Blog
07.08.2022

Atlassian Confluence Vulnerability Attack – Virsec Protects Your System

By Virsec

Over the Memorial Day weekend, cyber security firm, Volexity, identified a security vulnerability on the Atlassian Confluence Server software. On June, 2, 2022, Atlassian published a security advisory for customers using Atlassian Confluence (a team workspace application) about a zero-day vulnerability.

This vulnerability allowed attackers to execute a remote attack on Confluence Server or Data Centre products. So, what does this mean in cyberattack terms? Attackers can leverage this vulnerability in different ways. They can drop potentially malicious payloads, take over an account, disrupt business continuity, and even hold critical data hostage for ransom.

Almost immediately, the company released mitigation information, but attacks kept surging even a few weeks after the vulnerability was identified. This has illustrated the need for deploying security solutions that can address the blowback stemming from system vulnerabilities.

 

Understanding the Attack Pattern

image (24)

We already know we are dealing with an unauthenticated remote code execution vulnerability. The attack kill chain, begins with the attacker searching for a vulnerable Confluence server, and upon discovery, the vulnerability is exploited to gather information such as IP address, and user info. It can even be used to download a backdoor that can help make more inroads later on in the attack.

The next stages in the attack kill chain include the attacker leveraging the backdoor to drop malware and get user privilege to accounts that can only be accessed by authorized users only. This allows the attack to spread laterally through the network and impact connected systems. It is important to underline that the extent of the attack is determined by the attacker’s objectives.

So far, all is well and good for the attacker. There is no pushback, but this only happens if there is no security solution defending this attack.

What if you have Virsec holding down the fort for you?

Virsec enters the arena before the attack can progress laterally, right at attack stage #3, blocking the zero-day command injection attack. Attackers are stopped right before they can wreak havoc, and it doesn’t end there. Virsec also prevents attackers from running malicious software or commands even in the later stages of the kill chain.

image (25)

 

Virsec in Action

Here's a drilldown on how Virsec can protect your organization from cyber attackers targeting the Confluence server.

Initially, before using the attacker box, the Confluence server is stable and protected by Virsec.

image (26)

In order to demonstrate the attack, a web shell is launched by running a command. The success of the exploit is illustrated by accessing the IP details of the victim machine. A ‘whoami’ command, helps verify the user, and it is confirmed that it is a Confluence user.

image (27)

The attacker now has the liberty to perform malicious actions including privilege elevation, backdoor installation, and much more.

On the CMS dashboard, users can see two tickets for command injection, which also help identify the attacker’s IP address.

image (28)

Virsec reports another ticket as the ‘whoami’ command.

image (29)

If and when the protect mode is enabled in the Confluence server, the exploit is unsuccessful as Virsec blocks remote code execution.

image (30)

 

Patches are Good, But Protection is a Must

There is a reason why attackers love a zero-day vulnerability. It is called zero-day, because the vulnerability is public, but the security patch that addresses this vulnerability isn’t rolled out yet. It may take a few days before the patch is rolled out to users, and it is this timeframe that is absolutely critical, when it comes to securing your systems. It offers the perfect window of opportunity to cybercriminals to launch their attack. In the event that your server/system remains unprotected, criminals will have a field day exploiting the vulnerability.

Virsec is purpose-built to defend against zero-day attacks by delivering complete visibility over unintended deviations of the intended application execution. Organizations can leverage full-stack visibility and deterministic detection and protection to defend against attacks within milliseconds.

The age-old adage, “prevention is better than a cure,” perfectly suits the world of cybersecurity. Bolting the doors to your house and deploying cutting-edge security to protect unauthorized ingress is much better than knowing thieves have entered your house and made off with valuables.

Virsec blocks attacks before they can cause problems. It is the security you need irrespective of the nature of the attack, zero-day or otherwise.