Confluence Critical Vulnerability, Macros, & MSPs

From apps to MSPs, threat actors continue to find ways to gain entry into victims’ networks. 

Latest Threat Intel News:

Questions for Confluence Critical Vulnerability (CVE-2022-26138)

A security researcher identified a global default password used in the Questions for Confluence app. Threat actors are actively attempting to login to impacted Confluence instances. When the Questions for Confluence app is enabled on Confluence Server or Confluence Data Center, it creates a default user account with a hardcoded password. This allows any remote, unauthenticated user with knowledge of the hardcoded password to gain access that includes viewing and editing permissions to all non-restricted documents. After the hardcoded password was leaked on social media, it didn’t take long for cybercriminals to start exploiting the vulnerability on unpatched systems.

Why This Matters

Unpatched vulnerabilities remain a top vector for threat actors to gain an initial foothold into the networks of unwitting victims. Avoid being the low-hanging fruit for cybercriminals by implementing an effective vulnerability and patch management program.

Additional Information:

• "Questions For Confluence Security Advisory 2022-07-20" (Confluence)

• "Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138" (Rapid7)

After Macros, What’s Next?

After previously reporting Microsoft’s decision to once again block VBA macros by default, some might be wondering what’s next for threat actors. Rather than expecting a white flag from frustrated cybercriminals, Proofpoint reports threat actors have been pivoting to other types of malicious documents including ISO, RAR, and LNK files attached to emails. Amidst a 66% decline in macro campaigns, there has been a 1,675% increase in campaigns using LNK files, including by actors distributing Bumblebee malware. These phishing emails are part of an attack ecosystem that can lead to ransomware actors gaining access to environments and deploying ransomware.

Why This Matters

While some of the technical details may have changed, the method remains the same: cybercriminals are sending malware to user inboxes. Email security remains paramount. Endpoint protection likewise provides an extra layer of protection if a malicious email attachment is opened by a user.

Additional Information:

• "How Threat Actors Are Adapting to a Post-Macro World" (Proofpoint)

Managed Service Providers Continue to be Prime Targets

A threat actor gained the attention of security researchers this week after claiming to have secured initial access to a US-based managed service provider (MSP). MSPs typically provide IT infrastructure and support that numerous organizations rely on for their operations; therefore, MSP compromise can have a domino effect of destruction. In the present case, there has been no confirmation on the veracity of the claim, nor the identity of potential victims.

Why This Matters

Compromising MSPs provides attackers a gateway to numerous other victims. Since an MSP effectively becomes an extension of their client's business, security should always be an important consideration when shopping for an MSP solution.

Additional Information:

• "Experts warn of hacker claiming access to 50 U.S. companies through breached MSP" (The Record)

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.