My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518)

Published: 2023-12-20. Last Updated: 2023-12-20 15:31:05 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Today, exploit attempts for CVE-2023-22518 cross the "significant" threshold for our "First Seen URLs" list. The URL being accessed, "/json/setup-restore.action?synchronous=true", can be used to bypass authentication [1]. Due to a failure to properly control access to this path, the attacker can execute the "setup-restore" feature, which restores the database using attacker-supplied data and can lead to system command execution.

Attacks for the vulnerability started early in November, shortly after the vulnerability was announced. At the time, the attacks were more targeted to specific hosts. Now we are seeing more widespread scans typical for attackers trying to "clean up" instances earlier attacks may have missed.

graph of attack volume from early november to late december 2023 for the atlasian auth bypass URL

One IP address has been particularly active: 128.199.91.64. This IP address, hosted with Digital Ocean, appears to specialize in Confluence vulnerabilities, with sporadic activity back to October 2023. 

Interestingly, and somewhat concerning, the IP address is associated with the hostname repo.walnut.asia based on DNS and hostnames in certificates offered by the system. On port 443, a Jira instance is responding. This may indicate that the system itself is compromised. Walnut.asia is an employee health/wellness company, according to their website. I will be reaching out to notify them.

[1] https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
0 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments


Diary Archives