Multiple threat actors are descending on on-premises Atlassian Confluence software to exploit a critical vulnerability that was detailed and patched last week.

Threat intelligence researchers from cybersecurity firms Rapid7 and GreyNoise this week reported that over the weekend, they tracked attackers targeting enterprises running Atlassian’s Confluence Data Center and Confluence Server solutions with a number of threats, including Cerber ransomware.

The attacks come after a week of Atlassian executives pleading with users to either patch their vulnerable systems immediately or cut them off from the internet until the patch can be applied.

The flaw, tracked as CVE-2023-22518 and initially given a severity rating of 9.1 out of 10, is an improper authorization vulnerability that affects all on-premises versions of the software. Cloud instances are not impacted.

If exploited, the flaw “allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account,” Atlassian wrote in its advisory initially posted October 31. “Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to a full loss of confidentiality, integrity and availability.”

Bala Sathiamurthy, Atlassian chief information security officer, wrote in the advisory that organizations running the Confluence software are “vulnerable to significant data loss” if the bug is exploited by an attacker.

After first issuing the advisory and saying there were no known exploitations of the vulnerability, Atlassian updated it November 2 alerting users about publicly posted information about the flaw that “increases risk of exploitation.”

The Attacks Begin

A day later, the company said a customer reported an active exploit and again urged organizations to patch the software. Three days after that, Atlassian said there were “several active exploits and reports of threat actors using ransomware” and that it was escalating the severity rating from 9.1 to 10 “due to the change in scope of the attack.”

The DFIR Report on X (formerly Twitter) posted screenshots from attacks it had seen, including a ransom note from C3RB3R (Cerber), which according to cybersecurity firm Proofpoint is a ransomware-as-a-service (RaaS) malware first discovered in 2016.

Andrew Morris, co-founder at CEO at GreyNoise, posted on X that the cybersecurity vendor has seen three IP addresses originating from Russia, France, and Hong Kong trying to exploit the Atlassian vulnerability and a significant spike in attempts on November 5.

Rapid7 researchers wrote that in that “multiple attack chains” they saw “post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41 which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”

They added that they saw a process execution change that was consistent across Windows and Linux environments, an indication that there was a “possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.”

Atlassian noted that the fixed versions of Confluence Data Center and Confluence Server are 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1. Organizations should upgrade to one of the patched systems.

If not, there are temporary mitigations, including backing up the instances or removing them from internet until the patch is installed.

Atlassian executives said the vendor can’t confirm if an instance has been affected by the flaw, saying that organizations should check with their security team. That said, evidence of a compromise includes not being able to log into the instance, installed unknown plugins, encrypted files or corrupted data, or unexpected members of the confluence-administrators group appearing.

In addition, enterprises should check for compromise if they uncover newly created user accounts that were not expected or see requests to “/json/setup-restore*” in network access logs.

Atlassian is no stranger to bad actors taking aim at Confluence software.

“Because Confluence Data Center and Server is often an internet-facing asset, it has become a popular target for cybercriminals over the last few years,” wrote Satnam Narang, senior staff research engineer at Tenable.