US law enforcement, cyber security orgs heighten calls to harden Confluence

Three American law enforcement and cyber security organisations have joined forces to call on organisations to patch the Atlassian Confluence Server and Data Centre vulnerability disclosed at the start of this month.

When patching CVE-2023-22515, Atlassian said the vulnerability may have already been exploited in some customer sites to create administrator accounts.

Last week Microsoft attributed the attacks to a Chinese actor.

Now, the FBI, the Cyber and Infrastructure Security Agency (CISA), and the Centre for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) have joined to author a paper [pdf] explaining the dangers in detail.

The joint cyber security advisory explained that “threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user."

“The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint,” the advisory stated.

It added: “Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts”.

The three organisations said the bug is easy to exploit, so they expect “widespread exploitation of unpatched Confluence instances in government and private networks.”

They add that they’ve observed two command line tools, the cURL URL toolkit and Rclone data-sync utility, being used for post-exploit data exploitation.

The paper added that two user-agent strings have been observed in request headers to vulnerable systems: Python-requests/2.27.1, and curl/7.88.1, adding that “an increasing variation in user-agent strings is expected”.