On June 2nd, Atlassian released a Confluence security advisory regarding a zero-day remote code execution (RCE) vulnerability in all versions of Confluence Server and Data Center that was already being exploited. In this blog post, we discuss the details of this vulnerability and offer some remediation suggestions.
This critical Atlassian Confluence zero-day vulnerability has been assigned CVE-2022-26134. Successful exploitation allows unauthenticated attackers to create new admin accounts, execute commands, and ultimately take over the server.
As with any other RCE vulnerability, the potential damage to the victim's infrastructure can be devastating and, if done right, can lead to a complete domain takeover. A threat actor who successfully exploits it can deploy backdoors, ransomware, and information stealers.
Based on information gathered from past Confluence vulnerabilities, an attacker can exploit this flaw by sending a specially crafted request to a vulnerable Confluence Server or Data Center instance that is exposed to the Internet. Exploitation is fairly simple: the malicious party places the code they wish to run on the vulnerable server in the Uniform Resource Identifier (URI) of a specially crafted HTTP request.
Although most proofs-of-concept (PoCs) for this exploit use the GET method, any request method appears to work, even an invalid one.
The first case of a threat actor exploiting this vulnerability was discovered by Volexity and involved the deployment of BEHINDER, a web server plugin that lets a threat actor create web shells and that supports interaction with Meterpreter and Cobalt Strike. Other payloads deployed through this vulnerability include China Chopper and cryptocurrency miners.
Volexity's initial analysis revealed that attackers were using the vulnerability to drop several malicious web shells into victims' environments. Most attackers used the open-source BEHINDER web server implant, which Avast had previously linked to Chinese threat actors. The researchers noted that China Chopper was installed but, according to the web logs, rarely accessed, leading them to conclude that it was installed simply as a means of secondary access.
Volexity also documented the commands the attackers commonly executed once they had access. Among these were commands to check the operating system version and to examine the contents of password files. The attackers then located the user tables in the Confluence database and dumped them before attempting anti-forensic tactics, altering web logs to remove evidence. They also wrote additional web shells to the victims' disks, although, according to Volexity, not all of these could be recovered.
Specific details of how the exploit works were not made public at the time, but on the afternoon of June 3 a proof-of-concept exploit for the Atlassian Confluence vulnerability was posted publicly. The exploit spread widely online over the weekend, with researchers sharing examples on Twitter of how trivial it was to exploit.
As of June 5th, GreyNoise reported that the number of unique IP addresses attempting to exploit this vulnerability had grown almost tenfold, to 211. At the time of writing, over two dozen PoCs exploiting this vulnerability are available, and the number is only increasing.
As expected, we have already seen threat actors in Telegram and dark web communities sharing PoCs and GitHub repositories that provide free tools to others who wish to weaponize this vulnerability in their campaigns.
This vulnerability is very similar to others we have seen in the past. One of the closest is the well-known Apache Struts2 vulnerability CVE-2018-11776, which relies on the same mechanism: an expression supplied in the URI is evaluated and translated into code execution. Even more similar is CVE-2021-26084, which also compromised Atlassian systems. Based on the released PoCs, exploiting this vulnerability requires the threat actor to send an HTTP POST request containing a specially crafted query string value that carries the commands to be injected and executed on the vulnerable host.
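Because the expression travels in the request URI, the web server's access log is the first place a defender should look for attempts. The following Python script is an added example, not code from the original post or from Atlassian: it parses constructed Combined Log Format lines, percent-decodes the URI repeatedly, and flags any request whose path or query contains the `${` expression-open marker that this class of injection relies on. The log lines are constructed samples rather than real captured traffic, and the placeholder text inside the marker is not a working payload.

```python
"""Scan web access logs for URI-borne expression-injection attempts.

Added example, not code from the original post. Assumes Combined Log
Format lines; the sample lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Expression-open marker used by OGNL-style injection in the URI.
MARKER = "${"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded markers are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(uri: str) -> bool:
    """True when the raw or decoded URI carries the expression-open marker."""
    return MARKER in uri or MARKER in fully_decode(uri)


def scan(lines):
    """Return (ip, method, status, decoded_uri) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        uri = m.group("uri")
        if is_suspicious(uri):
            hits.append((m.group("ip"), m.group("method"),
                         m.group("status"), fully_decode(uri)))
    return hits


# Constructed sample log; the text inside the marker is a placeholder,
# not an expression that does anything.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2022:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 4123',
    '203.0.113.5 - - [03/Jun/2022:10:15:03 +0000] "GET /%24%7BCONSTRUCTED%7D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jun/2022:10:15:04 +0000] "FOO /%2524%257BCONSTRUCTED%257D/ HTTP/1.1" 302 0',
    '192.0.2.44 - - [03/Jun/2022:10:15:05 +0000] "POST /index.action?q=${CONSTRUCTED} HTTP/1.1" 200 77',
    'garbage line that must not crash the scanner',
]

if __name__ == "__main__":
    for ip, method, status, uri in scan(SAMPLE_LOG):
        print(f"{ip:15} {method:5} {status} {uri}")
```

To use it on a real host, replace SAMPLE_LOG with the lines of the exported access log. The decode loop matters: a single `unquote` would miss the double-encoded request, and the regex deliberately accepts any method token so that invalid methods, which the PoCs show also work, are not filtered out before inspection.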
For mitigation and prevention, Atlassian's first recommendations were very broad. Atlassian released a patch for this issue on June 3rd. Note that organizations using Atlassian Cloud, which is accessible via atlassian.net, are unaffected by this vulnerability.
The gravity of this vulnerability is obvious from the mitigations offered before the patch; the suggested generic mitigation techniques included:
Restricting Confluence Server and Data Center instances from the internet.
Disabling Confluence Server and Data Center instances.
Applying YARA rules that will help prevent this type of attack, although they may also produce a high percentage of false positives.
If a patch is unavailable or the vulnerable systems cannot be updated, it is highly advisable to contact the vendors of the front-facing security products (IPS/IDS) to see whether they offer a solution.
One of the most common attack flows using this vulnerability combines Cobalt Strike and Meterpreter. Threat actors use these tools while checking OS versions and accessing the /etc/passwd and /etc/shadow files for credentials; look for the suspicious process trees that result from this type of activity.
Atlassian has provided a patch for the following versions and strongly advises updating them as soon as possible:
Because Confluence servers are attractive targets for initial access into a corporate network, devices should be updated immediately, mitigated, or taken offline. Otherwise, the exposure will ultimately lead to more significant attacks, including ransomware deployment and data theft. Given that the technical details of this exploit are already known and publicized, if you have not yet patched the vulnerability in your Confluence Server or Data Center instances, make the updates immediately. If you are unable to patch your servers immediately, use the provided mitigation techniques for Confluence versions 7.0.0 through 7.18.0.
Server hardening can also serve as mitigation. Verify that Confluence Server runs as a non-privileged user, and that the server operating system is fully patched and has been restarted so that it is running a kernel without known vulnerabilities. Similarly, deploying an EDR agent can be very helpful in detecting or preventing exploitation and any subsequent privilege escalation.
Tenable also includes this critical vulnerability in its CVE list.
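The two host-side checks above, the suspicious process trees under the Confluence process from the Cobalt Strike/Meterpreter paragraph and the non-privileged user check from the hardening paragraph, can be scripted together. The following Python script is an added example, not code from the original post, Volexity, or Atlassian. It works on a constructed snapshot of process records; the assumption that the Confluence JVM can be recognised by the string "confluence" in its command line, the install paths, and the user names are all placeholders, and on a live host the same fields come from `ps -eo pid,ppid,user,comm,args`.

```python
"""Flag suspicious process trees under the Confluence JVM and check its user.

Added example, not code from the original post. Works on a constructed
snapshot of (pid, ppid, user, comm, cmdline) records; on a live host the
same fields come from `ps -eo pid,ppid,user,comm,args`.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm cmdline")

# Children a web application server has no business spawning.
SHELLS = {"sh", "bash", "dash", "zsh"}
RECON = {"id", "uname", "whoami", "cat", "curl", "wget"}
CREDENTIAL_FILES = ("/etc/passwd", "/etc/shadow")


def is_confluence_java(p):
    """Assumption: the Confluence JVM mentions 'confluence' on its command line."""
    return p.comm == "java" and "confluence" in p.cmdline.lower()


def lineage(procs, pid):
    """Return [process, parent, grandparent, ...] up to the root, cycle-safe."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def suspicious_chains(procs):
    """(reason, [comm, parent comm, ...]) for each suspect descendant of the JVM."""
    findings = []
    for p in procs:
        chain = lineage(procs, p.pid)
        if not any(is_confluence_java(a) for a in chain[1:]):
            continue  # not a descendant of the Confluence JVM
        reasons = []
        if p.comm in SHELLS:
            reasons.append("shell spawned under web application")
        if p.comm in RECON:
            reasons.append("recon/download utility")
        if any(f in p.cmdline for f in CREDENTIAL_FILES):
            reasons.append("credential file access")
        if reasons:
            findings.append(("; ".join(reasons), [a.comm for a in chain]))
    return findings


def confluence_running_as_root(procs):
    """PIDs of Confluence JVMs running as root (hardening check: should be empty)."""
    return [p.pid for p in procs if is_confluence_java(p) and p.user == "root"]


# Constructed snapshot; paths and users are placeholders, not a real host.
SNAPSHOT = [
    Proc(1, 0, "root", "systemd", "/sbin/init"),
    Proc(1200, 1, "confluence", "java",
         "/opt/confluence-example/jre/bin/java -Dconfluence.home=/var/confluence-example"),
    Proc(1350, 1200, "confluence", "sh", "sh -c id"),
    Proc(1351, 1350, "confluence", "id", "id"),
    Proc(1360, 1200, "confluence", "sh", "sh -c cat /etc/passwd"),
    Proc(1361, 1360, "confluence", "cat", "cat /etc/passwd"),
    Proc(1400, 1, "root", "sshd", "/usr/sbin/sshd -D"),
    Proc(1401, 1400, "admin", "bash", "-bash"),
    Proc(1402, 1401, "admin", "cat", "cat /etc/passwd"),  # admin at a terminal, not under the JVM
]

if __name__ == "__main__":
    for reason, chain in suspicious_chains(SNAPSHOT):
        print(f"{reason}: {' <- '.join(chain)}")
    print("Confluence JVMs running as root:", confluence_running_as_root(SNAPSHOT))
```

The same `cat /etc/passwd` is reported when it descends from the JVM and ignored when an administrator runs it from an SSH session, which is the point of checking lineage rather than command names alone. A shell child of the JVM is a triage lead rather than proof of compromise, since some plugins legitimately spawn processes, so the output is meant to be reviewed alongside the web-log evidence.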
Aside from these reliable sources, multiple PoC exploit scripts for this vulnerability have been published on GitHub. Use these scripts with caution: attackers may publish fake PoCs to infect researchers, organizations, and the curious.
In this blog post, we discussed the newly discovered Atlassian Confluence zero-day RCE vulnerability, a critical flaw in Atlassian Confluence Server and Data Center that has recently been exploited. We discussed the seriousness of the vulnerability and provided some mitigation techniques shared by Atlassian.
We hope you found this article useful. Please do not forget to patch your Confluence servers and keep your environments safe. Also, check out our Vulnerability Management services to stay secure!