A critical zero-day vulnerability (CVE-2022-26134) in Atlassian Confluence Data Center and Server is under active exploitation to install web shells, and no fix is available at this time. Users of the popular enterprise collaboration product are advised to either temporarily restrict access to Confluence Server and Data Center instances from the internet, or to disable them completely.
Atlassian says that they confirmed the vulnerability in Confluence Server 7.18.0 and believe that Confluence Server and Data Center 7.4.0 and higher are also vulnerable.
The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its Known Exploited Vulnerabilities Catalog and is requiring federal agencies to block all internet traffic to Confluence servers by today, June 3rd.
About CVE-2022-26134
The flaw was reported to Atlassian on May 31 by cybersecurity firm Volexity, which explained that the vulnerability can be exploited by unauthenticated attackers to achieve remote code execution. During an incident response investigation, Volexity found two internet-facing web servers running Atlassian Confluence Server software compromised via a JSP variant of the China Chopper web shell.
In the breach analyzed by Volexity, the threat actors installed BEHINDER, a JSP web shell that allows them to execute commands on the compromised server remotely.
“BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out,” threat researchers Andrew Case, Sean Koessel, Steven Adair, and Thomas Lancaster explained.
Volexity has released a list of IP addresses behind the attacks and Yara rules to identify web shell activity on Confluence servers.
Mitigation and Detection
“Atlassian is working with the highest priority to issue a fix,” the company said in its security advisory. “We expect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours (estimated time, by EOD June 3 PDT).”
They also noted that Confluence sites hosted by Atlassian are not vulnerable and there is currently no evidence of exploitation of Atlassian Cloud. When the fix is ready, users are advised to implement it as soon as possible.
Atlassian says at this point: “If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ may reduce your risk.”
Hunt Query:
Sourcetype == WAF && (URL Contains '${' OR URI Contains '${')
Linux Hunt:
grep -F '${' <install directory>/logs/*.log
Special Thanks: faisalusuf
Windows Hunt:
findstr /s /i /l /c:"noop.jsp" "C:\Program Files\Atlassian\Confluence\logs\*.log"
findstr /s /i /l /c:"${" "<install directory>\logs\*.log"
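As an added example (not code from the article, Atlassian or Volexity), the following script applies the same ${ hunt to access-log lines, but URL-decodes each request target first so that encoded forms such as %24%7B are not missed by a plain string search; it also flags requests for the noop.jsp web shell name used in the Windows hunt above. The log lines, client IPs and the ${test} placeholder are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.23 - - [03/Jun/2022:10:02:45 +0000] "GET /${test}/ HTTP/1.1" 302 0
198.51.100.23 - - [03/Jun/2022:10:02:46 +0000] "GET /%24%7Btest%7D/ HTTP/1.1" 302 0
203.0.113.9 - - [03/Jun/2022:10:05:01 +0000] "POST /noop.jsp HTTP/1.1" 200 17
10.0.0.8 - - [03/Jun/2022:10:06:30 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8800
"""

# Extracts the request line: method, target (path plus query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Web shell file name taken from the article's Windows hunt command.
WEBSHELL_NAMES = ("noop.jsp",)

def decode_fully(target, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2524%257B) still resolves."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def hunt(log_text):
    """Return (client_ip, reason, raw_target) for every suspicious request line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        client_ip = line.split(" ", 1)[0]
        raw_target = m.group("target")
        decoded = decode_fully(raw_target)
        path = decoded.split("?", 1)[0]
        if "${" in decoded:
            findings.append((client_ip, "ognl-marker", raw_target))
        elif any(path.lower().endswith(name) for name in WEBSHELL_NAMES):
            findings.append((client_ip, "webshell-name", raw_target))
    return findings

if __name__ == "__main__":
    for ip, reason, target in hunt(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

Point hunt() at the contents of the Confluence access logs rather than SAMPLE_LOG to run it against a real instance.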
Indicator Of Compromise: