On June 2, 2022, Volexity performed a coordinated disclosure of a zero-day vulnerability in Atlassian Confluence being exploited in the wild, CVE-2022-26134. Since the original disclosure and subsequent publication of various proofs of concept, Barracuda researchers have analyzed data from our installations worldwide and discovered a large number of attempts to exploit this vulnerability. The exploit attempts range from benign reconnaissance to some relatively complex attempts to infect systems with DDoS botnet malware and cryptominers. 

Barracuda researchers have seen a steady flow of attacks over time, with some spikes, notably one on June 13. The expectation is that we will continue to see a significant amount of such attempts to continue for the time being. 

 

Highlighted Threat 

Atlassian Confluence zero day — Atlassian Confluence is a tool that provides collaborative documentation. On June 2, information about what is now known as CVE-2022-26134 was publicly released. Over the next weekend, the vulnerability had been used by various threat actors in assaults, and in no-time malicious actors became aware of it. 

The vulnerability allows unauthenticated, remote attackers to create new administrative accounts, execute privileged commands, and in turn seize control of the servers. 

Exploitation attempts primarily originated from IP addresses in Russia, followed by the U.S., India, Netherlands, and Germany. As seen in previous research, the attacks seen originating from U.S. IP addresses are primarily from cloud providers. Similarly, for Germany, most attacks were from hosting providers. 

 

 

Payload examples

Let’s warm up by looking at some of the more “benign” payloads that we saw.

Example 1:

Decodes to:

This was a common attempt, which is a proof-of-concept (PoC) script taken directly from GitHub, basically attempting to run a “whoami” command on the server to see if it is actually vulnerable to the Confluence vulnerability.

Example 2:

Decodes to:

This one is running netstat – an to collect system information, possibly for reconnaissance or just to test if the host is vulnerable, similar to the cases of “whoami” and grabbing /etc/passwd.

Example 3:

Decodes to:

This is another common example, where the attacker is attempting to dump the /etc/passwd file in case it is a Linux/Unix system running Confluence. For the most part, this is a reconnaissance attempt.

Moving on to the web shells, the below is an example of an attempt to drop a web shell that was seen in our samples.

Eventually the large base64 string decodes to this web shell:

 

This web shell is almost an exact copy of a sample web shell from “The Art of Network Penetration Testing” by Royce Davis.

The next example is one of the more immediately destructive attempts to perform malicious actions.

Decodes to:

As seen here, the attacker was attempting to delete everything on the Confluence installation, including the root directory — essentially wiping out the Confluence server and causing serious chaos to the application owners.

Payloads dropping Mirai malware

We also saw a number of attempts to infect Confluence servers with malware. Threat actors are always looking for new vulnerabilities to exploit in their attempts to grow their botnets. Let’s look at a few examples of this.

Example 1:

Decodes to:

This script ares.sh shows up in various forms on the abuse.ch URLhaus database. Most of the entries are for some variant of the Mirai botnet, with some shell scripts also being hosted on the same server.

Looking at VirusTotal shows that a number of security vendors have classified this as malware, and the site is known for hosting other Mirai downloads as well.

 

Example 2:

This is another straightforward example of an attempted insertion of the Mirai DDoS malware:

Decodes to:

 

 

How to protect against these types of attacks

As noted earlier, the interest level in this vulnerability remains steady with occasional spikes, and our researchers expect to see scanning and attempts to exploit them for some time. Because interest from cybercriminals is so high, it’s important to take steps to protect your systems.

• Patching — The ideal time to patch is now, especially if the system is internet-facing in any way.
• Web application firewall —Placing a web application firewall in front of such systems will add to defense in depth against zero-day attacks and other vulnerabilities.

In part 2 of this report, we’ll take a closer look at the cryptominers that we have been seeing and dive a bit deeper into some interesting competitive behavior from one of them.