Atlassian’s wiki software Confluence Server and Data Center are vulnerable, and that is exactly what attackers are currently exploiting. According to observations by security researchers, attackers scan for systems, attack them and try to install a crypto-mining Trojan.
Attacks on Linux and Windows servers
The security hole (CVE-2021-26084), classified as “critical”, is located in the Confluence Server Webwork OGNL component. Little is known about possible attack scenarios. Attackers must be authenticated for a successful attack. In some cases, however, attacks are reportedly also possible without authentication.
Among others, the security researchers from Bad Packets are now warning on Twitter about attacks on Linux and Windows servers running vulnerable Confluence versions. After a successful attack, the crypto miner XMRig, for example, reportedly lands on the systems and consumes their computing power to mine cryptocurrency.
If not a patch, then a workaround
But it doesn’t have to stop there: attackers could also leave backdoors or spyware on the servers. They could also compromise entire networks and, for example, copy internal business information. Admins should promptly install one of the fixed versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 or 7.13.0. All earlier versions are reported to be vulnerable. Atlassian advises admins to install the Long-Term Support Edition 7.13.0 (LTS). A post explains how to upgrade.
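To check an inventory of Confluence instances against the fixed releases named above, here is an added example (not code from Atlassian or from the article). It assumes that a version is only fixed if it is 7.13.0 or later, or sits in one of the named maintenance branches at or above the listed patch level; everything else is treated as vulnerable.

```python
# Added example: classify Confluence Server/Data Center version strings with
# respect to the releases that fix CVE-2021-26084 (6.13.23, 7.4.11, 7.11.6,
# 7.12.5, 7.13.0). Assumption, not stated by the article: a version is fixed
# only when it is 7.13.0 or later, or when it is in one of those maintenance
# branches at or above the listed patch level.
from typing import Tuple

FIXED_RELEASES = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.12.5' into (7, 12, 5); missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(version: str) -> bool:
    """True when the installed version carries the fix for CVE-2021-26084."""
    installed = parse_version(version)
    fixed = [parse_version(v) for v in FIXED_RELEASES]
    lts = max(fixed)  # 7.13.0: every release from here on is fixed
    if installed >= lts:
        return True
    # Backported fixes: same major.minor branch, patch level at or above the fix
    for fv in fixed:
        if installed[:2] == fv[:2] and installed >= fv:
            return True
    # Branches without a backport (e.g. 7.5.x) and older patch levels stay vulnerable
    return False


def assess(version: str) -> str:
    """Human-readable verdict for one version string."""
    if is_fixed(version):
        return f"Confluence {version}: contains the fix for CVE-2021-26084"
    return (f"Confluence {version}: VULNERABLE, upgrade to one of "
            + ", ".join(FIXED_RELEASES))


if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real hosts
    for v in ("6.13.22", "6.13.23", "7.4.11", "7.5.0", "7.12.4", "7.12.5", "7.13.1"):
        print(assess(v))
```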
If admins cannot install a security update right now, they should temporarily secure the Confluence server with the script for Linux or Windows that Atlassian provides (to be found under Mitigation).