm Proofpoint, the flaw (CVE-2022-30190, CVSS score: 7.8) is being weaponized by a threat actor tracked as TA570 to deliver the QBot (aka Qakbot) information-stealing trojan.

"Actor uses thread hijacked messages with HTML attachments which, if opened, drop a ZIP archive," the company said in a series of tweets detailing the phishing attacks.

"Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start QBot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot."

QBot has also been employed by initial access brokers to gain initial access to target networks, enabling ransomware affiliates to abuse the foothold to deploy file-encrypting malware.

The DFIR Report, earlier this year, also documented how QBot infections move at a rapid pace, enabling the malware to harvest browser data and Outlook emails a mere 30 minutes after initial access and propagate the payload to an adjacent workstation around the 50-minute mark.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.

"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep \[them\] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.

"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."

**Silver Lining**

But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less \[attacker\] dwell time," he said.

Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.

There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame dwell time used to be that they had access for about seven days, and that's coming down to four to five days now. That speed means it's getting harder to monetize" and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're \[also\] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with \[mostly\] no risk of repercussions for the bad guys."

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. There's nothing harder to respond to; something that's public, the hacker is vocal and making claims. And a company can't dispute them \[at first\] because they have to figure out the answers first. Those are terrible situations."  

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."

**Googling Mandiant**

Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.

"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.  

"If there's ever a deepfake or false-flag operation, it will be a human that will \[spot it\]," Mandian said.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

Through the Wire is a proof of concept exploit for CVE-2022-26134, an OGNL injection vulnerability affecting Atlassian Confluence Server and Data Center versions 7.13.6 LTS and below and versions 7.18.0 "Latest" and below. This was originally a zero-day exploited in-the-wild.

Through The Wire CVE-2022-26134 Confluence Proof Of Concept

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.

Researchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a blog post published last week.

The researchers tracked the activity to a public exploit for the vulnerability, CVE-2022-26134, that’s been spreading rapidly, and subsequently reported the flaw to Atlassian. As observed by Volexity researchers, what’s being described as an “OGNL injection vulnerability” appears to allow for a Java Server Page (JSP) webshell to be written into a publicly accessible web directory on Confluence software.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” researchers wrote. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

Atlassian released a security advisory the same day that Volexity went public with the flaw, warning customers that all supported version of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) to issue a warning of its own about the flaw.

A day later, Atlassian released an update that fixes the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it’s also strongly recommending that customers update as soon as they can. If that’s not possible, the company provided in the advisory what it stressed is a “temporary” workaround for the flaw by updating a list of specific files that correspond to specific versions of the product.

**Threat Escalation**

In the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already throttling the vulnerability. Many versions of the affected products also remain unpatched, which also creates a dangerous situation.

“CVE-2022-26134 is about as bad as it gets,” observed Naveen Sunkavalley, chief architect of security firm Horizon3.ai, in an email to Threatpost.  Key issues are that the vulnerability is quite easy both to find and exploit, with the latter possible using a single HTTP GET request, he said.

Moreover, the public exploits recently released that allow attackers to use the flaw to enable arbitrary command execution and take over the host  against a number of Confluence versions—including the latest unpatched version, 7.18.0, according to tests that Horion3.ai has conducted, Sunkavaley said.

Indeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. On Saturday, Andrew Morris, the CEO of cybersecurity firm GreyNoise tweeted that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities. On Monday, Morris tweeted again that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.

****Potential for a SolarWinds 2.0?****

Sunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.

“Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,” Sunkavalley said.

What’s more, the vulnerability is a source-code issue, and attacks at this level “are some of the most effective and long reaching attacks on the IT ecosystem,” observed Garret Grajek,  CEO of security firm YouAttest.

The now-infamous Solarwinds supply-chain attack that started in December 2020 and extended well into 2021 was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.

“By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,” Grajek said.

For this reason, it’s “imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,” he asserted.

Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

We take a look at the upcoming Microsoft Autopatch feature to help make updates a breeze for network admins.
The post Microsoft Autopatch is here…but can you use it? appeared first on Malwarebytes Labs.

Updating endpoints on a network can be a daunting task. Testing before rollout can take time. Delays to patches going live can cause all manner of headaches. Windows Autopatch aims to tackle some of these issues, and is now live for public preview. The release comes with a few caveats which you’ll want to keep in mind.

