Hello and welcome to the Thursday, December 21st, 2003 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today I wrote quickly about an increase that we're seeing in exploit attempts for Lation Confluence Server CVE 2020-1218.

The vulnerability being exploited here, or at least attempted to be exploited, here is an authentication bypass for the setup restore feature.

This vulnerability would allow an attacker to basically upload a configuration to your Confluence server and with that, of course, gain full access, including arbitrary code execution

on the Confluence server.

Now, this is not a new vulnerability.

Was revealed very early first few days of November.

And we have seen some attacks against this vulnerability.

Actually, we saw a pretty high number.

Again, very specific sensors early on.

But these early attacks, they were more targeting sort of known confluence servers.

What we see now is a lower overall level of attacks, but against more targets,

indicating that they're probably just basically hitting random web servers, hoping that they are actually confluence servers that got missed in these initial scans.

Given the severity of the vulnerability, this is certainly something that you should take serious.

Now, a lot of organizations that use these Adelation tools don't necessarily

run them on-premise. They may actually use some cloud-based solutions by Adelation, so then

they'll take care of patching for you. But certainly something to take a quick look at the IP

address doing the scanning is sort of your

random digital ocean IP address. I believe it is located in England. What's sort of a little bit

concerning about this particular IP address is it does appear to be running Adelaide's software

itself. So it's likely a compromised system. It appears to be running adhesion software itself. So it's likely a compromised system. It appears to

...