
Ransomware Threat: Atlassian and Apache Vulnerabilities Exploited by Hackers

Cybersecurity experts are sounding the alarm as multiple ransomware groups actively exploit recently disclosed vulnerabilities in two widely used platforms: Atlassian Confluence and Apache ActiveMQ.


Rapid7, a cybersecurity firm, has reported the active exploitation of two critical vulnerabilities, namely CVE-2023-22518 and CVE-2023-22515, across various customer environments. Some of these attacks have already resulted in the deployment of Cerber ransomware, also known as C3RB3R. Both of these flaws grant threat actors the ability to create unauthorized Confluence administrator accounts, potentially leading to data loss.


The situation has escalated to the point where Atlassian, the Australian software company, updated its advisory on November 6th. In the revised advisory, Atlassian acknowledged that it had observed "several active exploits and reports of threat actors utilizing ransomware." As a response to the evolving threat landscape, Atlassian has raised the CVSS score for the vulnerability from 9.8 to the maximum severity level of 10.0.


The attacks typically involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers, which are made to retrieve a malicious payload hosted on a remote server. Once executed, that payload launches the ransomware on the compromised server. Notably, the attacks have been traced back to three different IP addresses in France, Hong Kong, and Russia, according to data collected by GreyNoise.


In parallel, Arctic Wolf Labs has brought to light another concerning revelation. A severe remote code execution flaw, tracked as CVE-2023-46604 with a CVSS score of 10.0, has been identified in Apache ActiveMQ. Cybercriminals are capitalizing on this vulnerability to distribute a Go-based remote access trojan called SparkRAT. A ransomware variant that resembles TellYouThePass is also being deployed.


Evidence that CVE-2023-46604 is being exploited by multiple threat actors with differing objectives underscores the urgency of addressing this vulnerability. Rapid remediation and comprehensive security measures are critical in the face of these evolving threats.
