Criminal IP analysis report on zero-day vulnerability in Atlassian Confluence

According to Volexity, a webshell was discovered in Atlassian Confluence server during an incident response investigation. Volexity determined that it was a zero-day vulnerability that could execute remote code even after the latest patch was completed and reported the issue to Atlassian.

After receiving the issue report and identifying it as a zero-day, Atlassian issued a security advisory for the critical unauthenticated remote code execution.

Timeline (based on PDT)

• May 31: Volexity found zero-day vulnerability in Atlassian Confluence.
• Jun 2, 1 p.m.: Atlassian and Volexity issued a security advisory for CVE-2022-26134.
• June 3, 8 a.m.: Atlassian announced how to mitigate vulnerabilities without security patches.
• June 3, 8 p.m.: Atlassian released security updates to address vulnerabilities.

Webshell that was also used for MS Exchange Server attacks

According to Volexity, attackers could exploit CVE-2022-26134 to upload a webshell, particularly the China Chopper, a notorious security vulnerability issue that was also used during the last Microsoft Exchange Server crisis. If the hacker penetrates the server and uploads this webshell, attackers can access the server freely even if the zero-day security patch is up to date.

Webshell that was also used for MS Exchange Server attacks

Confluence servers still exposed to the Internet

Despite a zero-day attack that began during the Memorial Day, Atlassian seems to have released security patches at a rapid pace. However, the problem is that there are still many Confluence servers connected to the Internet without being patched. Like the case with the Microsoft Exchange Server issue, servers that were left unattended for months even after security patches were released are still connected to the Internet.

AI Spera used Criminal IP to determine the number of Atlassian Confluence servers connected to the Internet. In Element Analysis, using the tech_stack: “Atlassian Confluence” filter, you can view statistics on country-specific Confluence exposed.

The above Criminal IP’s search result shows that more than 5,600 Confluence servers have been installed in 70 countries on the internet. Through its another Asset Search feature, we found that these IPs were exposed to the internet defenseless with Confluence installed as follows.

Exposed Confluence server

What makes this even worse is that there are quite a few cases where these IPs are of actual companies or institutions.

Additionally, the HTML title of the corresponding Confluence server allows you to know the name of the company/organization running the server, making them a cyberattack target.

ASN of the exposed Confluence server

In fact, in the following case, Confluence of an American medical school is found on the internet, and even worse, all the information is all open without login authentication.

The exposed Confluence of the U.S. Medical School

VPN, a key cyber attack method

According to the IOC released by Volexity, 15 IPs interacting with webshells on Confluence server were found after the first case of Confluence attack. After analyzing these with Criminal IP, the following five are identified as using VPN services. These days, attackers carrying out zero-day or APT attacks tend to use VPN rather than IPs with a high malicious index. This leads to a new security trend in which companies must detect VPNs for inbound IP, as more attackers are expected to use VPNs to leave no trace when they pass through pre-penetrated servers.

Below are the IPs tagged as VPN on Criminal IP. One Tor IP is also detected.

156.146.56.136 VPN
198.147.22.148 VPN
59.163.248.170 VPN
64.64.228.239 VPN
66.115.182.102 VPN
66.115.182.111 VPN
156.146.34.9 Tor

One of the 15 Confluence zero-day exploit cases released by Volexity is detected as a VPN on Criminal IP.

How to Check for Vulnerabilities

If you have access to Confluence through a browser on your PC, you can run the following command with a curl or python script to determine vulnerabilities of your Confluence server. Even if you are not an information security officer, there is a way to check vulnerabilities of your company’s Confluence. Try the following and request your security department for patches:

https://your_confluence_address/${(#result=
@org.apache.commons.io.IOUtils@toString(@java.lang.
Runtime@getRuntime().exec(“id”).getInputStream(),”
utf-8″)).(@com.opensymphony.webwork.ServletAction
Context@getResponse().setHeader(“X-Cmd-Response”,
#result))}/

If you change the part of your_confluence_address, you can check it with curl as follows. If the uid, gid, and group of the Confluence server are displayed in the X-Cmd-Response header value, this server is considered to have CVE-2022-26134 vulnerability.

curl -v -k –head https://your_confluence_address/
%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%
40toString%28%40java.lang.Runtime%40getRuntime%28%
29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf
-8%22%29%29.%28%40com.opensymphony.webwork.Servlet
ActionContext%40getResponse%28%29.setHeader%28%22X-
Cmd-Response%22%2C%23a%29%29%7D/ | grep X-Cmd-Response

Conclusion

On June 3rd, 2022, Atlassian released a patch for CVE-2022-26134. However, some organizations may feel burdened by shutting down servers for security updates as Confluence is a wiki system used by many people to share important information. In this case, Atlassian is also suggesting a manual solution for security issues only, so please use that method to act in accordance with Atlassian’s recommendations.

With the zero-day attack, suppliers have been actively working on appropriate security updates. However, unlike most cases, the vulnerabilities in web-based systems are easy to attack from outside as soon as zero-day occurs without complicated conditions. In addition, if the webshell backdoor is already uploaded, additional security checks must be carried out because a path has already been created for hackers to freely access the system even after performing the patch.

When such a vulnerability in remote code execution using zero-day appears, a pattern that leads to building webshell backdoor continues. Webshell attacks such as Microsoft Exchange and Confluence incidents are expected to continue in the future.

For reference, Confluence suffered from the zero-day attack last year. Confluence is a well-known system in the world, but at the same time, it is a major target of cyber-attacks. This is because it is a server where important information from companies and institutions is gathered in one place, making hackers drool. Therefore, the first thing companies or organizations that use Confluence should do is immediately block external access to their Confluence server. In addition, periodic monitoring and inspection of the attack surface should be performed to prevent such critical information management systems from being externally exposed.