Atlassian’s recent Confluence Critical Flaw exploits
Identified at the end of August, the vulnerability CVE-2021-26084 qualified as critical, had been corrected. That hasn’t stopped hackers from actively exploiting it.
Hackers began exploiting a critical remote code execution vulnerability in two Atlassian solutions: Confluence Server and Data Center. Problem: this one had been recently fixed. The first solution is a collaborative platform written in Java cut with the function of workspaces and project management that organizations can run locally on their own servers. On the other hand, Data Center is a more feature-rich version of Confluence supporting things like team calendars, analytics, more advanced permissions management, content delivery network support, and more. . The attacks carried out allow the deployment of cryptocurrency mining malware. Bad Packets Honeypots have detected mass analysis and exploitation activity targeting the Atlassian Confluence RCE CVE-2021-26084 vulnerability from hosts in Russia, Hong Kong, Brazil, Nepal, Poland, Romania, Estonia, the United States and Italy, ”the threat intelligence firm Bad Packets told our colleague CSO. “Several proofs of concept have been published publicly demonstrating how to exploit this vulnerability.”
According to Atlassian, CVE-2021-26084 is related to an OGNL (object-graph) injection issue that allows authenticated, and in some cases unauthenticated, users to execute arbitrary code on servers running versions affected products. The OGNL navigation language is an open source expression language for getting and setting the properties of Java objects. The vulnerability affects all Atlassian Confluence and Data Center versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0 which were released on August 25 for the still supported branches of the software. However the publisher recommends upgrading to the latest version in the 7.13.x branch if possible, which has long term support. Manually executable patch scripts on Linux or Windows hosts have also been provided as a temporary workaround for users who cannot perform a full upgrade.
A web shell coupled with the backdoor
According to the publisher’s bulletin, the vulnerability was reported through its bug bounty program by a researcher named Benny Jacob (SnowyOwl). Since then, other researchers have analyzed the patch and written detailed bug reports, along with PoC exploits. Additionally, the vendor claims that the issue can be exploited by unauthenticated users in some cases. As with all malicious code injection vulnerabilities, attackers can include command lines (bash) executed on the operating system. Confluence code uses an isSafeExpression method to evaluate OGNL expressions for malicious hard-coded properties and methods. But as with most blacklist-based approaches, attackers and researchers can usually find a way around them, which was also the case here. Cryptocurrency miners employed in remote code execution vulnerabilities provide an easy way for attackers to directly monetize their access to underlying servers. However, such access can also be used to deploy more stealthy backdoors which can then be used for lateral movement within corporate networks if the affected web servers are not properly isolated from the rest of the network.
In 2019, security and incident response firm FireEye released a report on attacks by a China-based hacker group identified as APT41 who exploited a previous Atlassian Confluence (CVE- 2019-3396) to compromise a web server at a US-based research university. APT41 is a spy-and-extortion-focused cybergang that has a habit of arming newly disclosed vulnerabilities within days of their public disclosure. In this attack, this cybergang exploited the Confluence vulnerability to deploy a web shell and a backdoor program. Bad Packets told CSO that they have not observed attacks against Confluence specifically in the past, but have seen attacks exploiting vulnerabilities in other Atlassian products, including Crowd (RCE CVE-2019- 11580), Jira SSRF (CVE-2019-8451) and UID (CVE-2020-36289).