As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.

"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep \[them\] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.

"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."

**Silver Lining**

But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less \[attacker\] dwell time," he said.

Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.

There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame dwell time used to be that they had access for about seven days, and that's coming down to four to five days now. That speed means it's getting harder to monetize" and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're \[also\] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with \[mostly\] no risk of repercussions for the bad guys."

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. There's nothing harder to respond to; something that's public, the hacker is vocal and making claims. And a company can't dispute them \[at first\] because they have to figure out the answers first. Those are terrible situations."  

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."

**Googling Mandiant**

Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.

"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.  

"If there's ever a deepfake or false-flag operation, it will be a human that will \[spot it\]," Mandian said.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

Through the Wire is a proof of concept exploit for CVE-2022-26134, an OGNL injection vulnerability affecting Atlassian Confluence Server and Data Center versions 7.13.6 LTS and below and versions 7.18.0 "Latest" and below. This was originally a zero-day exploited in-the-wild.

Through The Wire CVE-2022-26134 Confluence Proof Of Concept

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.

Researchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a blog post published last week.

The researchers tracked the activity to a public exploit for the vulnerability, CVE-2022-26134, that’s been spreading rapidly, and subsequently reported the flaw to Atlassian. As observed by Volexity researchers, what’s being described as an “OGNL injection vulnerability” appears to allow for a Java Server Page (JSP) webshell to be written into a publicly accessible web directory on Confluence software.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” researchers wrote. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

Atlassian released a security advisory the same day that Volexity went public with the flaw, warning customers that all supported version of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) to issue a warning of its own about the flaw.

A day later, Atlassian released an update that fixes the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it’s also strongly recommending that customers update as soon as they can. If that’s not possible, the company provided in the advisory what it stressed is a “temporary” workaround for the flaw by updating a list of specific files that correspond to specific versions of the product.

**Threat Escalation**

In the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already throttling the vulnerability. Many versions of the affected products also remain unpatched, which also creates a dangerous situation.

“CVE-2022-26134 is about as bad as it gets,” observed Naveen Sunkavalley, chief architect of security firm Horizon3.ai, in an email to Threatpost.  Key issues are that the vulnerability is quite easy both to find and exploit, with the latter possible using a single HTTP GET request, he said.

Moreover, the public exploits recently released that allow attackers to use the flaw to enable arbitrary command execution and take over the host  against a number of Confluence versions—including the latest unpatched version, 7.18.0, according to tests that Horion3.ai has conducted, Sunkavaley said.

Indeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. On Saturday, Andrew Morris, the CEO of cybersecurity firm GreyNoise tweeted that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities. On Monday, Morris tweeted again that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.

****Potential for a SolarWinds 2.0?****

Sunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.

“Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,” Sunkavalley said.

What’s more, the vulnerability is a source-code issue, and attacks at this level “are some of the most effective and long reaching attacks on the IT ecosystem,” observed Garret Grajek,  CEO of security firm YouAttest.

The now-infamous Solarwinds supply-chain attack that started in December 2020 and extended well into 2021 was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.

“By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,” Grajek said.

For this reason, it’s “imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,” he asserted.

Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

We take a look at the upcoming Microsoft Autopatch feature to help make updates a breeze for network admins.
The post Microsoft Autopatch is here…but can you use it? appeared first on Malwarebytes Labs.

Updating endpoints on a network can be a daunting task. Testing before rollout can take time. Delays to patches going live can cause all manner of headaches. Windows Autopatch aims to tackle some of these issues, and is now live for public preview. The release comes with a few caveats which you’ll want to keep in mind.

**Fixing a patchy experience**

First announced in April and slated for general release come July, Windows Autopatch is designed to free stressed sysadmins from some of the heavy lifting around updates. Billed as a managed service available to (some) users of Microsoft products, the software giant had this to say about it:

> The development of Autopatch is a response to the evolving nature of technology. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end. Business needs change in response to market shifts.
> 
> This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. For organizations who select this option, the second Tuesday of every month will be ‘just another Tuesday’.

This automated patching setup is complemented by four so-called “testing rings”. This is a way to divide up all of an organisation’s devices in a manner which allows for efficient testing and updating. The smallest ring is the initial “test ring”, which has an unspecified minimum number of devices. It’s followed by the “first”, “fast”, and “broad” rings which comprise 1%, 9% and 90% of devices under management respectively.

Assuming all is well after a validation period in one of the rings, the updates filter out to the next ring for more testing. All the while, performance is monitored to ensure everything works at least as well as it did pre-update.

The result, according to Microsoft, is a “rollout cadence that balances speed and efficiency, optimising product uptime”.

**But not without caveats**

It would be unrealistic to think all networks and devices can simply switch on this new service. Indeed, there’s quite a list of requirements before you can get anywhere near this process. There’s no hardware requirements, though you can’t use it in conjunction with a “bring your own device” (BYOB) policy.

