Hackers sold vulnerable networks collected via an Atlassian zero-day

June 28, 2022

About 50 vulnerable networks, collected by exploiting the recent zero-day vulnerability in Atlassian Confluence, were sold on an underground forum by an unidentified hacker. According to the researchers, the networks are available on the popular Russian dark web forum XSS.

Access to the sold networks was gained through Atlassian Confluence’s unauthenticated RCE flaw, tracked as CVE-2022-26134, which many threat actors had abused before a patch was published this June.

According to the researchers’ findings, the hacker selling the vulnerable networks also offered over 10,000 unexploited vulnerable machines that are not yet published on the forum.

While the number of unpublished, unexploited vulnerable machines offered by the malicious seller was deemed too high to be believable, the researchers said that the seller’s good reputation on the forum suggests the claims could be true.

This implies that many organisations could be included in this compromise. They, especially those using Atlassian Confluence in their operations, must check their environments and review their previous records for any unusual activity.

Moreover, these companies are advised to place their Confluence servers behind a VPN to limit exposure to a possible compromise. Patching the recent Confluence vulnerability could also help them avoid being attacked.

The researchers added that internet-facing platforms have been an attractive avenue for threat actors, since employees in an organisation actively use these services, which lets attackers reach vulnerable networks through carefully engineered methods.

The Atlassian Confluence RCE flaw was already found to be abused by state-backed threat groups after numerous victims reported being attacked. For instance, a victim posted on Twitter about how their organisation was infected with the Cerber2021 ransomware, an infection rooted in the Atlassian zero-day bug.

Based on the studies conducted on the Atlassian vulnerability, the countries most hit by threat groups abusing it were the US, China, and Germany. Meanwhile, the attacks originated in Russia, the US, Germany, India, and the Netherlands.
