Ransomware attackers are exploiting a widespread zero day vulnerability in all supported versions of Atlassian Confluence Server and Data Center, according to Microsoft. The vulnerability is now considered critical, as attackers are leveraging it in a variety of different ways.

Atlassian Confluence

Atlassian Confluence is a team workspace application used by roughly 75,000 customers. According to researchers, the scale of malicious activity around this zero day (CVE-2022-26134) is on-par with that surrounding the Apache Log4j vulnerability.

Attacks appear to be targeted. In the US, federal agencies have been ordered to disconnect from the application.

Atlassian Confluence zero day

Towards the end of May, a critical unpatched vulnerability was reported to Atlassian. Shortly thereafter, the company instructed users to either restrict the tool’s internet access or to disable it entirely. The bug was officially patched on June 3rd . Nonetheless, unpatched systems continue to present risk.

Microsoft recently released guidance to assist customers in assessing and remediating the vulnerability, associated payloads, and corresponding malicious activity on networks. The vulnerability can permit attackers to perform remote code execution.

Ransomware risk

In some cases, experts showed that affected devices were running separate instances of malicious activity. This included device and domain discovery, and the deployment of payloads such as Cobalt Strike, ransomware, web shells and botnets.

“In particular, we observed the CVE-2022-26134 being exploited to download and deploy the Cerber2021 ransomware,” stated Microsoft.

At least one victim issued a Twitter post stating that they were hit with the Cerber2021 ransomware due to the Atlassian bug.

Ransomware details

In particular, the AvosLocker ransomware has been observed exploiting the Atlassian Confluence bug. It’s unclear as to who is deploying AvosLocker. Researchers speculate that attackers may work for nation-state groups.

Other threat actors

According to Check Point, one of the other threat groups pursuing the Atlassian Confluence vulnerability is the “8200 gang.” This group performs mass internet scans to isolate vulnerable Windows and Linux endpoints.

After identification, the group plants “miners” or cryptomining software. In turn, victims experience reduced server performance, increased operational costs, and may see general business disruptions.

Attack expansion

Initial system access through the Atlassian Confluence bug guarantees attackers the opportunity to escalate and expand their attack. In other words, the attackers could start out crypto mining and then choose to deploy malware, enable botnet operations and siphon off data…etc.


According to Censys researchers, roughly 9,325 services across 8,347 hosts run some version of Atlassian Confluence. Data suggests that most instances are in the US, China and Germany – each of which retains at least 1,000 vulnerable hosts.

CISA has released a warning pertaining to the bug, which has been added to the group’s catalog of known exploited vulnerabilities.

Zero day resources

Prevent zero day attacks on your devices and systems. The following resources can assist.

For more expert insights into zero day attacks, see this CyberTalk.org interview. Lastly, to receive cutting-edge cyber security news, exclusive interviews, detailed analyses and the latest security resources, please sign up for the CyberTalk.org newsletter.