From Microsoft’s blog:

**Intune only**:

*   Azure Active Directory (Azure AD)
*   Microsoft Intune
*   Windows 10/11 supported versions

**Co-management**:

*   Hybrid Azure AD-Joined or Azure AD-joined only
*   Microsoft Intune
*   Configuration Manager, version 2010 or later
*   Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune (min Pilot Intune)
*   Co-management workloads

**What are the licensing requirements for Windows Autopatch?**

*   Windows 10/11 Enterprise E3 and up
*   Azure AD Premium (for co-management)
*   Microsoft Intune (includes Configuration Manager, version 2010 or greater via co-management)

**Not a magic fix for everything**

Patching is incredibly important to the well-being of your network and devices. However, as useful as Autopatch will no doubt be, it can’t fix everything. Sometimes vulnerabilities occur like the Follina zero-day, and there’s no patch forthcoming. When this happens, you need workarounds and mitigations, and defence in depth.

Security tools and smart security practises by device users are two of the additional ways to keep compromise at bay until updates are released. If you’ve been waiting on Microsoft Autopatch since it was first announced, stay tuned to upcoming Microsoft announcements. Just keep those caveats, and your security setup, in mind should you go and make the leap.

Microsoft Autopatch is here…but can you use it?

User data related to at least 500,000 Android accounts at risk

User data related to at least 500,000 Android accounts at risk

A chained, zero-day exploit could potentially expose all user data in the backend of the companion mobile application for a popular smart weight scale, security researchers have claimed.

Bogdan Tiron, managing partner at UK infosec firm Fortbridge, discovered five vulnerabilities in the Yunmai Smart Scale app, three of which he said could be combined to take over accounts and access user details such as name, gender, age, height, family relationship, and profile photo.

As of May 12, China-based IoT product vendor Zhuhai Yunmai Technology had apparently implemented a fix for only one of the flaws – and even then, Tiron said he managed to bypass the patch.

The flaws were discovered during a penetration test of the Yunmai Android and iOS apps.

**Tipping the scales**

The Yunmai Smart Scale and app allows users to record and track their weight, body-mass index (BMI), body fat percentage, visceral fat, and various other health indicators.

The Android application alone has been downloaded more than 500,000 times.

The chained exploit first involves abusing a enumeration flaw by brute-forcing s into leaking parent uid (‘’) account values. values are then used to add child (‘family member’) accounts to registered parent accounts, made possible by the API’s failure to perform authorization checks.

Catch up on the latest IoT security news

Finally, when the family account is created the corresponding ‘’ and ‘’ are leaked and could be leveraged by attackers “to impersonate the ‘family member’ accounts, switch between the accounts of the family members, and query all their data”, according to a blog post penned by Tiron.

A fourth flaw, meanwhile, means attackers could take over any user account because the Android ‘password reset’ function fails to properly invalidate previously generated ‘forgot password’ tokens when a user requests a new ‘forgot password’ token (the function did not work at all on the iOS app).

“As a result, an attacker can request multiple tokens to be sent to the victim’s email, in order to increase his chances of guessing that code and changing the victim’s password,” said Tiron.

The fifth and final flaw saw the researcher bypass a limit of 16 family members per primary account, as the limit is enforced client-side but not server-side.

**Partial patch**

Tiron disclosed the flaws during September and October 2021. Yunmai’s support team responded to the initial disclosure, but the development team still has not replied, with Fortbridge last emailing them directly on May 18.

Tiron published his findings on May 30.

“To the best of my knowledge none of the findings have been fixed,” the researcher told The Daily Swig. “Last time I have checked on 12th of May, all findings were still unpatched.”

The researcher said he successfully circumvented the sole observed fix, for the ‘forgot password’ issue.

“Unfortunately, Yunmai users are exposed to these issues and there’s nothing they can do to protect themselves at the application level, because these are all issues with the backend API and only Yunmai developers can fix them,” Tiron continued.

“IoT devices have gained a bad reputation in terms of security in the last couple of years and it’s sad to see that things have not improved. We would have expected that Yunmai did at least a pen test before releasing this product or at least that they would have been more responsive when we reached out to them.”

We have invited Zhuhai Yunmai Technology to comment on these findings and will update the article if and when they reply.

As previously reported by The Daily Swig, Fortbridge research has last year included the discovery of serious remote code execution (RCE) vulnerabilities in popular open source content management systems (CMS’) Concrete and Joomla, as well as in web hosting platform cPanel & WHM.

YOU MIGHT ALSO LIKE Horde Webmail contains zero-day RCE bug with no patch on the horizon

Unpatched bug chain poses ‘mass account takeover’ threat to Yunmai weight monitoring app

China suspected in assaults against enterprises running collaboration platform

John Leyden 06 June 2022 at 12:53 UTC

China suspected in assaults against enterprises running collaboration platform

Confluence Server and Data Center users are being urged to update their systems in response to a remote code execution (RCE) vulnerability that’s the target of active attacks in the wild.

The vulnerability (tracked as CVE-2022-26134) opens the door for even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed.

Users are urged to apply patches published by Atlassian, the software developer behind Confluence, on Friday (June 3). Enterprises unable to patch should apply the recommended workarounds, as explained in an advisory by Atlassian.

