Juniper Threat Labs is seeing an ongoing attack targeting Confluence servers. On August 25, Atlassian, the company behind Confluence, disclosed the vulnerability CVE-2021-26084. A few days after that, several proofs-of-concept for exploiting this vulnerability surfaced online, including one that achieves unauthenticated remote code execution (RCE). Shortly afterwards, on September 02, we started seeing active exploitation of this vulnerability in our telemetry.
Most of the attacks are on port 8090, which is the default port for Confluence.
A dominant attack we have seen is an attack by the Muhstik botnet.
The attack downloads a shell script, conf2, from 188.8.131.52 and executes it with bash. The script then downloads the additional binaries dk86 and dk32 from 184.108.40.206 and
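The attack chain described above gives a defender a small set of indicators to hunt for: the two download hosts, the payload names conf2, dk86 and dk32, and the pattern of a shell interpreter executing the dropped script. The following Python script is an added example, not part of the Juniper Threat Labs write-up, that matches those indicators against egress-proxy and process-execution log lines. The log format (`dst=`, `url=`, `cmd="..."` key/value fields) and the sample lines are constructed for this example; adapt the regular expressions to your own proxy and EDR log schema.

```python
import re
from dataclasses import dataclass, field

# Indicators as reported in the write-up above.
IOC_IPS = {"188.8.131.52", "184.108.40.206"}
IOC_FILES = {"conf2", "dk86", "dk32"}

# Constructed sample log lines (assumed key/value format, not real telemetry).
SAMPLE_LOGS = [
    '2021-09-02T10:14:05Z proxy src=10.0.5.21 dst=188.8.131.52 dport=80 method=GET url=/conf2',
    '2021-09-02T10:14:06Z proc host=confluence-01 user=confluence cmd="bash /tmp/conf2"',
    '2021-09-02T10:14:09Z proxy src=10.0.5.21 dst=184.108.40.206 dport=80 method=GET url=/dk86',
    '2021-09-02T10:15:00Z proxy src=10.0.5.22 dst=93.184.216.34 dport=443 method=GET url=/index.html',
    '2021-09-02T10:16:00Z proc host=confluence-01 user=confluence cmd="java -jar confluence.jar"',
]

IP_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"\burl=(\S+)")
CMD_RE = re.compile(r'cmd="([^"]*)"')


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)


def analyze_line(line):
    """Return the list of indicator matches found in one log line (empty if none)."""
    reasons = []

    # 1. Outbound connection to one of the reported download hosts.
    m = IP_RE.search(line)
    if m and m.group(1) in IOC_IPS:
        reasons.append(f"destination {m.group(1)} is a reported Muhstik download host")

    # 2. Fetch of one of the reported payload names, matched on the URL's last path segment.
    m = URL_RE.search(line)
    if m:
        name = m.group(1).rsplit("/", 1)[-1]
        if name in IOC_FILES:
            reasons.append(f"download of payload name {name}")

    # 3. A shell interpreter executing one of the dropped files (the write-up reports bash).
    m = CMD_RE.search(line)
    if m:
        tokens = m.group(1).split()
        if tokens and tokens[0] in ("bash", "sh"):
            basenames = {t.rsplit("/", 1)[-1] for t in tokens[1:]}
            executed = basenames & IOC_FILES
            if executed:
                reasons.append(f"shell execution of {', '.join(sorted(executed))}")

    return reasons


def scan(lines):
    """Run analyze_line over every line and keep only the ones with at least one match."""
    hits = []
    for line in lines:
        reasons = analyze_line(line)
        if reasons:
            hits.append(Hit(line, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit.line)
        for reason in hit.reasons:
            print("   ->", reason)
```

Run on the constructed sample, the scan flags the two proxy fetches and the bash execution of conf2 while leaving the unrelated HTTPS request and the Confluence Java process alone. Because the write-up notes that most attacks arrive on port 8090, the default Confluence port, the complementary control is to confirm that port is not reachable from untrusted networks; the script above only covers the post-exploitation indicators the article names.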