Rapid7: Access to 50 Vulnerable Networks Available on Dark Web
The Rapid7 Threat Intelligence team has uncovered an access broker selling root access to 50 vulnerable networks on the dark web. All are allegedly within the United States.
The same access broker claims to have a list of 10,000 additional vulnerable but unexploited machines that they are also willing to sell separately from the 50 compromised networks. Rapid7’s telemetry suggests that the 10,000 figure is high, but the seller has a good reputation on the forum, so Rapid7 is inclined to believe their claims.
Erick Galinkin is a principal artificial intelligence (AI) researcher at Rapid7.
“Though we’ve seen a great uptick in patching through our telemetry, attackers are still exploiting vulnerable internet-facing servers,” he said.
The type and level of potential damage depends on how connected the impacted server is to the rest of the network, Galinkin said.
“These 50 affected Confluence instances are all, according to this threat actor, running as root,” he said. “That means that the attacker is likely able to use techniques like Kerberoasting to try and get additional credentials off the network and move laterally if the server is well-connected.”
Anyone running a Confluence server may be vulnerable, Galinkin said.
“A patch was made available very quickly and detections for vulnerable versions have been public for some time,” he said. “But a large number of these servers are still vulnerable and internet-facing.”
Any organization should immediately:
- Patch any unpatched Confluence servers on their network.
- Place their Confluence server behind a VPN or some other access control.
- If their server has been unpatched, also begin looking for signs of compromise on the vulnerable endpoints.
“We have already seen active exploitation of this vulnerability in the wild, as it is an easy vulnerability to exploit and the attack surface is large,” Galinkin said. “I would anticipate that exploitation of this vulnerability will be ongoing for some time, as our telemetry shows it is one of the most popularly targeted vulnerabilities on the internet at the moment.”