**CISA warning**

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising US federal agencies to block internet traffic to Confluence Server and Data Center installs and apply Atlassian’s patch or else remove affected instances by the close of business on Monday, June 6.

Attacks against the vulnerability on internet-facing Atlassian Confluence servers have been logged by threat response specialists at both Volexity and Rapid7’s Managed Detection and Response (MDR) team.

Catch up with the latest cyber-attack news and analysis

Volexity reports that attacks began last week on what was at the time a zero-day vulnerability in Atlassian Confluence Server. The RCE vulnerability was used to deploy an in-memory Java-based web server implant, known as ‘Behinder’, in an attempt to evade detection.

“Once Behinder was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell,” Volexity explains in a technical blog post.

The tools and technique behind the attack have allow Volexity threat researcher Paul Rascagnères to identify China as the most likely suspect.

Confluence is a popular web-based collaboration software platform. The Daily Swig asked Volexity to offer an estimate on the number of vulnerable internet-facing Confluence servers as well as speculating on the end goal of the attacks.

No word back, as yet, but we’ll update this story as and when more information comes to hand.

DON’T MISS Researcher goes public with WordPress CSP bypass hack

Incoming! Atlassian Confluence attacks prompt calls for rapid patching

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.
Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 — another security flaw the Australian software company patched in August 2021.
Both relate to a case of

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.

Tracked as **CVE-2022-26134**, the issue is similar to **CVE-2021-26084** — another security flaw the Australian software company patched in August 2021.

Both relate to a case of Object-Graph Navigation Language (OGNL) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.

The newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -

*   7.4.17
*   7.13.7
*   7.14.3
*   7.15.2
*   7.16.4
*   7.17.4
*   7.18.1

According to stats from internet asset discovery platform Censys, there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with most instances located in the U.S., China, Germany, Russia, and France.

Evidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.

"The targeted industries/verticals are quite widespread," Steven Adair, founder and president of Volexity, said in a series of tweets. "This is a free-for-all where the exploitation seems coordinated."

"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this vulnerability.

**Vulnerability Details**

The vulnerability, CVE-2022-26134, is reportedly associated with command injection. An attacker could exploit this vulnerability to execute remote code and, per reports, is being actively exploited in the wild. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as webshells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.

The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations.

**Mitigations**

Atlassian has released a set of patches to mitigate the vulnerability. Enterprises are encouraged to test and apply the patch immediately to mitigate the ongoing attacks, patched versions include: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Additionally, they have provided a series of steps to be performed to help mitigate the risk if the patches cannot be applied for any reason.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2022-26134:

**SIDs: 59925-59934**

Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation

An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization's network as a prelude to, say, a ransomware attack.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has "contacted all potentially vulnerable customers directly to notify them of the fix."

**Zero-Day Atlassian Confluence Attacks**

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that's often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that's been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it's likely that the activity is more widespread. "Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China," researchers said.

**How to Prevent Confluence Compromise**

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It's also important to uncover signs of any compromise, given that an infection can persist beyond patching.

"The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched," notes Satnam Narang, senior staff research engineer at Tenable. "We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances."

However, "these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities," Volexity pointed out.

Volexity researchers offered the following advice:

*   Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
*   Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
*   Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)

If past is prologue, it's good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

"While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence," Narang tells Dark Reading. "We strongly encourage organizations to review their mitigation options until patches are available."

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process," he tells Dark Reading. "When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

**_This post was updated at 4:45 ET to reflect that the bug is no longer unpatched._**

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

A vulnerability in Atlassian Confluence was found by performing an incident response investigation on a compromised server. The vulnerability is not yet patched.
The post Unpatched Atlassian Confluence vulnerability is actively exploited appeared first on Malwarebytes Labs.

Researchers found a vulnerability in Atlassian Confluence by conducting an incident response investigation. Atlassian rates the severity level of this vulnerability as critical.

Atlassian has issued a security advisory and is working on a fix for the affected products. This qualifies the vulnerability as an actively exploited in the wild zero-day vulnerability.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-26134.

**Confluence**

Atlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.

Confluence Server is the on-premises version which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.

**The vulnerability**

The description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.

During the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.

It became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.

After the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.

**The attack**

The researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.

A web shell is a a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

This web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface  and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web only served as a means of secondary access.

On further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.

Research showed that the web server process as well as the child processes created by the exploit were all running as root (with full privileges) user and group. These types of vulnerabilities are dangerous, as it allows attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.

After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike.

**Mitigation**

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:

*   Restricting access to Confluence Server and Data Center instances from the internet.
*   Disabling Confluence Server and Data Center instances.
*   If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.

_Note: **${** is the first part of a parameter substitution in a shell script_

**Affected versions**

All supported versions of Confluence Server and Data Center are affected. And according to Atlassian it’s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.

One important exception: if you access your Confluence site via an atlassian.net domain. This means it is hosted by Atlassian and is not vulnerable.

We will keep you posted about the developments, so stay tuned.

Tag

#zero_day