A hacker is selling access to 50 vulnerable networks on a cybercriminal forum after breaking into systems through the recently-discovered Atlassian Confluence zero-day.
The Rapid7 Threat Intelligence team told The Record that it found an access broker on the Russian-language forum XSS selling root access to 50 vulnerable networks – all allegedly within the United States.
Erick Galinkin, principal AI researcher at Rapid7, said the access was gained through CVE-2022-26134, a widely discussed unauthenticated remote code execution vulnerability. A patch for the bug was released earlier this month, after the zero-day was discovered in May.
Galinkin explained that Rapid7 has seen an uptick in patching but noted that the sale underscores the critical need to patch and protect internet-facing servers specifically.
He shared a screenshot of the XSS post but redacted the names of the companies listed in it.
The broker selling access to the 50 networks also claims to have a list of 10,000 additional vulnerable but not yet exploited machines that they are willing to sell.
“Our telemetry suggests that the 10,000 number is high, but the seller has a good reputation on the forum and so we are inclined to believe their claims,” Galinkin said.
“Organizations should also analyze their environment to determine if there was an earlier compromise.”
Galinkin and other analysts at Rapid7 are working to identify and notify the 50 companies directly.
He recommended that companies put their Confluence servers behind a VPN to limit exposure and patch the Confluence bug as soon as possible. Organizations should also look for signs that a successful compromise has already occurred.
“The thing that has made this particularly attractive as a target is that the affected application is often internet-facing, since it is used by employees across a company, and sometimes needs to be accessible to contractors and external partners. Ideally, it should be protected at least behind a VPN,” Galinkin explained.
“I definitely anticipate forum posts like this to be used by ransomware groups, and there is good reason to believe…