[ad_1]
Cybersecurity researchers have found a stealthy backdoor named Effluence that is deployed following the profitable exploitation of a not too long ago disclosed safety flaw in Atlassian Confluence Knowledge Heart and Server.
“The malware acts as a persistent backdoor and isn’t remediated by making use of patches to Confluence,” Aon’s Stroz Friedberg Incident Response Providers stated in an evaluation printed earlier this week.
“The backdoor supplies functionality for lateral motion to different community sources along with exfiltration of knowledge from Confluence. Importantly, attackers can entry the backdoor remotely with out authenticating to Confluence.”
The assault chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS rating: 10.0), a essential bug in Atlassian that may very well be abused to create unauthorized Confluence administrator accounts and entry Confluence servers.
Atlassian has since disclosed a second flaw referred to as CVE-2023-22518 (CVSS rating: 10.0) that an attacker may reap the benefits of to arrange a rogue administrator account, leading to an entire lack of confidentiality, integrity, and availability.
What makes the most recent assault stand out is that the adversary gained preliminary entry by way of CVE-2023-22515 and embedded a novel net shell that grants persistent distant entry to each net web page on the server, together with the unauthenticated login web page, with out the necessity for a legitimate person account.
The net shell, made up of a loader and payload, is passive, permitting requests to go by means of it unnoticed till a request matching a particular parameter is supplied, at which level it triggers its malicious habits by executing a sequence of actions.
This includes creating a brand new admin account, purging logs to cowl up the forensic path, operating arbitrary instructions on the underlying server, enumerating, studying, and deleting recordsdata, and compiling in depth details about the Atlassian atmosphere.
The loader part, per Aon, acts as a traditional Confluence plugin and is accountable for decrypting and launching the payload.
“A number of of the online shell features rely upon Confluence-specific APIs,” safety researcher Zachary Reichert stated.
“Nevertheless, the plugin and the loader mechanism seem to rely solely on frequent Atlassian APIs and are probably relevant to JIRA, Bitbucket, or different Atlassian merchandise the place an attacker can set up the plugin.”
[ad_2]