On September 14, 2023, Microsoft announced on its blog that an Iranian cyber espionage group launched a Password Spraying Attack targeting thousands of organizations in the U.S. and around the world. 

The professional spy group, generally known as APT33 as well as Peach Sandstorm, HOLMIUM, or Refined Kitten, has been active since 2013. It has attacked diverse industrial organizations in the United States, Saudi Arabia, and Korea, as well as thousands of organizations around the world. 

The group’s signature tactic between February and July 2023 was the Password Spraying Attack, in which the attacker tries a single password, or a short list of commonly used passwords, against many different accounts rather than many passwords against one account.

APT33 successfully stole sensitive information by hacking the accounts of organizations in the defense, satellite, and pharmaceutical sectors by using the Password Spraying Attack.  
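The distinguishing shape of a spray described above (many accounts, very few attempts each, from one source) is what a detection rule can key on. The following is an added example, not code from the original article or from Criminal IP: it parses a constructed, syslog-style authentication log (the log format, the IP addresses and the user names are all assumptions made for the example) and flags a source that fails against many distinct accounts while staying under a small per-account attempt count, while leaving a single-account brute force and an ordinary mistyped password alone. It also reports any account from the sprayed set that the same source subsequently logged into successfully, which is the case that needs an immediate password reset.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): one spraying
# source (203.0.113.7), one single-account brute force (198.51.100.9) and one
# ordinary user typo (192.0.2.5). Format and values are assumptions.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2023-06-01T10:00:04Z auth sshd: Failed password for bob from 203.0.113.7
2023-06-01T10:00:07Z auth sshd: Failed password for carol from 203.0.113.7
2023-06-01T10:00:10Z auth sshd: Failed password for dave from 203.0.113.7
2023-06-01T10:00:13Z auth sshd: Failed password for erin from 203.0.113.7
2023-06-01T10:00:16Z auth sshd: Failed password for frank from 203.0.113.7
2023-06-01T10:05:40Z auth sshd: Accepted password for frank from 203.0.113.7
2023-06-01T10:01:00Z auth sshd: Failed password for admin from 198.51.100.9
2023-06-01T10:01:01Z auth sshd: Failed password for admin from 198.51.100.9
2023-06-01T10:01:02Z auth sshd: Failed password for admin from 198.51.100.9
2023-06-01T10:01:03Z auth sshd: Failed password for admin from 198.51.100.9
2023-06-01T10:01:04Z auth sshd: Failed password for admin from 198.51.100.9
2023-06-01T10:01:05Z auth sshd: Failed password for admin from 198.51.100.9
2023-06-01T10:02:00Z auth sshd: Failed password for alice from 192.0.2.5
2023-06-01T10:02:30Z auth sshd: Accepted password for alice from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth \S+: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag a source IP as spraying when, inside one window, it fails against at
    least `min_users` distinct accounts with no more than `max_per_user` failures
    each. A brute force against a single account never meets the distinct-user
    bar, so it is not reported here. Successful logins from the same source for
    any sprayed account after the window start are listed as `compromised`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprayed = set(per_user)
                compromised = sorted({e["user"] for e in evs
                                      if e["ok"] and e["user"] in sprayed
                                      and e["ts"] >= start["ts"]})
                findings.append({
                    "source_ip": ip,
                    "first_seen": start["ts"],
                    "distinct_users": len(per_user),
                    "max_failures_per_user": max(per_user.values()),
                    "compromised": compromised,
                })
                break  # one finding per source IP is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_events(SAMPLE_LOG)):
        print(f"{f['source_ip']}: {f['distinct_users']} accounts, "
              f"max {f['max_failures_per_user']} failures each, "
              f"compromised={f['compromised'] or 'none'}")
```

The thresholds are deliberately the knobs a spray is tuned to evade: `max_per_user` should sit at or below the account lockout threshold in your environment, and `window` should be wide enough to catch a slow spray that spaces attempts out over hours. Run against the constructed log, only 203.0.113.7 is reported, with `frank` listed as compromised.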

Exposed Confluence: Another Victim of the Password Spraying Attack

In addition to Password Spraying Attacks, APT33 also allegedly exploited unpatched Confluence servers to gain access to victims’ networks.

Confluence is a collaborative platform developed by Atlassian, allowing users to track tasks and changes in real time within their team and organization. Confluence offers a variety of plugins and integrations that can be expanded based on the needs of its users. This allows users to customize Confluence to suit their work style and readily integrate its service with other tools. However, the same richness means that once an attacker penetrates the system, there is a great deal of information to steal, which makes Confluence an attractive target. Confluence’s Zero-Day Vulnerability in 2022 was a major alarm for the cybersecurity industry worldwide. We now want to find out how many Confluence spaces are exposed to the internet.

Exposed Confluence IP addresses detected by Criminal IP: A Confluence login page is exposed on Port 443

More than 6,600 Confluence Spaces Exposed On The Internet

The following is a Criminal IP Asset Search result for Atlassian Confluence using a specific tech_stack filter. More than 6,600 devices running Atlassian Confluence were found exposed on the internet.

Not all of these exposed Confluence spaces are vulnerable to attacks. However, if they are also affected by vulnerabilities such as authentication bypass or remote code execution (RCE), they are at extreme risk. Confluence is a collection of a company’s or institution’s confidential information, so even a single successful attack can cause immense damage. With new bugs and vulnerabilities being discovered on a daily basis, companies and institutions that use Confluence should completely block external access to their Confluence servers.
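Before an organization can block external access, it has to know which of its own internet-facing hosts are actually Confluence and whether the login page itself is reachable, which is what the Port 443 finding above illustrates. The following is an added example, not code from the article or from Criminal IP: it classifies constructed HTTP responses (hypothetical hosts and bodies, not real scan data) from an organization’s own external hosts as Confluence or not, extracts the version, and ranks an exposed login form above an instance that only presents an SSO link. The `X-Confluence-Request-Time` header, the `ajs-version-number` meta tag, the `loginform` id and the `os_username` field are assumptions about what a Confluence instance emits; check them against your own instance before relying on them.

```python
import re

# Constructed probe results (hypothetical hosts, not data from the article):
# each entry is (host, response headers, response body) as returned by an
# HTTPS request to the login path of one of your own externally reachable servers.
PROBES = [
    ("wiki.example.test",
     {"Server": "nginx", "X-Confluence-Request-Time": "1694700000000"},
     '<html><head><meta name="ajs-version-number" content="7.19.2">'
     '<title>Log In - Confluence</title></head><body>'
     '<form id="loginform" action="/dologin.action" method="post">'
     '<input name="os_username"><input name="os_password"></form></body></html>'),
    ("docs.example.test",
     {"X-Confluence-Request-Time": "1694700000001"},
     '<html><head><meta name="ajs-version-number" content="8.5.0"></head>'
     '<body><a href="https://sso.example.test/saml">Sign in with SSO</a></body></html>'),
    ("www.example.test",
     {"Server": "Apache"},
     "<html><body><h1>It works!</h1></body></html>"),
]

# Assumed Confluence markers (see lead-in); verify against your own instance.
VERSION_RE = re.compile(r'<meta name="ajs-version-number" content="([^"]+)"')
REQUEST_TIME_HEADER = "x-confluence-request-time"


def fingerprint(headers, body):
    """Classify one HTTP response: is it Confluence, which version, and is the
    native login form (not just an SSO redirect) served to the internet."""
    lowered = {k.lower(): v for k, v in headers.items()}
    version_match = VERSION_RE.search(body)
    is_confluence = REQUEST_TIME_HEADER in lowered or version_match is not None
    login_form = 'id="loginform"' in body or 'name="os_username"' in body
    return {
        "is_confluence": is_confluence,
        "version": version_match.group(1) if version_match else None,
        "login_form_exposed": is_confluence and login_form,
    }


def triage(probes):
    """Return one finding per Confluence host, highest severity first."""
    findings = []
    for host, headers, body in probes:
        fp = fingerprint(headers, body)
        if not fp["is_confluence"]:
            continue
        if fp["login_form_exposed"]:
            severity = "high"
            action = "restrict external access: native Confluence login form reachable from the internet"
        else:
            severity = "medium"
            action = "Confluence reachable from the internet: confirm SSO enforcement and current patch level"
        findings.append({"host": host, "version": fp["version"],
                         "severity": severity, "action": action})
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for f in triage(PROBES):
        print(f"{f['severity']:6} {f['host']:20} {f['version'] or '?':8} {f['action']}")
```

The version string is collected so the output can be compared with Atlassian’s advisories, which the article recommends checking; the example deliberately does not hard-code any version threshold, because that changes with every advisory. Hosts that are not Confluence are dropped from the findings rather than reported as clean, since the markers above only establish presence, not absence.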

Search Query: tech_stack: “Atlassian Confluence”

Using the tech_stack filter on Criminal IP Asset Search to search for Atlassian Confluence devices

Using Element Analysis on Criminal IP, you can use the same tech_stack: “Atlassian Confluence” query to view the statistics of countries using exposed Confluence servers.

74 countries were found to be using Confluence with exposed spaces. Among those, the United States had the highest number with 1,993, followed by Germany with 1,495 and China with 453.

Statistics of countries using exposed Confluence spaces detected in Criminal IP

APT33, the group behind the incident, abused exposed Confluence spaces as one of its routes into internal networks. This reminds us once again how important it is to keep software and systems up to date with the latest security patches and to check for vulnerable devices.

It is important to check the official Atlassian website or security news vendors for the latest information on such security issues. In addition, attacks can be prevented in advance by monitoring exposed and vulnerable devices and tracking device status on CTI search engines such as Criminal IP.

Check out our article on the 2022 Zero-Day Vulnerability in Atlassian Confluence. 

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. 
Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat intelligence.

Source: Criminal IP (https://www.criminalip.io/en)
