Heat map of attacker IPs
Barracuda researchers identify Atlassian Confluence and Azure OMI attacks conducted through remote code execution vulnerabilities

550 unique attacker IPs were discovered to have attempted to exploit the Confluence vulnerability.

October 19, 2021: Researchers at Barracuda, a leading provider of cloud-enabled security solutions, have uncovered attacks conducted through two remote code execution vulnerabilities: the Atlassian Confluence OGNL injection vulnerability and the Azure Open Management Infrastructure (OMI) vulnerability. The researchers analysed attempts to exploit these vulnerabilities over a period of 45 days in August and September and found spikes in attacks coming from more than 500 unique attacker IPs.

Remote code execution (RCE) describes the execution of arbitrary code on a computer system by a threat actor who has no direct access to the console but can nonetheless take complete control of the system. Atlassian first published the Atlassian Confluence OGNL injection vulnerability on August 25, 2021. This vulnerability allows threat actors to send a “POST” request to the Confluence template engine without authorization, which grants the threat actor “root” access to the system.

After analyzing data from late August through the end of September, Barracuda researchers found that attacks against the Confluence vulnerability started to spike. They continued to rise, as many Confluence users still run a vulnerable version of the software.

Meanwhile, Azure disclosed a vulnerability on September 15, 2021, affecting Azure Open Management Infrastructure (OMI), a software agent that is silently pre-installed and deployed within cloud environments. This silent installation puts Azure customers at risk until they update their systems to the latest version of OMI. Attackers target these systems by sending a specially crafted HTTPS message to one of the ports listening for OMI traffic to gain initial access to the machine. They can then pass a command to the machine without an authorization header, which the OMI server treats as trusted, giving the attacker “root” access to the system.
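The defining trait of the OMI attack described above is a request to an OMI listener port that carries no Authorization header. The following detector, an added example that is not part of the Barracuda article, walks constructed WAF/proxy access records, flags requests matching that pattern, and counts the distinct source IPs behind them. The port numbers (5985, 5986), the record layout and the sample records are assumptions made for this example.

```python
# Added example, not Barracuda's code: flag requests to assumed OMI listener
# ports that carry no Authorization header, then count unique source IPs.
import json
from typing import Dict, List, Set, Tuple

# Assumed OMI listener ports; adjust to what your own inventory shows.
OMI_PORTS = {5985, 5986}

# Constructed sample records (newline-delimited JSON), not real traffic.
SAMPLE_LOG = """
{"src_ip": "203.0.113.10", "dst_port": 5986, "method": "POST", "path": "/wsman", "headers": {"Content-Type": "application/soap+xml"}}
{"src_ip": "198.51.100.7", "dst_port": 5986, "method": "POST", "path": "/wsman", "headers": {"Authorization": "Basic REDACTED", "Content-Type": "application/soap+xml"}}
{"src_ip": "203.0.113.10", "dst_port": 443, "method": "GET", "path": "/", "headers": {}}
not-json-at-all
{"src_ip": "192.0.2.44", "dst_port": 5985, "method": "POST", "path": "/wsman", "headers": {}}
"""


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole scan
    return records


def is_unauthenticated_omi_request(rec: Dict) -> bool:
    """True when the request hits an OMI port with no Authorization header."""
    if rec.get("dst_port") not in OMI_PORTS:
        return False
    # Header names are case-insensitive, so normalise before checking.
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    return "authorization" not in headers


def find_suspicious(records: List[Dict]) -> Tuple[List[Dict], Set[str]]:
    """Return the flagged records and the distinct source IPs behind them."""
    hits = [r for r in records if is_unauthenticated_omi_request(r)]
    return hits, {r.get("src_ip", "unknown") for r in hits}


if __name__ == "__main__":
    hits, ips = find_suspicious(parse_records(SAMPLE_LOG))
    print(f"{len(hits)} unauthenticated OMI requests from {len(ips)} unique IPs")
```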

After the initial spike on September 18, Barracuda researchers saw the number of attempted attacks drop off, but attacks continued to spike and then level out over time.

During Barracuda’s analysis of attacks over the 45 days in August and September, 550 unique attacker IPs were discovered to have attempted to exploit the Atlassian Confluence vulnerability, and 542 unique attacker IPs were trying to exploit the Azure OMI vulnerability.

Says Tushar Richabadas, Senior Product Marketing Manager, Barracuda: “There were multiple attackers behind each IP, which means the number of attacks was significantly higher than the number of IPs. Most attacker IPs are based in the U.S. as well as countries such as Russia, United Kingdom, Poland, and India. Our researchers uncovered this information using client fingerprinting and other techniques. These attackers are attempting to exploit these vulnerabilities, and so organisations are required to be one step ahead to protect their web applications.”

Considering the growing number of web application vulnerabilities, all-in-one solutions are now available to protect web applications from being exploited. Organisations can deploy WAF/WAF-as-a-Service solutions, also known as Web Application and API Protection (WAAP) services, to protect their web applications.

The need for a WAF-as-a-Service or WAAP solution has never been more relevant than now, with many workforces still supporting remote work and many applications moving online. Organizations need a solution that includes bot mitigation, DDoS protection, and API security.