Vulnerability Watch

Forum Discussion

snarang
Product Team
4 years ago

Recent Exploit Activity Involving CVE-2021-26084 in Atlassian Confluence

Since September 1, in-the-wild exploit activity has been detected for CVE-2021-26084, a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center. In the weeks that followed, there have been write-ups from vendors including Trend Micro, Fortinet and Lacework providing insight into the exploit activity.

Trend Micro: Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits

Fortinet: Recent Attack Uses Vulnerability on Confluence Server

Lacework: Muhstik Takes Aim at Confluence CVE 2021-26084

One of the primary ways attackers are leveraging CVE-2021-26084 is by implanting cryptocurrency miners, also known as cryptominers, onto vulnerable systems. A cryptominer is a type of software that uses system resources to solve complex mathematical equations as part of validating transactions and securing the respective network. The network rewards the miners that solve these equations the fastest with cryptocurrency. Attackers are compromising vulnerable systems in order to make money through these cryptominers.

Researchers have also observed activity tied to Muhstik, an internet-of-things (IoT) botnet that has a history of targeting unpatched flaws in web applications in order to implant cryptocurrency miners, as well as harnessing the power of its botnet to launch distributed denial-of-service (DDoS) attacks.

For more information about CVE-2021-26084, including the availability of patches and Tenable product coverage, please visit our blog.
