Amid NSA warning, attacks on Confluence have risen in recent weeks
The National Security Agency’s recent warning about nation-state actors exploiting a vulnerability affecting Confluence wasn’t merely a delayed confirmation of information that the cybersecurity community already had on its radar. It also appears to signal new exploitation of the vulnerability: hackers have been dramatically stepping up the pace and persistence of their attacks on the popular workplace collaboration software in recent weeks, according to new private sector research obtained by CyberScoop.
The attackers are using a vulnerability that Confluence warned about this spring, according to data from Trend Micro’s TippingPoint technology. And while the NSA issued an advisory last week about the bug, it only says nation-state hackers “have exploited” and “could” exploit the vulnerability, not going so far as to say there has been a recent uptick in attacks.
New information suggests now that the agency had specific reasons to share the guidance this fall: Starting in late September, just weeks before the NSA made its announcement, hackers began exploiting the vulnerability two to three times per day, according to Trend Micro.
The cybersecurity company had seen actors exploit the vulnerability in the months prior, but the attackers then were targeting less frequently, and the uptick in September was particularly notable because it did not appear to abate over a month later, according to the data.
The data also show a brief spike in activity in July.
When reached for comment, NSA press officer Donna Lohr confirmed the “NSA released this advisory based on an uptick in use of this vulnerability,” and emphasized patching the vulnerability.
“NSA would like the community to understand that there is always sound reasoning behind the timing of our advisories; they should be viewed as a call to act,” Lohr said.
The vulnerability, known as CVE-2019-3396, has allowed actors to drop Gandcrab ransomware in the past, according to Alert Logic. It also allows for actors to deploy cryptocurrency mining malware, according to previous Trend Micro research, although it was not immediately clear what the exact targets were in the recent flurry of attacks.
When asked for comment on where targets of the recent spike in exploitation are located, if the same machines were targeted in the spring and the fall, and what threat actors were behind the activity, a Trend Micro spokesperson declined to comment, only noting that the detections were “across its customer base.”
The NSA’s warning on the matter, issued Oct. 30, does not share statistics on exactly when the NSA has seen the vulnerability exploited, how recently it’s been exploited, or the frequency and magnitude of attacks.
But the updated timeline of attacks shows the NSA’s new Cybersecurity Directorate, stood up just one month ago, sharing unclassified warnings with the public about threats as they are bubbling up, a process the NSA says it is working to improve. Just last month the director of the new cybersecurity division said the process of declassifying threat tips and sharing them quickly with the public still needs to be ironed out to ensure it gives the private sector timely and relevant information on nation-state threats.
Beyond offering a view into whether the NSA is meeting its goals to share relevant information, the resurgence of exploitation of the Confluence vulnerability is a reminder for the broader community that public disclosure of a vulnerability does not guarantee administrators will follow through by patching.
The NSA recommends patching and disabling the Widget Connector and WebDAV plugin, and provides more information on remediation in its advisory.