**Fixing a patchy experience**

First announced in April and slated for general release come July, Windows Autopatch is designed to free stressed sysadmins from some of the heavy lifting around updates. Billed as a managed service available to (some) users of Microsoft products, the software giant had this to say about it:

> The development of Autopatch is a response to the evolving nature of technology. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end. Business needs change in response to market shifts.
> 
> This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. For organizations who select this option, the second Tuesday of every month will be ‘just another Tuesday’.

This automated patching setup is complemented by four so-called “testing rings”. This is a way to divide up all of an organisation’s devices in a manner which allows for efficient testing and updating. The smallest ring is the initial “test ring”, which has an unspecified minimum number of devices. It’s followed by the “first”, “fast”, and “broad” rings which comprise 1%, 9% and 90% of devices under management respectively.

Assuming all is well after a validation period in one of the rings, the updates filter out to the next ring for more testing. All the while, performance is monitored to ensure everything works at least as well as it did pre-update.

The result, according to Microsoft, is a “rollout cadence that balances speed and efficiency, optimising product uptime”.

**But not without caveats**

It would be unrealistic to think all networks and devices can simply switch on this new service. Indeed, there’s quite a list of requirements before you can get anywhere near this process. There’s no hardware requirements, though you can’t use it in conjunction with a “bring your own device” (BYOB) policy.

From Microsoft’s blog:

**Intune only**:

*   Azure Active Directory (Azure AD)
*   Microsoft Intune
*   Windows 10/11 supported versions

**Co-management**:

*   Hybrid Azure AD-Joined or Azure AD-joined only
*   Microsoft Intune
*   Configuration Manager, version 2010 or later
*   Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune (min Pilot Intune)
*   Co-management workloads

**What are the licensing requirements for Windows Autopatch?**

*   Windows 10/11 Enterprise E3 and up
*   Azure AD Premium (for co-management)
*   Microsoft Intune (includes Configuration Manager, version 2010 or greater via co-management)

**Not a magic fix for everything**

Patching is incredibly important to the well-being of your network and devices. However, as useful as Autopatch will no doubt be, it can’t fix everything. Sometimes vulnerabilities occur like the Follina zero-day, and there’s no patch forthcoming. When this happens, you need workarounds and mitigations, and defence in depth.

Security tools and smart security practises by device users are two of the additional ways to keep compromise at bay until updates are released. If you’ve been waiting on Microsoft Autopatch since it was first announced, stay tuned to upcoming Microsoft announcements. Just keep those caveats, and your security setup, in mind should you go and make the leap.

Microsoft Autopatch is here…but can you use it?

User data related to at least 500,000 Android accounts at risk

User data related to at least 500,000 Android accounts at risk

A chained, zero-day exploit could potentially expose all user data in the backend of the companion mobile application for a popular smart weight scale, security researchers have claimed.

Bogdan Tiron, managing partner at UK infosec firm Fortbridge, discovered five vulnerabilities in the Yunmai Smart Scale app, three of which he said could be combined to take over accounts and access user details such as name, gender, age, height, family relationship, and profile photo.

As of May 12, China-based IoT product vendor Zhuhai Yunmai Technology had apparently implemented a fix for only one of the flaws – and even then, Tiron said he managed to bypass the patch.

The flaws were discovered during a penetration test of the Yunmai Android and iOS apps.

**Tipping the scales**

The Yunmai Smart Scale and app allows users to record and track their weight, body-mass index (BMI), body fat percentage, visceral fat, and various other health indicators.

The Android application alone has been downloaded more than 500,000 times.

The chained exploit first involves abusing a enumeration flaw by brute-forcing s into leaking parent uid (‘’) account values. values are then used to add child (‘family member’) accounts to registered parent accounts, made possible by the API’s failure to perform authorization checks.

Catch up on the latest IoT security news

Finally, when the family account is created the corresponding ‘’ and ‘’ are leaked and could be leveraged by attackers “to impersonate the ‘family member’ accounts, switch between the accounts of the family members, and query all their data”, according to a blog post penned by Tiron.

A fourth flaw, meanwhile, means attackers could take over any user account because the Android ‘password reset’ function fails to properly invalidate previously generated ‘forgot password’ tokens when a user requests a new ‘forgot password’ token (the function did not work at all on the iOS app).

“As a result, an attacker can request multiple tokens to be sent to the victim’s email, in order to increase his chances of guessing that code and changing the victim’s password,” said Tiron.

The fifth and final flaw saw the researcher bypass a limit of 16 family members per primary account, as the limit is enforced client-side but not server-side.

**Partial patch**

Tiron disclosed the flaws during September and October 2021. Yunmai’s support team responded to the initial disclosure, but the development team still has not replied, with Fortbridge last emailing them directly on May 18.

