Security Boulevard (Original)

Barracuda Networks Sees Rise in RCE Attacks

Barracuda Networks published a report today revealing that, over a 45-day period in August and September, it observed a spike in attacks from more than 500 unique attacker IP addresses attempting to exploit remote code execution (RCE) vulnerabilities in Atlassian's Confluence wiki and in the Microsoft Azure cloud.

The attacks targeted the Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Confluence platform and a vulnerability in the open source Open Management Infrastructure (OMI) agent, an implementation of the Common Information Model (CIM) used on Azure.

Marcus Gower, an inside engineer for application security at Barracuda Networks, said that in both cases cybercriminals with access to an endpoint were attempting to execute commands over an HTTP request without an authorization header. Normally, the response to such a request would be a 401 “Unauthorized” page. However, if that user can execute commands with root privileges, the vulnerability can be easily exploited, Gower noted.

Atlassian disclosed the Confluence OGNL injection vulnerability last August. It allows an attacker to submit a “POST” request that reaches the Confluence template engine without an authorization header. OGNL expressions injected through the “queryString” and “linkCreation” parameters are evaluated by the template engine, giving the attacker arbitrary Java code execution on the server with the privileges of the Confluence service.

Microsoft, meanwhile, disclosed the OMI vulnerability last September. Azure customers remain at risk until they update their systems to the latest version of OMI. A request sent to the OMI server without an authorization header is treated as a trusted, authenticated command rather than being rejected, and the command is then executed by the SCXcore service, which runs as root, giving the attacker root access to the machine.
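The two conditions described above, OGNL syntax arriving in the “queryString” and “linkCreation” parameters and an OMI command request with no Authorization header, are both visible at the HTTP layer, which is what makes them candidates for a WAF rule. The following is an added example, not code from Barracuda's report or from the article, of request-inspection rules that flag each condition over constructed sample requests. The Confluence endpoint path, the OMI listener ports (5985, 5986, 1270) and the SCX SOAP method names are assumptions about the products, not details taken from the article.

```python
"""Added example, not code from Barracuda's report or the article: two request-
inspection rules of the kind a WAF would apply to the traffic the article
describes.  Both work on parsed HTTP requests:

  * Confluence: OGNL expression syntax in the 'queryString' and 'linkCreation'
    parameters the article names as the injection vector.
  * OMI: a command-execution request to the OMI listener that omits the
    Authorization header, the condition the article says OMI treats as trusted.

The endpoint path, listener ports and SOAP method names are assumptions about
the products, not details taken from the article; the sample requests are
constructed, not captured.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote_plus, urlsplit

# OGNL sigils plus the unicode-escaped quotes used to break out of a template
# string.  Kept narrow so ordinary search text in queryString does not match.
OGNL_MARKERS = re.compile(r"#\{|\$\{|%\{|@[\w.]+@|\\u00(22|27)")
OGNL_PARAMS = ("queryString", "linkCreation")   # parameter names from the article

# Assumption: OMI's WS-Management listener ports and its SCX command methods.
OMI_PORTS = {5985, 5986, 1270}
OMI_EXEC = re.compile(r"ExecuteShellCommand|ExecuteScript", re.IGNORECASE)


@dataclass
class Request:
    """Minimal parsed HTTP request; header names are stored lower-cased."""
    method: str
    target: str                      # path plus query string
    headers: dict = field(default_factory=dict)
    body: str = ""
    dst_port: int = 443


def _params(req: Request) -> dict:
    """Merge query-string and form-encoded body parameters (decoded once)."""
    params = {}
    for k, vs in parse_qs(urlsplit(req.target).query, keep_blank_values=True).items():
        params.setdefault(k, []).extend(vs)
    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and "application/x-www-form-urlencoded" in ctype:
        for k, vs in parse_qs(req.body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(vs)
    return params


def check_confluence_ognl(req: Request) -> list:
    """Flag OGNL syntax in the injectable parameters, double-encoded values included."""
    findings = []
    params = _params(req)
    for name in OGNL_PARAMS:
        for value in params.get(name, []):
            # parse_qs decoded once; decode again so %2523 (-> %23 -> '#') is caught.
            if OGNL_MARKERS.search(value) or OGNL_MARKERS.search(unquote_plus(value)):
                findings.append(f"confluence-ognl: OGNL expression syntax in parameter {name!r}")
    return findings


def check_omi_unauthenticated(req: Request) -> list:
    """Flag command-execution requests to the OMI listener that carry no Authorization header."""
    if req.dst_port not in OMI_PORTS or "authorization" in req.headers:
        return []                    # not OMI, or authenticated: leave it to OMI's own checks
    if OMI_EXEC.search(req.body):
        return ["omi-unauth-exec: command execution request with no Authorization header"]
    return []


def classify(req: Request) -> list:
    """Run every rule; an empty list means the request would be allowed through."""
    return check_confluence_ognl(req) + check_omi_unauthenticated(req)


FORM = {"content-type": "application/x-www-form-urlencoded"}
SOAP = {"content-type": "application/soap+xml;charset=UTF-8"}
OMI_BODY = ("<s:Envelope><s:Body><p:ExecuteShellCommand_INPUT>"
            "<p:command>id</p:command></p:ExecuteShellCommand_INPUT></s:Body></s:Envelope>")

# Constructed sample requests.  The Confluence path is an assumption.
SAMPLES = {
    "confluence_benign": Request("POST", "/pages/createpage-entervariables.action", FORM,
                                 "queryString=release+notes+2021&linkCreation=true"),
    "confluence_ognl": Request("POST", "/pages/createpage-entervariables.action", FORM,
                               "queryString=%5Cu0027%2B%23%7B1*2%7D%2B%5Cu0027&linkCreation=true"),
    "confluence_double_encoded": Request("POST", "/pages/createpage-entervariables.action", FORM,
                                         "queryString=%2524%257B1*2%257D"),
    "omi_unauth": Request("POST", "/wsman", SOAP, OMI_BODY, dst_port=5986),
    "omi_authed": Request("POST", "/wsman", {**SOAP, "authorization": "Basic dXNlcjpwYXNz"},
                          OMI_BODY, dst_port=5986),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:26} {classify(req) or 'allow'}")
```

Two caveats a practitioner should keep in mind. The Confluence rule is a pattern match and will miss encodings it does not decode, so it is a stopgap beside patching, not a substitute for it. The OMI rule only helps when traffic to the OMI listener actually passes through the inspecting device; the durable fix is updating OMI and not exposing its listener ports to untrusted networks at all.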

Barracuda researchers saw a sharp increase in the number of attackers trying to exploit these vulnerabilities this fall. After an initial spike on September 18, the number of attempted attacks dropped off, then spiked again intermittently before leveling out over time, the Barracuda researchers found.

Gower said the attacks could have been thwarted by the presence of a web application firewall (WAF). However, many IT teams still assume a network firewall alone is enough to secure their IT environments.

The number of IT organizations that have deployed any type of WAF remains relatively small. That may change as more organizations embrace DevSecOps best practices that shift more responsibility for application security toward developers, who are likely to have a greater appreciation of the need for a WAF. Right now, however, too many developers still assume, for example, that cloud service providers ensure the security of applications on their behalf.

In the weeks and months ahead, most organizations, one way or another, will be revisiting application security in the wake of a series of high-profile breaches of software supply chains. The issue, as always, will be trying to strike a balance between the need for increased security and the cost of acquiring the right mix of tools and platforms.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
