Cybersecurity researchers have found a stealthy backdoor named Effluence that is deployed following the profitable exploitation of a just lately disclosed security flaw in Atlassian Confluence Data Middle and Server.
“The malware acts as a persistent backdoor and isn’t remediated by making use of patches to Confluence,” Aon’s Stroz Friedberg Incident Response Companies stated in an evaluation revealed earlier this week.
“The backdoor gives functionality for lateral motion to different community assets along with exfiltration of knowledge from Confluence. Importantly, attackers can entry the backdoor remotely with out authenticating to Confluence.”
The assault chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS rating: 10.0), a important bug in Atlassian that may very well be abused to create unauthorized Confluence administrator accounts and entry Confluence servers.
Atlassian has since disclosed a second flaw generally known as CVE-2023-22518 (CVSS rating: 10.0) that an attacker can even benefit from to arrange a rogue administrator account, leading to an entire lack of confidentiality, integrity, and availability.
What makes the most recent assault stand out is that the adversary gained preliminary entry through CVE-2023-22515 and embedded a novel internet shell that grants persistent distant entry to each internet web page on the server, together with the unauthenticated login web page, with out the necessity for a legitimate consumer account.
The net shell, made up of a loader and payload, is passive, permitting requests to move by it unnoticed till a request matching a particular parameter is supplied, at which level it triggers its malicious conduct by executing a collection of actions.
This includes creating a brand new admin account, purging logs to cowl up the forensic path, working arbitrary instructions on the underlying server, enumerating, studying, and deleting information, and compiling intensive details about the Atlassian surroundings.
The loader part, per Aon, acts as a standard Confluence plugin and is chargeable for decrypting and launching the payload.
“A number of of the net shell capabilities depend upon Confluence-specific APIs,” security researcher Zachary Reichert stated.
“Nevertheless, the plugin and the loader mechanism seem to rely solely on frequent Atlassian APIs and are doubtlessly relevant to JIRA, Bitbucket, or different Atlassian merchandise the place an attacker can set up the plugin.”