Tiron published his findings on May 30.

“To the best of my knowledge none of the findings have been fixed,” the researcher told The Daily Swig. “Last time I have checked on 12th of May, all findings were still unpatched.”

The researcher said he successfully circumvented the sole observed fix, for the ‘forgot password’ issue.

“Unfortunately, Yunmai users are exposed to these issues and there’s nothing they can do to protect themselves at the application level, because these are all issues with the backend API and only Yunmai developers can fix them,” Tiron continued.

“IoT devices have gained a bad reputation in terms of security in the last couple of years and it’s sad to see that things have not improved. We would have expected that Yunmai did at least a pen test before releasing this product or at least that they would have been more responsive when we reached out to them.”

We have invited Zhuhai Yunmai Technology to comment on these findings and will update the article if and when they reply.

As previously reported by The Daily Swig, Fortbridge research has last year included the discovery of serious remote code execution (RCE) vulnerabilities in popular open source content management systems (CMS’) Concrete and Joomla, as well as in web hosting platform cPanel & WHM.

YOU MIGHT ALSO LIKE Horde Webmail contains zero-day RCE bug with no patch on the horizon

Unpatched bug chain poses ‘mass account takeover’ threat to Yunmai weight monitoring app

China suspected in assaults against enterprises running collaboration platform

John Leyden 06 June 2022 at 12:53 UTC

China suspected in assaults against enterprises running collaboration platform

Confluence Server and Data Center users are being urged to update their systems in response to a remote code execution (RCE) vulnerability that’s the target of active attacks in the wild.

The vulnerability (tracked as CVE-2022-26134) opens the door for even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed.

Users are urged to apply patches published by Atlassian, the software developer behind Confluence, on Friday (June 3). Enterprises unable to patch should apply the recommended workarounds, as explained in an advisory by Atlassian.

**CISA warning**

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising US federal agencies to block internet traffic to Confluence Server and Data Center installs and apply Atlassian’s patch or else remove affected instances by the close of business on Monday, June 6.

Attacks against the vulnerability on internet-facing Atlassian Confluence servers have been logged by threat response specialists at both Volexity and Rapid7’s Managed Detection and Response (MDR) team.

Catch up with the latest cyber-attack news and analysis

Volexity reports that attacks began last week on what was at the time a zero-day vulnerability in Atlassian Confluence Server. The RCE vulnerability was used to deploy an in-memory Java-based web server implant, known as ‘Behinder’, in an attempt to evade detection.

“Once Behinder was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell,” Volexity explains in a technical blog post.

The tools and technique behind the attack have allow Volexity threat researcher Paul Rascagnères to identify China as the most likely suspect.

Confluence is a popular web-based collaboration software platform. The Daily Swig asked Volexity to offer an estimate on the number of vulnerable internet-facing Confluence servers as well as speculating on the end goal of the attacks.

No word back, as yet, but we’ll update this story as and when more information comes to hand.

DON’T MISS Researcher goes public with WordPress CSP bypass hack

Incoming! Atlassian Confluence attacks prompt calls for rapid patching

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.
Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 — another security flaw the Australian software company patched in August 2021.
Both relate to a case of

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.

Tracked as **CVE-2022-26134**, the issue is similar to **CVE-2021-26084** — another security flaw the Australian software company patched in August 2021.

Both relate to a case of Object-Graph Navigation Language (OGNL) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.

The newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -

*   7.4.17
*   7.13.7
*   7.14.3
*   7.15.2
*   7.16.4
*   7.17.4
*   7.18.1

According to stats from internet asset discovery platform Censys, there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with most instances located in the U.S., China, Germany, Russia, and France.

Evidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.

"The targeted industries/verticals are quite widespread," Steven Adair, founder and president of Volexity, said in a series of tweets. "This is a free-for-all where the exploitation seems coordinated."

"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this vulnerability.

**Vulnerability Details**

The vulnerability, CVE-2022-26134, is reportedly associated with command injection. An attacker could exploit this vulnerability to execute remote code and, per reports, is being actively exploited in the wild. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as webshells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.

The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations.

**Mitigations**

Atlassian has released a set of patches to mitigate the vulnerability. Enterprises are encouraged to test and apply the patch immediately to mitigate the ongoing attacks, patched versions include: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Additionally, they have provided a series of steps to be performed to help mitigate the risk if the patches cannot be applied for any reason.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2022-26134:

**SIDs: 59925-59934**

Tag

#zero_day