Linux botnets now exploit critical Atlassian Confluence bug

Several botnets are now using exploits targeting a critical remote code execution (RCE) vulnerability to infect Linux servers running unpatched Atlassian Confluence Server and Data Center installs.

Successful exploitation of this flaw (tracked as CVE-2022-26134) allows unauthenticated attackers to create new admin accounts, execute commands, and ultimately take over the server remotely to backdoor Internet-exposed servers.

After proof-of-concept (PoC) exploits were published online, cybersecurity firm GreyNoise said it detected an almost ten-fold increase in active exploitation, from 23 IP addresses attempting to exploit it to more than 200.

Among these attackers, Lacework Labs researchers found three botnets, tracked as Kinsing, Hezb, and Dark.IoT, known for targeting vulnerable Linux servers and deploying backdoors and cryptominers.

Kinsing has also targeted Confluence in the past using another critical Atlassian Confluence RCE flaw to install cryptomining malware after a PoC exploit was released online.

The Hezb botnet previously deployed Linux-compatible Cobalt Strike beacons and XMRig miners on servers running unpatched WSO2 products.

Dark.IoT is also known for dropping coinminer payloads while targeting Microsoft Azure VMs with OMIGOD exploits and hundreds of thousands of devices using Realtek SDK.

"Exploits involving Confluence are always popular among various threats including those targeting cloud," Lacework Lab explained.

"While Lacework Labs observed a lot of activity relative to other exploits, there is still low exposure compared to the more impactful 'coffee break' vulnerabilities such as those involving log4j or apache."

Widely exploited, federal agencies ordered to mitigate

Since it was disclosed as an actively exploited zero-day bug last week by cybersecurity firm Volexity, CISA has ordered federal agencies to block all internet traffic to Confluence servers on their networks.

Volexity also revealed that multiple threat actors from China are likely using exploits to target vulnerable servers unpatched against this RCE flaw (tracked as CVE-2022-26134) to deploy web shells.

One day after this actively exploited bug was disclosed, Atlassian released security updates and urged customers to patch their installations to block ongoing attacks.

"We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," Atlassian said.

If you can't immediately upgrade your Confluence install, you can also use a temporary workaround that requires updating some JAR files on the Confluence server, as detailed here.