Diverse Set of IPs Exploiting Atlassian Vulnerabilities, Not Just a Few Bad Actors.
At GreyNoise, we focus heavily on analyzing data trends and anomalies, as they form a fundamental part of our business. While we collect a vast amount of data regarding unsolicited packets being transmitted across the internet, it is only meaningful if we look at the bigger picture.
We have recently introduced some changes to our back-end system for calculating the trending and anomalous events we update hourly here. This has already proven beneficial, as it helped us detect a sudden increase in malicious Atlassian exploitation attempts late last week (gee, I wonder why…).
Atlassian-related topics occupy seven out of the top ten trending tag anomalies at the time of this writing.
- Atlassian Confluence Server Scanner
- Atlassian Questions For Confluence Hardcoded Password Attempt (CVE-2022-26138)
- Confluence CVE-2019-3395 Attacker (CVE-2019-3395)
- Atlassian Confluence Template Injection Attempt (CVE-2019-3396)
- Atlassian Confluence Arbitrary File Read Attempt (CVE-2015-8399)
- Atlassian Confluence Server Privilege Escalation Attempt (CVE-2023-22515)
- Atlassian Confluence Server Authentication Bypass Attempt (CVE-2023-22518)
Digging a bit deeper into our other Atlassian tags, a similar spike appears (just wasn’t enough to make the top 10):
- Atlassian Confluence Server OGNL Injection Attempt (CVE-2021-26084)
- Atlassian Jira Path Traversal Attempt (CVE-2021-26086)
- Atlassian Confluence Server CVE-2022-26134 OGNL Injection Attempt (CVE-2022-26134)
We analysed the spikes to determine whether they were all driven by the same few IPs probing for every vulnerability in turn. The data says otherwise: the IPs are spread fairly evenly across the different vulnerabilities. Looking at the past 24 hours, the largest overlap of IPs between any of the tags above was only 9, and 67% of the IPs were seen only once.
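To make the overlap check above concrete, here is an added example (not GreyNoise code) that computes the two numbers the post reports from a list of (source IP, tag) observations. The observations are constructed sample data using documentation-range addresses, and "overlap" is taken to mean the number of IPs two tags have in common, which is an assumption about how the post's figure was derived:

```python
"""Overlap of scanner IPs across vulnerability tags.

Added example, not GreyNoise code. OBSERVATIONS is constructed sample data
in the shape (source_ip, tag); in practice this would be a 24-hour export of
tag hits.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample observations: (source IP, tag). Addresses are from the
# 203.0.113.0/24 documentation range and are hypothetical.
OBSERVATIONS = [
    ("203.0.113.10", "CVE-2023-22515"),
    ("203.0.113.10", "CVE-2023-22518"),
    ("203.0.113.10", "CVE-2022-26134"),
    ("203.0.113.11", "CVE-2023-22518"),
    ("203.0.113.11", "CVE-2023-22515"),
    ("203.0.113.12", "CVE-2019-3396"),
    ("203.0.113.13", "CVE-2021-26084"),
    ("203.0.113.14", "CVE-2023-22518"),
    ("203.0.113.15", "CVE-2015-8399"),
    ("203.0.113.15", "CVE-2015-8399"),  # repeat hit on the same tag: counted once
]


def ips_by_tag(observations):
    """Map each tag to the set of distinct IPs seen attempting it."""
    index = defaultdict(set)
    for ip, tag in observations:
        index[tag].add(ip)
    return index


def max_pairwise_overlap(observations):
    """Return (shared_ip_count, tag_a, tag_b) for the pair of tags that
    share the most source IPs. Ties resolve to the first pair in sorted order."""
    index = ips_by_tag(observations)
    best = (0, None, None)
    for tag_a, tag_b in combinations(sorted(index), 2):
        shared = len(index[tag_a] & index[tag_b])
        if shared > best[0]:
            best = (shared, tag_a, tag_b)
    return best


def single_tag_fraction(observations):
    """Fraction of distinct IPs that were seen under exactly one tag.
    A value near 1.0 means most scanners target a single vulnerability;
    a value near 0.0 means the same hosts are sweeping every tag."""
    tags_per_ip = defaultdict(set)
    for ip, tag in observations:
        tags_per_ip[ip].add(tag)
    if not tags_per_ip:
        return 0.0
    singles = sum(1 for tags in tags_per_ip.values() if len(tags) == 1)
    return singles / len(tags_per_ip)


if __name__ == "__main__":
    count, tag_a, tag_b = max_pairwise_overlap(OBSERVATIONS)
    print(f"largest overlap: {count} IPs shared by {tag_a} and {tag_b}")
    print(f"IPs seen under only one tag: {single_tag_fraction(OBSERVATIONS):.0%}")
```

On the sample data the largest overlap is 2 IPs (shared by the two 2023 Confluence tags) and 4 of the 6 IPs appear under a single tag, the same shape of result the post describes. Swapping in a real export and watching these two numbers over time is a cheap way to tell a few noisy scanners from broad, independent exploitation.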
As the year ends, make sure your Atlassian products are secure: take them off the public internet and keep them up to date. If an exposed instance is still unpatched, it is likely too late to avoid compromise, so patching alone is not enough; treat the host as potentially compromised and check it for signs of intrusion before trusting it again. For extra measure, use our dynamic IP blocking feature to protect your organization from opportunistic mass exploitation.
Now time to indulge in some eggnog and downtime!