Exploitation of a critical vulnerability in Confluence Server and Data Center allowed malicious actors to gain full remote access to unpatched servers.
The critical vulnerability (CVE-2022-26134) in Atlassian products was first reported by researchers at the cybersecurity firm Volexity. Atlassian is an Australian software giant providing collaboration and development products for developers and managers.
The company has released an advisory on mitigating the vulnerability. At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog and required US federal agencies to block internet traffic to Confluence servers on their networks.
“We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence,” reads Atlassian’s advisory.
Researchers at Volexity noticed something suspicious after detecting JSP web shells being written to disk on two internet-facing web servers belonging to their clients.
“After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution,” researchers wrote.
The vulnerability allowed attackers to gain unauthenticated remote code execution (RCE) on the servers. Unauthenticated RCE is particularly dangerous because it lets threat actors take full control of a vulnerable system without any credentials.
According to the researchers, once inside the Confluence Server, attackers deployed an in-memory copy of the BEHINDER implant, which lets them execute commands without writing additional files to disk.
With BEHINDER in place, attackers used it to deploy the CHINA CHOPPER web shell and a simple file upload tool as backups for maintaining access to the compromised server.
After analyzing attacker network traffic and IP addresses, researchers concluded that multiple threat actors from China were actively exploiting the vulnerability.
“By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks. Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities,” researchers wrote.
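Because the intrusions above left JSP web shells on disk while the primary BEHINDER implant lived only in memory, one practical first response check is to hunt the Confluence install directory for JSP files that were modified after deployment or that contain command-execution code. The script below is an added example written for this article, not Volexity's or Atlassian's tooling; the directory layout and the two sample JSP files it creates are constructed for the demonstration, and the indicator patterns are generic markers for JSP web shells rather than signatures of any specific implant. It will not find a memory-resident implant such as BEHINDER; for that you need process memory capture or network detection, which is exactly the gap the researchers describe.

```python
"""Hunt for JSP web shells written to disk under a Confluence install.

Added example, not code from Volexity or Atlassian. The install root is
passed in by the caller; the markers below are generic JSP web-shell
indicators (command execution, dynamic class loading, parameter-driven
file writes), not a signature for BEHINDER or CHINA CHOPPER specifically.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# (name, regex) pairs. A vendor-shipped Confluence JSP essentially never
# shells out or loads classes at runtime; CHINA CHOPPER style shells and
# simple upload tools do.
SUSPICIOUS_MARKERS = [
    ("runtime_exec", re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec")),
    ("process_builder", re.compile(r"new\s+ProcessBuilder")),
    ("define_class", re.compile(r"defineClass\s*\(")),
    ("class_forname", re.compile(r"Class\s*\.\s*forName\s*\(")),
    ("param_file_write", re.compile(r"FileOutputStream\s*\(.*request\s*\.\s*getParameter", re.S)),
]


def scan_jsp(path: Path) -> list[str]:
    """Return the marker names that match the content of one JSP file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in SUSPICIOUS_MARKERS if rx.search(text)]


def find_webshells(root: str, newer_than_days: float = 30) -> list[dict]:
    """Walk root for .jsp/.jspx files and report any that are recently
    modified or contain an execution marker. Recent modification alone is
    worth reporting: shipped JSPs should not change after install, so a
    fresh mtime is a lead even when the content looks harmless."""
    cutoff = time.time() - newer_than_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            p = Path(dirpath) / name
            markers = scan_jsp(p)
            recent = p.stat().st_mtime > cutoff
            if markers or recent:
                hits.append({"path": str(p), "markers": markers, "recently_modified": recent})
    return hits


def build_fixture() -> str:
    """Constructed sample tree (not real Confluence files): one vendor-style
    JSP with an old mtime and one freshly dropped shell-like JSP."""
    root = tempfile.mkdtemp(prefix="confluence-demo-")
    benign = Path(root) / "confluence" / "pages" / "viewpage.jsp"
    benign.parent.mkdir(parents=True)
    benign.write_text('<%@ page contentType="text/html" %>\n<html><body>${page.title}</body></html>\n')
    old = time.time() - 400 * 86400
    os.utime(benign, (old, old))  # pretend it was installed over a year ago
    shell = Path(root) / "confluence" / "noop.jsp"
    shell.write_text(
        '<%@ page import="java.io.*" %>\n'
        '<% String c = request.getParameter("cmd");\n'
        '   if (c != null) { Runtime.getRuntime().exec(c); } %>\n'
    )
    return root


def demo() -> list[dict]:
    """Run the hunt over the constructed fixture and return the findings."""
    root = build_fixture()
    return sorted(find_webshells(root), key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real server, run it against the Confluence install directory (and the data directory, since uploaded attachments can be written there too), compare any hit against the checksums of a clean installer of the same version, and treat matches as a trigger for memory and network collection rather than as the whole investigation.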