Attackers are targeting a newly discovered zero day vulnerability in the Atlassian Confluence Server and Data Center that allows remote code execution without authentication. Atlassian is aware of the flaw but does not have a patch available and is encouraging customers running affected versions to remove the Confluence instances from the Internet.
Researchers at Volexity discovered the vulnerability over the weekend while investigating an intrusion at one of its customers and found that the attacker had used the bug to write a webshell to disk on two separate compromised servers. The researchers informed Atlassian of their findings and the company issued an advisory on Thursday. The known-exploited version is Confluence Server 7.18.0, but all other supported versions are vulnerable as well. Atlassian did not say when a patched version of Confluence would be available, but urged affected customers to either restrict Confluence and Data Center instances from Internet access or disable them altogether.
Exploiting the vulnerability (CVE-2022-26134) requires no authentication and gives the attacker arbitrary code execution privileges on the target server.
“An initial review of one of the Confluence Server systems quickly identified that a JSP file had been written into a publicly accessible web directory. The file was a well-known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access,” the Volexity advisory says.
“In parallel, Volexity also processed the acquired memory samples with Volexity Volcano Server. This led to identification of bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell.”
Confluence is a collaborative tool used widely in enterprises to build internal wikis and knowledge bases.
The Volexity researchers said they believe the attackers in the incident they analyzed exploited each of the two compromised servers just one time each and then installed a webshell on each server, which gave them persistent access. After the initial exploitation, the attackers then installed a well-known implant called Behinder.
“This is an ever-popular web server implant with source code available on GitHub. BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out,” the Volexity advisory says.
After gaining initial access and installing the Behinder implant, the attackers performed some basic reconnaissance, dumped the user tables from the Confluence local database, and edited the web access logs in an attempt to cover their tracks. Oddly, the China Chopper webshell that the attackers used is the default, commodity webshell that many attack groups are known to use. Volexity did not attribute the intrusion it investigated to a specific threat actor, but said the attack is probably from China.
“Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China,” the advisory says.
The Cybersecurity and Infrastructure Security Agency issued an advisory late Thursday evening about the flaw, as well.
“CISA urges organizations with affected Atlassian’s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied,” the CISA alert says.
