FortiGuard Labs Threat Research
FortiGuard Labs Threat Research Report
Affected platforms: Atlassian’s Confluence
Impacted parties: Confluence Server or Data Center instance
Impact: An OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code
Severity level: Critical
In August 2021, Atlassian published a security advisory for a vulnerability that could enable a threat actor to run arbitrary code on unpatched Confluence Server and Data Center instances. FortiGuard Labs analyzed the situation and published the relevant information. After the advisory was released, massive scanning and public proof-of-concept exploit code appeared, and we collected a large amount of attack traffic. In this blog we analyze the payloads leveraging this vulnerability, dive into the attacks, and summarize the IOCs for these suspicious activities, which may indicate that a network has been affected by CVE-2021-26084.
In September, we observed numerous threat actors targeting this vulnerability with the goal of downloading a malicious payload that installs a backdoor or a miner in the victim's network. These threats include cryptojacking, the Setag backdoor, a fileless attack that uses PowerShell to obtain a shell without dropping a file, and the Muhstik botnet; we elaborate on each of them in this analysis.
Although the attack vectors for this vulnerability differ, all of these attacks target the parameter "queryString", as shown in the following packet capture:
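As an added example (not code from the original post), the following Python script shows one way a defender can flag requests that carry OGNL in the "queryString" parameter the attacks above all target. The marker patterns, the endpoint path and the sample requests are constructed assumptions for this example, not captures from FortiGuard's traffic, and the check deliberately inspects only the parameter named in the post; a production rule would be tuned against real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Heuristic markers of an OGNL injection attempt. These are assumptions drawn from
# the general shape of OGNL payloads, not a signature taken from the original post.
OGNL_MARKERS = [
    (r"\\u0027", "unicode-escaped single quote (breaks out of the string literal)"),
    (r"#\{|\$\{|%\{", "OGNL expression delimiter"),
    (r"@[A-Za-z_][\w.]*@", "OGNL static member reference (e.g. @java.lang.Runtime@)"),
    (r"Class\.forName|getRuntime|ProcessBuilder|getMethod", "code-execution sink"),
]


def _form_params(path, body):
    """Merge the URL query and an x-www-form-urlencoded body into name -> [values]."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def inspect_request(path, body=""):
    """Return one (reason, excerpt) tuple per marker found in any queryString value.
    An empty list means nothing suspicious was seen in that parameter."""
    hits = []
    for value in _form_params(path, body).get("queryString", []):
        for pattern, reason in OGNL_MARKERS:
            if re.search(pattern, value):
                hits.append((reason, value[:80]))
    return hits


# Constructed sample requests (not captures from the original post). The endpoint
# path is an assumption; the detector keys on the parameter, not the path.
BENIGN = ("/pages/createpage-entervariables.action",
          "queryString=hello+world&spaceKey=DOCS")
SUSPICIOUS = ("/pages/createpage-entervariables.action",
              "queryString=aaaa%5Cu0027%2B%23%7B%40java.lang.Runtime%40getRuntime%28%29"
              ".exec%28%22id%22%29%7D%2B%5Cu0027&spaceKey=DOCS")
# Same markers in a different parameter: outside the scope of this check by design.
OTHER_PARAM = ("/pages/createpage-entervariables.action",
               "title=%5Cu0027%2B%23%7Bfoo%7D&queryString=ok")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("other-param", OTHER_PARAM)):
        print(label, inspect_request(*req))
```

The markers are scored independently, so a single hit (for example only the escaped quote) is worth logging but not blocking on; the constructed suspicious request trips all four.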
After exploiting CVE-2021-26084, the attacker downloads init.sh from 86.105.195[.]120. The shell script is a crypto miner installer that performs the following tasks:
The scanning shell script tries to download a scanning tool such as Masscan or Pnscan, which can scan and survey IPv4 TCP networks to discover live hosts for further spreading. The downloader path is shown below. It also downloads a shell script that defines the specific steps of the scan: first it fetches the login brute-force tool hxx (MD5: f0551696774f66ad3485445d9e3f7214) and the account/password list ps (MD5: a43ad8a740081f0b5a89e219fe8475a3), then it scans the private subnets (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8). This lets the malware log in to more devices on the victim's intranet and spread the miner script (init.sh).
The entire workflow can be seen below.
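Added example, not part of the original analysis: a small detector for the spreading stage described above. It assumes flow records of the form (timestamp, source, destination, destination port), such as NetFlow or firewall logs, and flags a source that fans out to many distinct private-range hosts on one port within a short window, noting whether that source had first fetched something from the dropper host 86.105.195.120 listed in the IOC table. The flow data is constructed for the example.

```python
import ipaddress
from collections import defaultdict

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dropper host from the post's IOC table; everything else in this block is constructed.
DROPPER_HOSTS = {"86.105.195.120"}


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def detect_internal_sweep(flows, min_targets=50, window=60):
    """flows: time-ordered (ts, src, dst, dport) tuples.
    Raises one alert per source that reaches at least `min_targets` distinct private
    hosts on a single destination port within `window` seconds, and records whether
    the same source had contacted a known dropper host before the sweep."""
    fetched_dropper = set()
    history = defaultdict(list)      # (src, dport) -> [(ts, dst), ...] inside the window
    alerts = {}
    for ts, src, dst, dport in flows:
        if dst in DROPPER_HOSTS:
            fetched_dropper.add(src)
            continue
        if not is_private(dst):
            continue
        hist = history[(src, dport)]
        hist.append((ts, dst))
        while hist[0][0] < ts - window:   # drop records older than the window
            hist.pop(0)
        targets = {d for _, d in hist}
        if len(targets) >= min_targets and src not in alerts:
            alerts[src] = {"dport": dport, "targets": len(targets),
                           "first_ts": hist[0][0],
                           "dropper_contact": src in fetched_dropper}
    return alerts


def sample_flows():
    """Constructed telemetry: 10.0.1.5 fetches from the dropper, then sweeps 10.0.0.0/24
    on TCP/22 (the brute-force stage); 10.0.1.9 is a normal host talking to a few peers."""
    flows = [(0, "10.0.1.5", "86.105.195.120", 80)]
    flows += [(1 + i, "10.0.1.5", "10.0.0.%d" % (1 + i), 22) for i in range(60)]
    flows += [(3, "10.0.1.9", "10.0.2.10", 445), (4, "10.0.1.9", "10.0.2.11", 445),
              (5, "10.0.1.9", "10.0.2.12", 445)]
    return sorted(flows)


if __name__ == "__main__":
    print(detect_internal_sweep(sample_flows()))
```

The threshold and window are starting points; a Confluence server has little reason to open dozens of SSH or SMB sessions to distinct internal hosts in a minute, so the rule can be kept tight for that asset class.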
The following exploit traffic was observed from IP address 86.105.195.154 (AS 3164 Astimp IT Solution SRL).
Setag, also known as BillGates or Ganiw, belongs to a well-known malware family that targets servers via 1-day vulnerabilities. It mainly uses UDP/SYN/ICMP/DNS floods to conduct DDoS attacks, but it also has various commands to report its own status or control its victims. The commands for DoS attacks and for controlling victims can be seen in the following raw data:
The observed packet is from 141.98.83.139 (AS 209588 Flyservers S.A.) and the main payload is base64 encoded. The decoded data is as follows:
We can see that the payload is constructed and executed via PowerShell. The final execution sets "WindowStyle" to Hidden and "CreateNoWindow" to True to keep itself out of sight. We decoded the data in the middle and replaced {0} and {1} with "=" and "P", which yields the 2nd-layer payload data:
It defines two functions and one variable that contains the main exploit code. After converting the code in $sG, it uses VirtualAlloc to reserve a region of memory, then CreateThread to invoke the malicious code. So what exactly is $sG? After base64 decoding, we get about 570 bytes of binary data, as shown below:
To dig into this, we examine the binary in IDA. Following the first call into loc_D6, it pushes the string "ws2_32" and executes mov edx, 726774Ch; this is the hash value of the LoadLibrary function. The detailed code is as follows:
It is a Meterpreter reverse-shell shellcode that connects back to the exploit source 141.98.83[.]139 via TCP port 23733. Since the port is now closed, we only managed to capture the following packets. The entire attack process leveraged only PowerShell to decode layer by layer, used a hidden window style to hide itself, and finally created a thread to achieve the reverse shell. Not a single file is dropped during the entire attack, which is what is known as a fileless attack.
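The decode-and-resolve work described in this section, as an added example that is not the post's own code: the hash routine is the ROR13 scheme used by Metasploit's x86 block_api (the scheme that produces the 0x0726774C LoadLibraryA constant seen in IDA), the layer peeling mirrors the {0}/{1} substitution, and the stager bytes in the sample are hand-assembled for the example rather than the 570-byte blob from the attack. The candidate import list, the sample layer and the instruction-scanning heuristic are assumptions; the C2 address and port in the sample are the post's (141.98.83.139, TCP 23733).

```python
import base64
import re
import struct


def ror32(value, bits):
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(module, function):
    """ROR13 import hash as computed by Metasploit's x86 block_api: the module name is
    folded as upper-case UTF-16LE including its terminator (what the PEB stores), the
    export name as ASCII including its terminator; per byte: h = ror13(h) + byte."""
    h = 0
    for b in (module.upper() + "\x00").encode("utf-16le"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    module_part = h
    h = 0
    for b in (function + "\x00").encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return (module_part + h) & 0xFFFFFFFF


# Imports a reverse_tcp stager needs (assumed list); the table is rebuilt from names,
# so no hash constant has to be trusted from memory.
CANDIDATES = [("kernel32.dll", f) for f in ("LoadLibraryA", "VirtualAlloc", "CreateThread", "ExitProcess")]
CANDIDATES += [("ws2_32.dll", f) for f in ("WSAStartup", "WSASocketA", "connect", "recv", "closesocket")]
HASH_TABLE = {api_hash(m, f): "%s!%s" % (m, f) for m, f in CANDIDATES}


def peel_format_layer(text, fill=("=", "P")):
    """Undo the PowerShell '-f' trick: the base64 text had '=' and 'P' swapped for {0}/{1}."""
    for i, ch in enumerate(fill):
        text = text.replace("{%d}" % i, ch)
    return base64.b64decode(text).decode("utf-8")


def extract_sg(ps_text):
    """Pull the base64 blob assigned to $sG and return the raw shellcode bytes."""
    m = re.search(r"\$sG\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]", ps_text)
    if not m:
        raise ValueError("no $sG assignment found")
    return base64.b64decode(m.group(1))


def analyze_stager(sc):
    """Scan for 'push imm32' (0x68). A push followed by 'call ebp' (FF D5) is an API
    call by hash; a push of 02 00 <port> is the sockaddr_in (AF_INET, port in network
    order) and the push just before it is the IPv4 address. Heuristic, aimed at
    Metasploit-style x86 stagers only."""
    apis, c2, prev_imm = [], None, None
    i = 0
    while i < len(sc):
        if sc[i] == 0x68 and i + 5 <= len(sc):
            imm = sc[i + 1:i + 5]
            if sc[i + 5:i + 7] == b"\xff\xd5":
                h = struct.unpack("<I", imm)[0]
                apis.append(HASH_TABLE.get(h, "unknown(0x%08X)" % h))
                i += 7
                continue
            if imm[:2] == b"\x02\x00" and prev_imm is not None:
                c2 = (".".join(str(b) for b in prev_imm), struct.unpack(">H", imm[2:])[0])
            prev_imm = imm
            i += 5
            continue
        i += 1
    return {"block_api_prologue": sc[:2] == b"\xfc\xe8", "apis": apis, "c2": c2}


def build_sample_layer():
    """Constructed stand-in for the 2nd-layer payload: a few stager instructions wrapped
    the way the post describes (base64 inside PowerShell, then base64 with {0}/{1}
    placeholders). Hand-assembled for this example, not the shellcode from the post."""
    sc = b"".join([
        b"\xfc\xe8\x82\x00\x00\x00",                        # cld; call block_api
        b"\x68\x33\x32\x00\x00", b"\x68\x77\x73\x32\x5f",   # push "32\0\0"; push "ws2_"
        b"\x54",                                            # push esp -> "ws2_32"
        b"\x68" + struct.pack("<I", api_hash("kernel32.dll", "LoadLibraryA")) + b"\xff\xd5",
        b"\xb8\x90\x01\x00\x00\x29\xc4\x54\x50",            # mov eax,190h; sub esp,eax; push esp; push eax
        b"\x68" + struct.pack("<I", api_hash("ws2_32.dll", "WSAStartup")) + b"\xff\xd5",
        b"\x68\x8d\x62\x53\x8b",                            # push 141.98.83.139
        b"\x68\x02\x00\x5c\xb5",                            # push AF_INET | htons(23733)
        b"\x89\xe6",                                        # mov esi, esp
    ])
    inner = "$sG = '%s'\n" % base64.b64encode(sc).decode()
    layer = base64.b64encode(inner.encode()).decode()
    return layer.replace("=", "{0}").replace("P", "{1}")


def analyze_layer(layer_text):
    return analyze_stager(extract_sg(peel_format_layer(layer_text)))


SAMPLE_LAYER = build_sample_layer()

if __name__ == "__main__":
    print("kernel32!LoadLibraryA hash: 0x%08X" % api_hash("kernel32.dll", "LoadLibraryA"))
    print(analyze_layer(SAMPLE_LAYER))
```

Resolving the pushed constants this way is what lets an analyst read a block_api stager without a debugger: once the hashes map back to LoadLibraryA, WSAStartup, WSASocketA and connect, the sockaddr push gives the C2 directly, and the first-bytes check (FC E8) is a cheap triage signal for this shellcode family.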
By exploiting CVE-2021-26084, the attacker downloads conf2 from 149.28.85[.]17. This file deploys and executes dk86 from 188.166.137[.]241 together with the ldm script. The subsequent attack scenario was analyzed in an earlier post, but here we observed a different server IP and more attack source IPs intended to spread Muhstik's conf2.
We have been tracking this vulnerability for weeks and observing massive exploitation targeting Atlassian Confluence. Although the patch for CVE-2021-26084 has already been released, public attacks are still ongoing. In this post we detailed those attacks and illustrated how they use the payload to deliver malware. Users should upgrade their systems immediately and apply FortiGuard protection to block this threat.
For CVE-2021-26084, Fortinet has already released the IPS signature Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution to proactively protect our customers. The payloads described here are detected and blocked by FortiGuard AntiVirus.
The downloading URLs and attacker's IP addresses have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.
Value | Item
86.105.195.154 | Cryptojacking exploit source IP address
86.105.195.120 | Cryptojacking dropper hosting IP address
911e417b9bc8689a3eed828f0b39f579 | hxxp://86.105.195.120/cleanfda/init.sh, hxxp://86.105.195.120/cleanfda/newinit.sh
75259ee2db52d038efea5f939f68f122 | hxxp://86.105.195.120/cleanfda/zzh
4a7bf7f013cc2297d62627b2b78c5b0b | hxxp://86.105.195.120/cleanfda/is.sh
8cc2b831e29dc9f4832a162e9f425649 | hxxp://86.105.195.120/cleanfda/rs.sh
2.57.33.59 | Setag exploit source IP address
209.141.50.210 | Setag dropper hosting IP address
a8eb59396d698bda5840c8b73c34a03b | hxxp://209.141.50.210/syna
141.98.83.139 | Fileless attack exploit source IP address
1b8a7954b9630be2e0dd186a4fc6a32a | 2nd-layer payload data
bf8a7b199f3293852c7f2b3578e8c0ae | Binary shellcode
98.239.93.20, 87.106.194.46, 51.75.195.137, 34.247.148.227, 121.196.25.170, 221.168.37.77, 122.9.48.250, 18.182.153.49 | Muhstik exploit source IP addresses
149.28.85.17 | Conf2 dropper hosting IP address
6078c8a0c32f4e634f2952e3ebac2430 | hxxp://149.28.85.17/conf2
Learn more about Fortinet's FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.