Atlassian escalates its Confluence threat warning to '10'
Security and government agencies at risk in mass ransomware exploit of Atlassian software flaw
Government organisations are at risk after a mass exploitation campaign delivered ransomware to the systems of multiple organisations running flawed Atlassian Confluence collaboration software, according to alerts raised by the firm and by security vendor Rapid7.
Atlassian escalated its threat warning to "10" on Monday, the "highest, critical rating" on the CVSS scale, after observing "several active exploits and reports of threat actors using ransomware".
"Remove your instance from the internet until you can patch, if possible," it warned.
Rapid7 believes attackers have launched a mass attempt to exploit internet-facing Atlassian servers. Most of the attacks executed the same chain of processes to exploit a flaw in the account authorisation code used by Atlassian's Confluence Data Center and Confluence Server products.
The risk to UK government systems looked high because the Cabinet Office had ordered departments using the software to install it on their own private cloud computing systems, and not to run it from a public cloud service such as Atlassian Cloud. Only Atlassian Cloud users were protected from the exploit without emergency measures, the software firm said. But judging by the exploits reported in the last few days by Atlassian and Rapid7, customers have either not received or not heeded the warning.
The UK uses it in high-sensitivity systems operated by the Ministry of Defence, HM Courts & Tribunals Service, the NHS, HM Revenue & Customs and the Ministry of Justice.
US agencies using the Atlassian software include the Department of Defense and NASA. The US Space Force uses it to track and verify mission launches. Defence contractor BAE Systems and telecoms firm Verizon use it as well. It is not known which UK defence and security agencies use the software.
Its approval for sale through the UK government's Digital Marketplace has seen it taken up by the Departments for Work and Pensions, Education and Housing, the Office for National Statistics and Innovate UK as well. Companies that use it include German retailer Aldi and South African bank Absa.
Rapid7 said it has observed attacks in "multiple customer environments, including for ransomware deployment", and has received exploit alerts from multiple customers. Neither firm said how many attacks were successful or what damage was done.
The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned Atlassian users to patch the vulnerability on 16 October, two weeks after the software firm first alerted customers to it, and two weeks before the recent spate of attacks.
Cloud computing experts have told Computing that most UK departments operate in the belief that they should not use public cloud systems, because foreign software suppliers cannot be entrusted with UK government data, and that they should instead deliver internet services to users from their own private cloud servers.
Attackers had used the flaw to install the Cerber ransomware program on Confluence Server. Rapid7 described the exploit and the attackers' process chain in detail.
Atlassian published defensive actions companies could take if they could not apply the emergency update or take their systems offline. They should upgrade to one of five recent versions of its software in which the flaw had been patched, it said.