
Mitigating CVE-2021-26084: Protecting Confluence Server and Data Center from Cyber Threats in the Financial Sector

Executive Summary

Financial services firms remain a prime target for attackers looking for a route to sensitive data and money. This report focuses on CVE-2021-26084, a critical OGNL injection vulnerability in Confluence Server and Data Center that has been exploited in the wild. It explains the vulnerability, how attackers exploit it, which advanced persistent threat (APT) groups frequently target the financial sector, and what organizations can do to protect their Confluence instances and the data behind them.

Technical Information

CVE-2021-26084 is a critical (CVSS 9.8) vulnerability in Confluence Server and Data Center, collaboration platforms widely deployed in financial services; Confluence Cloud is not affected. User-supplied input reaches Object-Graph Navigation Language (OGNL) expression evaluation inside Confluence's Velocity templates, and the check meant to keep that evaluation safe can be bypassed: public exploits use the Unicode escape \u0027 (a single quote) to break out of a quoted string without tripping the filter. The result is arbitrary code execution as the account running Confluence, reachable over the network and without any credentials, which is what makes the flaw so attractive to attackers.

Atlassian published its advisory and fixed releases on 25 August 2021, and mass exploitation of internet-facing instances followed within days; CISA lists the CVE in its Known Exploited Vulnerabilities catalog. An attacker sends a crafted OGNL expression to the vulnerable instance and obtains remote code execution on the server, from which unauthorized access to sensitive data, data exfiltration and lateral movement into the rest of the network all follow. Proof-of-concept (PoC) exploits have been public on GitHub and Packet Storm Security since shortly after disclosure, so no particular skill is needed to attack an unpatched instance.

The financial services sector is a prime target because of the value of the data it handles and the direct financial gain a compromise can bring. A flaw like CVE-2021-26084 gives an attacker an initial foothold on an internal collaboration server that typically holds architecture documents, credentials pasted into pages, and links into other systems, so exploitation rarely ends at the wiki. Defending against it requires both timely patching and continuous monitoring for signs that exploitation has already happened.

Exploitation in the Wild

CVE-2021-26084 has been actively exploited in the wild, with multiple reports of successful attacks on exposed Confluence Server and Data Center instances. Public proof-of-concept exploits send an OGNL expression in the queryString parameter of Confluence's page-creation endpoints, and real attacks followed the same pattern to obtain remote code execution and access to the data stored in the wiki. Because those PoCs are freely available on GitHub and Packet Storm Security, both opportunistic mass scanning and targeted intrusions are trivial to carry out, which makes this a significant threat to financial institutions that run Confluence on-premises or reachable from the internet.
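As an added illustration of what that traffic looks like to a defender (example code written for this report, not taken from the original page, from Atlassian or from any exploit), the Python below scans web server access-log lines for requests to the endpoints that public CVE-2021-26084 PoCs target and for the \u0027 escape and Java reflection strings their payloads carry. The endpoint list, the marker list and the three log lines are constructed assumptions for the example; the verdicts separate requests whose payload is visible from POSTs whose body an access log never records.

```python
import re
from urllib.parse import urlsplit, unquote

# Confluence endpoints that public proof-of-concept code for CVE-2021-26084 sends its
# injected "queryString" parameter to. Assumption drawn from the published PoC traffic;
# extend it with anything your own WAF or proxy logs show.
SUSPECT_PATHS = (
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
    "/pages/createpage.action",
)

# Substrings that betray an OGNL expression smuggled into a template variable. The
# Unicode escape \u0027 is a single quote that closes the template string without
# tripping the literal-quote safety check; the rest are the usual Java reflection
# and shell-out calls a payload needs once it is evaluated. Compared lower-cased.
OGNL_MARKERS = ("\\u0027", "#{", "class.forname", "scriptenginemanager",
                "getruntime", "processbuilder")

# Apache/Tomcat "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _decode(s):
    """Undo two layers of URL encoding so %255Cu0027 and %5Cu0027 both become \\u0027."""
    return unquote(unquote(s or "")).lower()


def classify_request(method, target, body=""):
    """Return 'exploit', 'review' or None for one HTTP request.

    'exploit': a vulnerable endpoint was hit and the query or body carries OGNL markers.
    'review' : a vulnerable endpoint got a POST whose body we could not see (access logs
               never record bodies, and the public PoC posts its payload), so the request
               needs a look in WAF or reverse-proxy captures before it can be cleared.
    """
    parts = urlsplit(target)
    if not any(parts.path.endswith(p) for p in SUSPECT_PATHS):
        return None
    haystack = _decode(parts.query) + "\n" + _decode(body)
    if any(marker in haystack for marker in OGNL_MARKERS):
        return "exploit"
    if method == "POST" and not body:
        return "review"
    return None


def scan_access_log(lines):
    """Return (verdict, client_ip, target) for every log line worth attention."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line; skip noise
        verdict = classify_request(m["method"], m["target"])
        if verdict:
            hits.append((verdict, m["ip"], m["target"]))
    return hits


# Constructed sample lines (not real traffic): a normal page view, a GET carrying a
# double-URL-encoded \u0027 breakout in queryString, and a POST to a vulnerable
# endpoint whose body the access log cannot show.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET /display/FIN/Q3+Close HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Sep/2021:10:00:07 +0000] "GET /pages/createpage-entervariables.action'
    '?SpaceKey=x&queryString=%255Cu0027%252B%2523%257BClass.forName(%255Cu0027javax.script.'
    'ScriptEngineManager%255Cu0027)%257D%252B%255Cu0027 HTTP/1.1" 200 3034',
    '203.0.113.9 - - [01/Sep/2021:10:00:09 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 200 3034',
]

if __name__ == "__main__":
    for verdict, ip, target in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:8} {ip:15} {target[:70]}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; anything marked "review" should be cross-checked against WAF or reverse-proxy body captures, because the published PoC delivers its payload in the POST body and a plain access log cannot clear or confirm it.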

APT Groups using this vulnerability

No specific APT group has been publicly tied to exploitation of CVE-2021-26084, but the financial services sector is a frequent target of groups such as APT29, APT41, Thallium (Microsoft's name for the North Korean group also tracked as Kimsuky), Lazarus, TA413 and TA428. These groups are well resourced, persistent and focused on organizations holding high-value data, and they routinely use public exploits for internet-facing software, supply-chain compromise and other advanced techniques to obtain initial access and reach sensitive data.

Affected Product Versions

CVE-2021-26084 affects Confluence Server and Data Center in all versions before 6.13.23; in 6.14.0 up to but not including 7.4.11; in 7.5.0 up to but not including 7.11.6; and in 7.12.0 up to but not including 7.12.5. The fixed releases are 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0 or later. Confluence Cloud is not affected. Organizations running these platforms should check the exact version on every node (Data Center clusters can drift) and upgrade any vulnerable instance.
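To turn those ranges into a check that can be run across an inventory, here is an added Python example written for this report (not Atlassian's own tooling). The ranges are the ones listed above; the inventory and hostnames are constructed, and the ajs-version-number meta tag used to pull a version out of a Confluence page is an assumption about the page markup that should be confirmed against your own instance's login page.

```python
import re

# Vulnerable ranges from Atlassian's advisory for CVE-2021-26084. Each entry is
# [first_affected, first_fixed): the second value is the first release on that
# branch that contains the patch, so it is NOT vulnerable.
VULNERABLE_RANGES = (
    ((0, 0, 0),  (6, 13, 23)),   # everything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),    # 6.14.0 up to, but not including, 7.4.11
    ((7, 5, 0),  (7, 11, 6)),    # 7.5.0 up to, but not including, 7.11.6
    ((7, 12, 0), (7, 12, 5)),    # 7.12.0 up to, but not including, 7.12.5
)


def parse_version(text):
    """'7.12.4' -> (7, 12, 4). A missing component counts as 0, so '7.13' -> (7, 13, 0).

    Anything that is not one to three dot-separated integers is rejected rather than
    guessed at: a wrong parse here would silently clear a vulnerable host.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Confluence version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def first_fixed_release(version):
    """Return the first patched release on the host's branch, or None if already patched."""
    v = parse_version(version)
    for low, fixed in VULNERABLE_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_vulnerable(version):
    return first_fixed_release(version) is not None


# Confluence pages embed the running version in an "ajs-version-number" meta tag
# (assumption about the page markup; confirm against your own instance's login page).
META_RE = re.compile(r'<meta\s+name="ajs-version-number"[^>]*content="([^"]+)"', re.I)


def version_from_html(html):
    """Extract the version string from a fetched Confluence page, or None if absent."""
    m = META_RE.search(html)
    return m.group(1) if m else None


def triage(inventory):
    """Map host -> first fixed release for every vulnerable host in a {host: version} dict."""
    return {host: first_fixed_release(ver) for host, ver in inventory.items()
            if is_vulnerable(ver)}


# Constructed inventory (not real hosts) covering each branch plus an already-patched node.
SAMPLE_INVENTORY = {
    "wiki-legacy.example.test": "6.13.22",
    "wiki-dc-1.example.test":   "7.4.10",
    "wiki-dc-2.example.test":   "7.11.6",
    "wiki-dev.example.test":    "7.12.4",
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {fix}")
```

Feed triage() with versions gathered from each node (for a Data Center cluster, query every node rather than the load balancer, since a half-upgraded cluster still has vulnerable members); version_from_html() lets you populate the inventory from a fetched login page when shell access to the host is not available.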

Workaround and Mitigation

The only complete fix is to upgrade every Confluence Server and Data Center node to a fixed release. Where an upgrade cannot happen immediately, Atlassian published a temporary workaround script that hardens the affected Velocity templates in place; it must be run on every node and does not replace the upgrade. Keep Confluence off the public internet or behind an authenticating reverse proxy, and use network segmentation so that a compromised wiki server cannot reach core banking systems or identity infrastructure. Multi-factor authentication (MFA) does not stop this vulnerability, since the exploit needs no credentials; it still limits what an attacker can do with accounts harvested after the compromise, so it remains worth enforcing. Treat any instance that was exposed while unpatched as potentially compromised: patching removes the entry point but not webshells, added administrator accounts, scheduled tasks or crypto-miners left behind, so review web server logs, the Confluence installation and home directories, and the process tree of the Confluence service account before declaring the incident closed. Finally, develop and regularly test incident response plans so that recovery is quick and the impact on operations is minimized.

References

For further information on CVE-2021-26084 and its exploitation, see the following resources:
UpGuard Blog, The 6 Biggest Cyber Threats for Financial Services in 2024: https://www.upguard.com/blog/biggest-cyber-threats-for-financial-services
CISA Known Exploited Vulnerabilities Catalog (lists CVE-2021-26084)
Packet Storm Security, Confluence Server 7.12.4 OGNL Injection Remote Code Execution (PoC exploit): http://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html
GitHub, PoC exploit: https://github.com/0xf4n9x/CVE-2021-26084

Rescana is here for you

At Rescana, we understand the challenges faced by the financial services sector in defending against cyber threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify and mitigate vulnerabilities, ensuring robust security measures are in place to protect sensitive data and assets. We are committed to supporting our customers in navigating the complex cybersecurity landscape. If you have any questions about this report or any other issue, please feel free to contact us at ops@rescana.com.