How hackers exploited RCE vulnerabilities in Atlassian, Azure

Two of the most popular cloud providers in the enterprise market were recently subjected to remote code execution attacks.

Researchers with Barracuda Networks analyzed exploitation activity around Atlassian's Confluence and Microsoft's Azure Open Management Infrastructure (OMI), both of which contained remote code execution (RCE) vulnerabilities and were being targeted in the wild by criminal hackers in recent weeks.

Barracuda estimated that more than 500 IP addresses were launching automated exploits against the two service vulnerabilities. Successful exploitation enables remote control of a vulnerable system.

The Azure vulnerability, commonly known as OMIGOD, is a result of a failure to properly handle OMI requests. By not properly checking authorization header data, an attacker can sneak commands into an HTTPS request and get total control over a vulnerable machine. The flaw, designated as CVE-2021-38647, was disclosed Sept. 15 with three other related vulnerabilities.

"Attackers are targeting these systems by sending a specially crafted HTTPS message to one of the ports listening for OMI traffic (Ports 1270/5985/5986), which gives the attacker initial access to the machine," wrote Marcus Gower, an inside systems engineer at Barracuda, in a blog post Wednesday.

"Commands sent by the attacker will be executed by the SCXcore service, allowing the attacker to leverage the vulnerabilities."

Barracuda found that threat activity rose sharply in mid-September following Microsoft's disclosure. "After the initial spike on September 18, the number of attempted attacks dropped off, but this continued to spike and then balance out over time," Gower said.

The Atlassian vulnerability, CVE-2021-26084, was disclosed Aug. 25; the flaw is the result of an OGNL injection vulnerability and enables threat actors to submit instructions via a specially crafted POST request. Commands are run as root and Java code can be inserted into the attack commands.

To clear up the flaw, Atlassian has put out a patched version of Confluence Server and Data Center. Admins were advised to update to the latest version of both platforms, but the threat activity shows many organizations are still vulnerable.

"Analyzing data from late August through the end of September, Barracuda researchers found the attacks against the Confluence vulnerability started to spike, and the attacks have continued to stay elevated as many Confluence users still have a vulnerable version of the software," Gower said.

IP addresses in the U.S. were fingerprinted in the attacks, but that data does not always coincide with the attackers' physical location as compromised systems and data centers in the U.S. are often used as proxies for attackers. Russian IP addresses were also found to be connected to the exploits.

Gower noted that because these systems are remotely hosted and managed, getting fixes installed is not always easy.

"Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks," Gower said.