0day – Malware University

Atlassian has raised a storm with CyberCom (US Cyber Command) due to a critical flaw discovered in Confluence Server and Confluence Data Center. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already—this cannot wait until after the weekend,” said the official CyberCom Twitter account.

On August 25, 2021, Atlassian did issue a patch for this vulnerability, in which the developer stated arbitrary code execution could be reached by an unauthenticated user on a Confluence server or datacenter instance.

Jenkins, the popular CI/CD platform, was hit by attackers exploiting this new flaw. Attackers decided to deploy a Monero cryptominer on the company’s Confluence server. The service immediately took the server offline and rotated all passwords.

Researchers at Kaspersky stated the flaw is only possible to leverage from unauthenticated users if the “Allow people to sign up to create their account” option is enabled by administrators.

Please note Confluence Cloud is not affected.

Hackers attributed to the REvil group recently exploited an (internally) known 0day in Kaseya software to demand ransom worth 70,000,000 USD affecting at least 1000 businesses.

On Friday, July 2, 2021, the incident response team from Kaseya became aware of a security incident related to their VSA software. Hackers used the software to deploy the REvil ransomware into many victims’ environment. The malicious code is side-loaded by a fake Windows Defender app, encrypting files in return for ransom. “Kaseya VSA Agent Hot-fix” is the distributed name of the malware, which was also seen attempting to disable Microsoft Defender Real-Time Monitoring via Powershell.

The group sent out a message on July 2:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour."

How did the REvil group know a patch was forthcoming? Did they? It’s improbable this is a coincidence.

Assuming it is not, how were they alerted to a forthcoming patch which likely spurred an immediate decrease in their attack timeline? Insider alerting them? Prior compromise and a great analysis team?

Anything is possible when tens of millions of dollars, or more, are at stake. The most expensive 0days ($1,000,000+) are a drop in the bucket for groups eyes to rake in millions from one successful operation.

Former employees raised several software security concerns from 2017 through 2020 to company leaders. These concerns were not fully addressed, as sales were the focus of the business at the expense of other priorities. One employee sent a 40-page memo detailing many security concerns related to the software leading to his firing two weeks later. Customer passwords were stored in clear text on third-party platforms, among other bad habits.

Shame on Kaseya. Likely one of many professional software firms and IT management companies which fail to adhere to even basic security and administration best practices.

Tag: 0day

Atlassian Bug CyberCom

Kaseya Bullseye