Sydney, June 2, 2022, 06:25 local time - It’s nine degrees Celsius outside, in stark contrast to the rising heat inside the headquarters of software provider Atlassian. Those in charge are just realizing that their software Confluence has a previously unknown vulnerability, in the jargon of security experts a “zero-day.” The term refers to a security vulnerability that has only just become known, on day zero of its lifetime. And it is the job of cybersecurity agents to ensure that it does not live to see the end of the day.
Inform the public and develop countermeasures
Sydney, June 2, 2022, 06:30 local time - Atlassian’s security experts scramble into action. First, they take measures to temporarily close the breach. Simultaneously, they compile all available information in an email for Confluence users.
Cybercriminals have used the vulnerability to carry out a remote code execution (RCE) attack, in which arbitrary program code is executed without permission. The attackers are then able to run malware, take control of the computer, destroy or steal data and cause days of downtime. The list of consequences is immense; an RCE attack is one of the most dangerous cyberattacks there is.
Sydney, June 2, 2022, 06:50 local time - Atlassian sends emails to all users and publishes the information on its website. The world now knows about the breach. As always, the information is quickly shared by security experts via blogs and discussion forums.
In this way, other cybercriminals also learn about the breach. Experience shows that malware developers immediately get to work trying to exploit the gap with a malicious program. But Atlassian developers are already working at full speed on a new software release that closes the gap. Speed is essential. Security specialists and cybercriminals are racing against time: who is faster, the patch or the first malware?
Risk Assessment and Quick First Aid
Berlin, June 3, 2022, 00:56 local time - kreuzwerker. An email from Atlassian arrives. Since Sydney is eight time zones ahead, it’s still night in Berlin. But at least one person is not sleeping. The on-call agent scans the information and immediately alerts all relevant administrators and developers via Slack.
Berlin, June 3, 2022, 08:00 local time - The admins and security specialists are already at work. They analyze the information from Atlassian and the situation in their own infrastructure. The first insight: thanks to the architecture, only Confluence itself is affected.
The application runs in a container infrastructure that does not allow any impact on other systems. This is because the individual containers are separated from each other and from all other applications. Therefore, malware cannot access other processes and cause even more damage.
Atlassian’s recommended workaround is quickly implemented. This includes blocking requests that match certain URL patterns and restricting access to the instances through so-called IP whitelisting. Now only certain network addresses can reach the Confluence environment. Gradually, more information arrives. Atlassian recommends replacing some files and gives a release schedule for a patch that will close the gap.
The gap is closed: error correction is rolled out
Berlin, June 3, 2022, 11:00 local time - All defensive measures are in place. This breach affected a number of customers who were constantly kept up to date with the latest information. Preparations then began for a rollout of a new, corrected Confluence version.
Sydney, June 3, 2022, 12:30 local time - Atlassian developers have closed the breach and are distributing the update through the usual channels. It is now 19:30 in Berlin. The rollout starts immediately after the new application packages arrive. It runs automatically because the infrastructure is automated. So far, there are no security problems, and the containers are booting up without any problems.
Berlin, June 3, 2022, 22:00 local time - The admins detect a first attempt to exploit the breach, but it fails because of the countermeasures. This is a proof-of-concept (PoC) probe: the attacker is only checking whether the vulnerability still exists and causes no damage. This procedure is typical for cybercriminals. They scan network addresses and ports until they find an uncorrected vulnerability.
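The two workaround measures described above (blocking requests by URL pattern and IP whitelisting) and the blocked probe attempt just mentioned can be illustrated in one small request filter. The following is an added example, not kreuzwerker’s or Atlassian’s code: the network ranges, the blocked patterns and the sample traffic are constructed placeholders, and the real patterns a vendor publishes for a given vulnerability would be substituted for them.

```python
"""Request filter with IP allowlisting and URL-pattern blocking.

Added example; not code from kreuzwerker or Atlassian. All networks, patterns
and sample requests below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed allowlist: only clients in these networks may reach Confluence.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),     # placeholder internal range
    ipaddress.ip_network("192.0.2.0/24"),   # placeholder office range (TEST-NET-1)
]

# Constructed placeholder patterns; replace with the vendor's published list.
BLOCKED_PATH_PATTERNS = [
    re.compile(r"^/example-blocked-prefix/"),  # placeholder path prefix
    re.compile(r"\.\./"),                      # generic traversal sequence
]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def client_is_allowlisted(client_ip: str) -> bool:
    """True if client_ip lies in one of ALLOWED_NETWORKS; malformed input is denied."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def path_is_blocked(path: str) -> bool:
    """Match against the percent-decoded path so encoded variants (e.g. %2e%2e%2f)
    are caught as well as the literal form."""
    decoded = unquote(path)
    return any(p.search(decoded) for p in BLOCKED_PATH_PATTERNS)


def evaluate_request(client_ip: str, path: str) -> Decision:
    """Allowlist check first, then URL-pattern check; any deny wins."""
    if not client_is_allowlisted(client_ip):
        return Decision(False, "ip_not_allowlisted")
    if path_is_blocked(path):
        return Decision(False, "blocked_url_pattern")
    return Decision(True, "ok")


# Constructed sample traffic (timestamp, client, path); not real log data.
SAMPLE_REQUESTS = [
    ("2022-06-03T21:58:01+02:00", "10.1.2.3", "/wiki/spaces/OPS/overview"),
    ("2022-06-03T22:00:14+02:00", "203.0.113.45", "/wiki/spaces/OPS/overview"),
    ("2022-06-03T22:00:15+02:00", "203.0.113.45", "/example-blocked-prefix/probe"),
    ("2022-06-03T22:00:16+02:00", "10.1.2.3", "/example-blocked-prefix/%2e%2e%2f"),
    ("2022-06-03T22:00:17+02:00", "not-an-ip", "/wiki/"),
]


def process_requests(requests):
    """Apply the filter to each request; return (alert lines, counts per reason).

    The alert lines are what an on-call admin would see when a probe is blocked."""
    alerts = []
    counts = {}
    for ts, ip, path in requests:
        decision = evaluate_request(ip, path)
        counts[decision.reason] = counts.get(decision.reason, 0) + 1
        if not decision.allowed:
            alerts.append(f"{ts} BLOCKED client={ip} path={path} reason={decision.reason}")
    return alerts, counts


if __name__ == "__main__":
    alert_lines, reason_counts = process_requests(SAMPLE_REQUESTS)
    for line in alert_lines:
        print(line)
    print(reason_counts)
```

The order of the checks matters in practice: the allowlist rejects unknown sources before any pattern is evaluated, so probes from outside the permitted networks show up as `ip_not_allowlisted` regardless of what they request, while the pattern rule catches unwanted requests that arrive from otherwise trusted addresses. Matching on the decoded path is the edge case worth remembering; a filter that compares only the raw string is bypassed by percent-encoding.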
Thanks to the countermeasures, the attack was unsuccessful. This shows that reliable vulnerability management, proven operational processes and efficient infrastructure automation are crucial for the secure operation of an IT infrastructure. They allow rapid responses and reliably protect customer systems.
Berlin, June 3, 2022, 23:00 local time - The rollout is complete. All Confluence instances are secure and running the new version without the vulnerability. No more unusual incidents; a lot of people sigh in relief.
Conclusion: vulnerability management is the name of the game
This vulnerability incident in Confluence shows just how important quick reactions in cybersecurity are. Criminals must not have a chance to exploit a newly identified vulnerability. Constant vigilance and the right processes are required to react at lightning speed and close the gap.
Hand on heart: is your company capable of this? Even at night or on weekends? Are you prepared? Your business operations depend heavily on functioning IT. That’s why vulnerability management belongs in the hands of experienced security experts - as part of a managed service that lets you sleep soundly in any time zone.