A CVSS 9.8 critical CVE was recently disclosed in Atlassian's Confluence Server that sent many information security professionals scrambling over the Labor Day weekend. This CVE is trivial to exploit, and the capability has been validated by the Randori Hacker Operations Center (@RandoriAttack).
CVE-2021-26084 grants attackers the ability to execute code remotely on the Confluence server. This matters because it gives adversaries an initial foothold into a vast number of organizations' networks: many companies expose Confluence on their perimeter. Once attackers gain initial access to a perimeter asset, they can collect information, escalate privileges and move laterally from the compromised server into the rest of the internal network.
Our attack team encourages anyone with exposure to CVE-2021-26084 to immediately apply the patch issued by Atlassian, and to verify that their servers have not already been compromised. For a free demo of your attack surface and to see if you're exposed, click here.
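The first half of that advice (find every Confluence instance you expose and confirm it is on a fixed build) is mechanical enough to script. The following is an added example, not Randori's or Atlassian's code: it reads the version that Confluence embeds in the `ajs-version-number` meta tag of every page it serves and compares it against the fixed releases listed in Atlassian's advisory for CVE-2021-26084 (6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0). The affected-range table and the sample HTML snippets below are assumptions constructed for this example; confirm the ranges against the current advisory before acting on the output.

```python
"""Flag Confluence Server instances whose banner version falls in a range
that Atlassian's CVE-2021-26084 advisory lists as unpatched.

Added example, not code from Randori or Atlassian.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Half-open [lower, upper) version ranges affected by CVE-2021-26084,
# derived from the fixed releases in Atlassian's advisory (assumption:
# 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0 are the first fixed builds
# on their branches; anything at or above them is treated as patched).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (6, 13, 23)),     # everything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),     # 6.14.x through 7.4.10
    ((7, 5, 0), (7, 11, 6)),      # 7.5.x through 7.11.5
    ((7, 12, 0), (7, 12, 5)),     # 7.12.0 through 7.12.4
]

# Confluence renders its own version into this meta tag on every page,
# including the unauthenticated login page.
META_RE = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([0-9][^"]*)"', re.I
)


def parse_version(html: str) -> Optional[Version]:
    """Extract the Confluence version from a page body, padded to x.y.z.

    Returns None when no parseable version tag is present, which is itself
    a finding: the host may not be Confluence, or the banner was stripped.
    """
    m = META_RE.search(html)
    if not m:
        return None
    parts = m.group(1).split(".")
    try:
        nums = [int(p) for p in parts[:3]]
    except ValueError:
        return None
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_vulnerable(version: Version) -> bool:
    """True if the version sits inside any unpatched range."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def assess(html: str) -> str:
    """Classify one page body as 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(html)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "patched"


def triage(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the vulnerable set can be patched first."""
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, html in pages.items():
        out[assess(html)].append(host)
    for bucket in out.values():
        bucket.sort()
    return out


# Constructed sample responses standing in for fetched login pages.
SAMPLE_PAGES: Dict[str, str] = {
    "wiki.example.test": '<html><head><meta name="ajs-version-number" content="7.12.4"></head></html>',
    "docs.example.test": '<html><head><meta name="ajs-version-number" content="7.12.5"></head></html>',
    "kb.example.test": '<html><head><meta name="ajs-version-number" content="6.13.2"></head></html>',
    "lts.example.test": '<html><head><meta name="ajs-version-number" content="6.13.23"></head></html>',
    "new.example.test": '<html><head><meta name="ajs-version-number" content="7.13.0"></head></html>',
    "cdn.example.test": "<html><head><title>Not Confluence</title></head></html>",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_PAGES).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

In practice the page bodies come from fetching each candidate host's base URL; feed the responses into `triage` and patch the `vulnerable` bucket first. Two caveats: an `unknown` result does not clear a host (some deployments strip the banner, and a reverse proxy may serve a different front page), and a `patched` result only says the host is no longer exploitable now, not that it was never exploited. The second half of the advice above, confirming the server was not already compromised, needs log review and host forensics, not a version check.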
However, given that yet another critical vulnerability surfaced over a long weekend, rather than break down the specifics of this bug, this blog focuses on a bigger question: why does this keep happening?
New Bug, Same Problem – How Reactive Security is Stressing Everyone Out
Last July, following a similar critical vulnerability disclosure ahead of the Fourth of July holiday, my colleague Evan Anderson wrote a piece on how security teams can avoid the scramble. In light of this weekend’s event, I want to steal (with slight edits) a section from his earlier blog that you may find helpful. (You can read his full blog here: Avoiding the Scramble, Reflections on CVE-2020-5902)
What lessons can defenders take from CVE-2021-26084?
- If you didn’t know if you had Confluence exposed to the internet, you need to focus on getting better visibility into your public attack surface.
- If the administration interfaces are exposed to wide ranges of the internal network, you need to work on your internal attack surface.
- If you knew you were exposed but lacked the visibility to determine whether the exposed servers had already been exploited, you need to invest in better logging and monitoring.
- If you had visibility but didn’t detect malicious activity or were unable to respond effectively, you need to improve the agility of your detection & response efforts.
- Realize that adversaries also have budgets, limited compute resources and limited time. By carefully applying your own resources, you can make it too expensive or time-consuming to hack you.
For some, the scramble is unavoidable; things happen. But for you, it doesn't need to be. All it takes is good visibility and a proactive security posture. The Randori Hacker Operations Center was quick to jump on working toward those objectives with CVE-2021-26084 in Confluence, and was able to provide that insight to our customers within hours. If your network was affected by this Confluence vulnerability and you want to increase your visibility and lower your future risk, explore an ASM solution.