Security Bulletin - Active Exploitation of Zero Day Present in Atlassian Confluence

Published Date: 07/06/2022

Purpose

The purpose of this alert is to bring attention a CRITICAL vulnerability present in Atlassian Confluence implementations, known as CVE-2022-26134. Exploitation of this vulnerability results in unauthenticated Remote Code Execution (RCE) and escalated privileges. Active exploitation of this vulnerability is occurring in the wild.

Details

On 2 June 2022, Atlassian issued a notification describing a critical vulnerability known as CVE-2022-26134 present in Atlassian Confluence Server and Data Centre. The notification indicates that this CVE is CRITICAL and that the vulnerability is under active exploitation. 

CVE-2022-26134 allows for unauthenticated Remote Code Execution (RCE) on Atlassian Confluence Server and Data Centre implementations, which can result in malicious code being executed without the requirement for authentication. 

This vulnerability grants Threat Actors the ability to install malicious software and webshells or perform other malicious actions. 

It is understood that the vulnerability is present in the following versions of Atlassian Confluence and Data Centre:

• All supported versions of Confluence Server and Data Centre are affected.
• Confluence Server and Data Centre versions after 1.3.0 are affected.

The Triskele Labs CTI team advises that Proof-of-Concept (POC) code to exploit this vulnerability is not yet publicly available however active exploitation has been observed in the wild by Volexity researchers at the following location:
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ 

Volexity discovered the zero day during an incident response and notes the use of post exploitation tools such as China Chopper and Behinder after successful exploitation. 

Triskele Labs CTI notes that the use of such tools indicates a possible Advanced Persistent Threat Actor of Chinese speaking origin.

Mitigation Actions

• Triskele Labs advises installing the patch to mitigate this vulnerability immediately. Fixed versions of Confluence and more information can be found at: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
• For further protection, Triskele Labs advises that Confluence servers should not be exposed to the internet where possible, and should not be running with root privileges.

Detection Capability

Managed Detection and Response are monitoring for suspicious activity. 

Deployed SIEM and EDR agents on servers and endpoints will aid in detecting a threat actor successfully accessing an environment and commencing reconnaissance.

References

References used for the generation of this release: 

• https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

• https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
• https://github.com/rebeyond/Behinder
• https://github.com/lukaszbb/apt-analysis/blob/master/reports_txt/2013/fireeye-china-chopper-report.txt