Researchers at threat intelligence company GreyNoise detected a spike in exploit attempts targeting multiple known vulnerabilities in Atlassian software.
The list of the most targeted flaws includes:
- CVE-2022-26138 - Hard-coded credentials in Questions For Confluence app for Confluence Server and Data Center
- CVE-2019-3396 - Path traversal in Atlassian Jira
- CVE-2023-22515 - Remote code execution in Confluence Data Center and Server
- CVE-2023-22518 - Improper authorization in Atlassian Confluence Data Center and Server
- CVE-2021-26084 - Remote code execution in Atlassian Confluence Server
- CVE-2021-26086 - Path traversal in Atlassian Jira
- CVE-2022-26134 - Remote code execution in Atlassian Confluence Server
- CVE-2019-3395 - Server-Side Request Forgery (SSRF) in Confluence Server and Confluence Data Center
- CVE-2015-8399 - Insecure Direct Object Reference in Confluence Data Center
The researchers said that exploitation attempts have been observed from various IP addresses.
“We conducted an analysis on the various spikes and attempted to determine if they were all caused by the same few IPs searching for all possible vulnerabilities. However, our findings suggest a fair distribution of IPs trying to exploit different vulnerabilities,” the researchers said.
In October, Microsoft reported that a China-linked state-sponsored threat actor it tracks as Storm-0062 (aka DarkShadow and Oro0lxy) has been exploiting CVE-2023-22515 as a zero-day vulnerability since September 2023. CISA, the FBI and MS-ISAC released a joint advisory detailing the vulnerability.
Given that Atlassian software is a very lucrative target for malicious actors, users are strongly advised to patch their installations as soon as possible.