Actively exploited Atlassian zero-day bug allows full system takeover

A critical security vulnerability in Atlassian Confluence is under active attack, opening the servers to a full system takeover, security researchers have warned.

The bug (CVE-2022-26134) is a command injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation into two zero-day attacks by Volexity, it can be exploited without the need for user credentials or interaction, simply by sending a specially crafted web request to the Confluence system.

No Atlassian Cloud sites were impacted.

Confluence is a remote work and enterprise workspace suite used for project management and collaboration across teams. As such, it hosts sensitive data about projects, specific users, and potentially partners and customers; furthermore, it tends to be integrated with other company resources, servers and systems. A successful exploit would allow attackers to suck platform data and pivot to dig deeper into an organization’s network as a prelude to, say, a ransomware attack.

“By exploiting this type of vulnerability, attackers can directly access highly sensitive systems and networks,” Volexity researchers noted.

Researchers advised administrators to immediately remove external access to their Confluence servers until patches have been applied. Meanwhile, Atlassian confirmed in its advisory that it rushed out a patch, with fixes rolling out around close of business ET on June 3.

A spokesperson told Dark Reading that the company has “directly contacted all potentially vulnerable customers to inform them of the fix”.

Zero-Day Attacks on Atlassian Confluence

During its investigation, Volexity followed the attackers' path in two cases, which was the same in both. To begin with, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the company observed that the threat actors had dropped the Behinder implant on the server, an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools most often used for lateral movement. Meterpreter allows users to retrieve various Metasploit modules (i.e. functional exploits for known bugs), while Cobalt Strike is a penetration testing tool often used by bad guys to find and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells on disk: China Chopper and a custom file upload shell. China Chopper is a tool that has been around for a decade and that allows attackers to maintain access to an infected web server using a client-side application. The client contains all the logic necessary to control the target, which makes it very easy to use.

With this basic infection setup in place, the attackers ran several commands, including ones for reconnaissance (checking the operating system, searching for password repositories); stealing information and user tables from the local Confluence database; and editing web access logs to remove evidence of exploitation, Volexity said.
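The on-disk webshells described above (China Chopper and the custom upload shell) are the part of this chain a defender can hunt for with a file scan. The following is an added example, not code from Volexity, Atlassian or Dark Reading: it walks a webapp directory, flags JSP files that reference Java primitives a webshell needs (command execution or runtime class loading) and reports a recent modification time as supporting evidence. The marker list and the 30-day window are assumptions; the sample files are constructed in a temporary directory and carry the marker only inside a JSP comment.

```python
import os
import tempfile
import time
from pathlib import Path

# Heuristic markers (assumed): Java primitives a webshell needs to run commands
# or load classes at runtime. Shipped Confluence JSPs should not reference these.
MARKERS = ("Runtime.getRuntime().exec", "ProcessBuilder", "defineClass(")


def scan_webapp(root, max_age_days=30, now=None):
    """Return [(path, reasons)] for .jsp/.jspx files under root that contain a
    marker. A recent modification time is added as a supporting reason."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in {".jsp", ".jspx"}:
            continue
        text = path.read_text(errors="replace")
        hits = [m for m in MARKERS if m in text]
        if not hits:
            continue
        reasons = ["contains " + ", ".join(hits)]
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days <= max_age_days:
            reasons.append(f"modified {age_days:.0f} days ago")
        findings.append((str(path), reasons))
    return findings


def demo():
    """Constructed sample tree: one page that looks shipped, one dropped file."""
    root = Path(tempfile.mkdtemp())
    benign = root / "pages" / "viewpage.jsp"
    benign.parent.mkdir()
    benign.write_text('<%@ page contentType="text/html" %><html>ok</html>\n')
    old = time.time() - 400 * 86400  # pretend it shipped with the install
    os.utime(benign, (old, old))
    dropped = root / "pages" / "upload.jsp"  # constructed, not a working shell
    dropped.write_text("<%-- constructed sample carrying the marker: "
                       "Runtime.getRuntime().exec --%>\n")
    return scan_webapp(root)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Treat a hit as a lead to triage against a known-good install, not as proof of compromise; the attackers in this case also edited access logs, so file evidence should be compared with a copy of the logs from before the incident window where one exists.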

To read the full story, visit Dark Reading.
