Cybersecurity researchers have found a stealthy backdoor named Effluence that is deployed following the profitable exploitation of a lately disclosed safety flaw in Atlassian Confluence Knowledge Heart and Server.
“The malware acts as a persistent backdoor and isn’t remediated by making use of patches to Confluence,” Aon’s Stroz Friedberg Incident Response Companies mentioned in an evaluation printed earlier this week.
“The backdoor supplies functionality for lateral motion to different community assets along with exfiltration of information from Confluence. Importantly, attackers can entry the backdoor remotely with out authenticating to Confluence.”
The assault chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS rating: 10.0), a essential bug in Atlassian that could possibly be abused to create unauthorized Confluence administrator accounts and entry Confluence servers.
Atlassian has since disclosed a second flaw often called CVE-2023-22518 (CVSS rating: 10.0) that an attacker also can reap the benefits of to arrange a rogue administrator account, leading to a whole lack of confidentiality, integrity, and availability.
What makes the newest assault stand out is that the adversary gained preliminary entry by way of CVE-2023-22515 and embedded a novel net shell that grants persistent distant entry to each net web page on the server, together with the unauthenticated login web page, with out the necessity for a legitimate consumer account.
The online shell, made up of a loader and payload, is passive, permitting requests to go via it unnoticed till a request matching a selected parameter is supplied, at which level it triggers its malicious conduct by executing a collection of actions.
This includes creating a brand new admin account, purging logs to cowl up the forensic path, operating arbitrary instructions on the underlying server, enumerating, studying, and deleting information, and compiling in depth details about the Atlassian setting.
The loader element, per Aon, acts as a standard Confluence plugin and is chargeable for decrypting and launching the payload.
“A number of of the net shell features depend upon Confluence-specific APIs,” safety researcher Zachary Reichert mentioned.
“Nonetheless, the plugin and the loader mechanism seem to rely solely on widespread Atlassian APIs and are doubtlessly relevant to JIRA, Bitbucket, or different Atlassian merchandise the place an attacker can set up the plugin.”