TLDR:
- Fresh proof-of-concept (PoC) exploits have been found for a widely targeted Atlassian Confluence Data Center and Confluence Server flaw.
- Attackers can execute arbitrary code within Confluence’s memory without touching the file system.
According to a recent article on Dark Reading, new proof-of-concept exploits are circulating for a critical vulnerability in Atlassian Confluence. The CVE-2023-22527 remote code execution (RCE) vulnerability was disclosed in January and has since become a target for malicious actors. These exploits allow attackers to execute arbitrary code within Confluence's memory without needing to touch the file system. Researchers at VulnCheck have identified 30 unique in-the-wild exploits for this vulnerability, most of which load the Godzilla Web shell. However, a new trend is emerging: in-memory payloads used for stealthier attacks.
This approach lets malicious actors exploit the Confluence vulnerability by loading an in-memory Web shell directly, granting them unauthorized access to the web server. Because nothing is written to disk, the technique is stealthier and less likely to be caught by file-based defenses, posing a significant risk to organizations that have not patched their Confluence instances. The article emphasizes the importance of evolving defense strategies to detect such attacks, such as network-based detection or scanning Java memory for malicious Web shells.
VulnCheck’s CTO, Jacob Baines, highlights the attractiveness of targeting Confluence for ransomware attackers due to the wealth of business information it holds. As organizations face increased risks from these stealthy in-memory exploits, it is crucial to prioritize security measures and patching to prevent unauthorized access to sensitive data.