Users of Atlassian should hurry to patch a remote code execution vulnerability that has been linked to hackers in China. The attackers were able to use the zero-day vulnerability to breach a number of organizations before the issue was detected and remediated.
The attacks were first noted by security researchers in late May. Atlassian warned customers of the possibility of remote code execution in early June, but did not yet have a patch ready (nor was it able to offer any useful remediation technique other than blocking all internet traffic). The patch followed shortly, however; users running Confluence Server 7.18.0 and/or Data Center 7.4.0 or newer will need to update to a new version to fix the issue.
Second remote code execution vulnerability to hit Atlassian in a year described as “critical”
The new zero-day vulnerability follows another remote code execution issue that was discovered in Atlassian software in August 2021. Like the current issue, it was discovered by threat actors, and there were a number of successful attacks in the wild before it was patched. One key difference is that a criminal group appears to have discovered the earlier flaw, as it was used to plant crypto miners on target systems. There is evidence that the current issue was found and exploited by China’s state-backed hacking teams.
This continues a general trend of zero-day vulnerabilities being exploited by nation-state hacking teams. Those that discover these flaws often find that selling them to these advanced persistent threat groups is more profitable than attempting to directly make use of them, and nation-state hackers have been known to sit on them for long periods before choosing an opportune moment to deploy them.
Zero-day vulnerability put to use in several attacks, “hundreds” of additional attempts followed publication
The remote code execution flaw exclusively impacts Atlassian’s self-managed server products, which the company has announced will be retired by 2024. Atlassian Cloud, which the company is urging customers to migrate to, is not impacted.
Prior to the issuance of the patch, Atlassian’s only remedy for the zero-day vulnerability was to have clients either block all traffic to the impacted products or simply take them offline. After the exploit was published, the U.S. federal government ordered all of its agencies to do exactly that. The publication of the zero-day vulnerability also led to an immediate spike in attempts to use it, with “hundreds” of attackers from around the world joining the initial China-linked actors within the space of a couple of days.
Immediate patching is strongly recommended due to the simplicity of scanning for and exploiting the vulnerability; some security researchers have described it as “as bad as it gets.” Confluence Server and Data Center need to be updated to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, or 7.18.1 to be protected from the flaw. An estimated 9,000 systems worldwide are thought to be vulnerable to this attack and in need of immediate updating, as that is the only available means of protection.
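For a defender with many Confluence instances, the practical question raised by the version ranges above (the 7.18.0 / 7.4.0-or-newer scope and the list of fixed releases) is which hosts are still on a pre-fix version and which release each should move to. The script below is an added example, not code from Atlassian or from the original article. It encodes only the fixed releases named in this article, keyed by release branch; the hostnames and versions in the sample inventory are constructed for the example, and two choices are assumptions rather than statements from the article: a branch with no in-branch fix (for example 7.10.x) is pointed at the next higher fixed branch, and versions outside the range the article covers are reported as needing a check against the vendor advisory rather than being classified.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed Confluence Server / Data Center releases named in the article, keyed by
# the 7.x release branch each belongs to.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}

# Lower bound of the version range the article describes as needing an update.
ADVISORY_FLOOR: Version = (7, 4, 0)
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify one installed version.

    Returns (status, target) where status is one of:
      'patched'               - at or above the fixed release for its branch
      'vulnerable'            - below the fixed release; target is the release to move to
      'check-vendor-advisory' - outside the range this article covers (assumption:
                                do not guess, confirm against the vendor advisory)
    """
    v = parse_version(version_text)
    branch = v[:2]
    if v < ADVISORY_FLOOR or branch > NEWEST_FIXED_BRANCH:
        return "check-vendor-advisory", None
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        if v >= fixed:
            return "patched", None
        return "vulnerable", ".".join(map(str, fixed))
    # Branch with no in-branch fix (e.g. 7.10.x). Assumption made here: recommend
    # the nearest fixed branch above it as the upgrade target.
    next_branch = min(b for b in FIXED_RELEASES if b > branch)
    return "vulnerable", ".".join(map(str, FIXED_RELEASES[next_branch]))


def triage_inventory(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Triage 'hostname,version' inventory lines; unparsable lines are reported, not dropped."""
    results: List[Dict[str, Optional[str]]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status, target = assess(version)
        except ValueError as exc:
            status, target = "unparsable", str(exc)
        results.append({"host": host.strip(), "version": version.strip(),
                        "status": status, "target": target})
    return results


# Constructed sample inventory: hostnames and versions are invented for this example.
SAMPLE_INVENTORY = [
    "# host,confluence_version",
    "wiki-prod-01,7.18.0",
    "wiki-prod-02,7.18.1",
    "wiki-dc-01,7.4.12",
    "wiki-legacy,7.10.2",
    "wiki-old,6.13.0",
    "wiki-bad,seven",
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['version']:<8} {row['status']:<22} {row['target'] or ''}")
```

Version strings are compared as integer tuples rather than as text so that 7.4.12 sorts below 7.4.17 (a plain string comparison would get this wrong), and a host whose version cannot be parsed is surfaced as a row of its own rather than silently skipped, since an inventory gap is exactly the kind of host that stays unpatched.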