A critical zero-day vulnerability (CVE-2022-26134) in #atlassian #Confluence Data Center and Server is under active exploitation; attackers are using it to install web shells.
🤔 What do you need to know: The vulnerability has been detected in the wild by Volexity, which means attackers are actively exploiting it.
☹️ All supported versions of #Confluence Server and Data Center are affected (these are on-premise)
US government's CISA urges administrators "to block all internet traffic to and from those devices until an update is available and successfully applied."
Atlassian-hosted instances of Confluence are not affected.
🙌 What You Need to Do: Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.
Note: If you run Confluence in a cluster, you will not be able to upgrade to the fixed versions without downtime, also known as a rolling upgrade. Follow the steps in Upgrading Confluence Data Center.
Technical Details: 🤔
In the breach analyzed by Volexity, threat actors installed BEHINDER, a JSP web shell that allows threat actors to execute commands on the compromised server remotely.
“BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out,” threat researchers Andrew Case, Sean Koessel, Steven Adair, and Thomas Lancaster explained.
Hunt Query:🤓
Sourcetype == WAF && URL Contains '${' OR URI Contains '${'
Linux Hunt:
<install directory>/logs/*.log
grep '\${' <install directory>/logs/*.log
Special Thanks: faisalusuf
Windows Hunt:
findstr /i /c:"noop.jsp" "C:\Program Files\Atlassian\Confluence\logs\*.log"
findstr /i /l /c:"${" "<install directory>\logs\*.log"
🧐 Indicator Of Compromise:
Volexity founder Steven Adair added the advice below regarding this vulnerability:
It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.
Everyone's setup may be different but Confluence largely only has these JSP files:
./admin/findspaceattachments.jsp
./admin/cluster/hashclustername.jsp
./admin/default.jsp
./classpath.jsp
./errors/notfound.jsp
./500page.jsp
./errors.jsp
./noop.jsp
Look for files not listed.
Check for files on disk not listed and in access logs with 200 responses. Further, check if any of these files have been modified. In particular noop.jsp is popular and it's usually around 103 bytes.
Sean Koessel also noted, in multiple cases, to look for ".java" files in the ./confluence/org/apache/jsp/ directory that should not be there. You may find a webshell or backdoor here as well from a .jsp file that was deleted already.
Examining the catalina*.out files #Confluence creates is also a potentially great source. It may log unrelated vuln scans, but a number of cases of webshell writes or command execution have been logged here. E.g. look for "RealCMD" or ".jsp" and evaluate what you see.
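The hunt queries above and Steven Adair's JSP inventory advice can be combined into one small log-triage script. The following is an added example, not code from the post or from Volexity: it parses Tomcat-style access log lines, flags requests whose URI carries the "${" OGNL marker (raw or percent-encoded), flags 200 responses to .jsp paths outside the stock list quoted above (with the "./" prefix normalised to "/"), and checks noop.jsp against the ~103-byte size the post mentions. The sample log lines are constructed and use documentation-range IPs.

```python
import re
from urllib.parse import unquote

# JSP files a stock Confluence install ships with, as listed in the post above
# ("./" prefix normalised to "/" so entries compare directly against request URIs).
KNOWN_JSP = {
    "/admin/findspaceattachments.jsp", "/admin/cluster/hashclustername.jsp",
    "/admin/default.jsp", "/classpath.jsp", "/errors/notfound.jsp",
    "/500page.jsp", "/errors.jsp", "/noop.jsp",
}
NOOP_EXPECTED_SIZE = 103  # bytes; the post notes noop.jsp is usually around this size

# Tomcat AccessLogValve common format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, decoded_uri, status) or None for a line that is not an access log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so a percent-encoded "%24%7B" is caught the same way as a raw "${".
    return m.group("ip"), unquote(m.group("uri")), int(m.group("status"))

def ognl_requests(lines):
    """Requests whose URI carries the '${' marker the WAF and grep hunts look for."""
    return [r for r in map(parse, lines) if r and "${" in r[1]]

def unexpected_jsp_hits(lines):
    """Requests for .jsp paths that answered 200 but are not on the stock list."""
    out = []
    for r in filter(None, map(parse, lines)):
        path = r[1].split("?", 1)[0]
        if path.endswith(".jsp") and r[2] == 200 and path not in KNOWN_JSP:
            out.append(r)
    return out

def noop_looks_modified(size_bytes, tolerance=10):
    """A noop.jsp far from ~103 bytes has probably been overwritten."""
    return abs(size_bytes - NOOP_EXPECTED_SIZE) > tolerance

# Constructed sample lines (not from any real incident; IPs from 192.0.2.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 4321',
    '192.0.2.20 - - [02/Jun/2022:10:15:07 +0000] "GET /%24%7Bconstructed%7D/ HTTP/1.1" 302 0',
    '192.0.2.20 - - [02/Jun/2022:10:16:30 +0000] "GET /noop.jsp HTTP/1.1" 200 103',
    '192.0.2.20 - - [02/Jun/2022:10:16:41 +0000] "POST /unlisted.jsp HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in ognl_requests(SAMPLE_LOG) + unexpected_jsp_hits(SAMPLE_LOG):
        print("suspicious:", hit)
```

Point it at the real access logs under <install directory>/logs and pair the JSP findings with an on-disk listing, since a shell written and later deleted may survive only as the .java file in ./confluence/org/apache/jsp/ that the post describes.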
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
#confluence