Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Atlassian. Show all posts

Effluence Backdoor: A Lingering Menace in Atlassian Confluence Servers

According to current cybersecurity developments, despite intensive efforts to patch vulnerabilities in Atlassian Confluence servers, the infamous Effluence backdoor remains a persistent danger. Because of this online shell's invisibility and the possible threats it poses to companies, security experts and researchers have expressed alarm.

Effluence, a covert backdoor identified in Atlassian Confluence servers, has been a focal point in the cybersecurity community due to its ability to evade detection and persist even after patching. Reports from prominent sources like The Hacker News and OPP Today reveal that despite efforts to secure Confluence servers, the Effluence backdoor remains active, allowing unauthorized access and potential exploitation.

TS2 Space, a cybersecurity platform, sheds light on the clandestine nature of the Effluence backdoor, emphasizing its stealthy capabilities. The backdoor's ability to operate without authentication makes it a formidable threat, enabling hackers to infiltrate systems undetected. This characteristic poses a significant challenge for organizations relying on Atlassian Confluence for collaborative work, as the backdoor can potentially compromise sensitive data and lead to severe security breaches.

Aon Cyber Labs has been at the forefront of efforts to detect and mitigate the Effluence backdoor. Their insights into unauthenticated Confluence web shell attacks provide valuable information for organizations looking to fortify their cybersecurity defenses. The challenge lies not only in patching known vulnerabilities but also in actively identifying and eliminating instances of the Effluence backdoor that may have already infiltrated systems.

Concerns have been raised by cybersecurity specialists regarding a possible link between ransomware attacks and Effluence. Effluence poses increased threats, since hackers may use it as a doorway to spread ransomware and extort businesses for money. This rise in risks emphasizes how urgent it is for businesses to take comprehensive and quick action against the Effluence backdoor.

The Effluence backdoor's continued existence is a sobering reminder of the difficulties businesses confront in protecting their digital infrastructure as the cybersecurity scene changes. Proactive patching, ongoing monitoring, and strong detection methods are just a few of the many strategies needed to combat this danger. Preventing possible breaches is crucial for preserving the security and integrity of organizational data in an era where cyber threats are growing more complex.


Critical Flaw in Atlassian's Confluence Server Allows Hackers to Run Commands


According to experts, a severe flaw in Atlassian's Confluence corporate server program that permits malicious commands and resets servers is actively exploited by threat actors in cyber attacks that install ransomware.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, said on Mastodon on Sunday, "Widespread exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has begun, posing a risk of significant data loss."  He continued, "So far, the attacking IPs all include Ukraine in their target."

He referred to a page that showed three separate IP addresses that began exploiting the major vulnerability, which allows attackers to restore a database and execute malicious commands, between 12 a.m. and 8 a.m. Sunday UTC (about 5 p.m. Saturday to 1 a.m. Sunday Pacific Time). The IPs have now discontinued the attacks, but he believes the exploits are still active.

It just takes one request

The DFIR Report posted screenshots of data collected while witnessing the attacks. One revealed a demand from the C3RB3R ransomware organization.

Meanwhile, security firms Rapid7 and Tenable confirmed that attacks began over the weekend as well.

Business researchers Daniel Lydon and Conor Quinn  said "As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing Atlassian Confluence exploitation in multiple customer environments, including for ransomware deployment." They continued "We have confirmed that at least some of the exploits target CVE-2023-22518, a Confluence Data Center and Confluence Server improper authorization vulnerability."

The discovery 

Rapid7 discovered exploits that were basically the same across different situations, indicating "mass exploitation" of on-premises Confluence servers. "In various exploit chains, Rapid7 saw post-exploitation command execution for downloading a malicious payload located at 193.43.72[.]11 and/or 193.176.179[.]41, which, if effective, resulted in single-system Cerber ransomware installation on the exploited Confluence server."

CVE-2023-22518 is known for a vulnerability in wrong authorization that can be abused on Internet-facing Confluence servers via tailored requests to setup-restore endpoints. Atlassian's cloud infrastructure does not affect Confluence accounts. Atlassian exposed the flaw in a blog post last Tuesday. Atlassian Chief Information Security Officer Bala Sathiamurthy cautioned in it that the flaw can end in "critical data loss if exploited" and that "users must take action right away to secure their cases."

What next?

Atlassian updated the post on Thursday to say that many reports released in the interim days offered "critical information about the vulnerability, which raises the possibility of exploitation." The update seemed to be connected to blogs like this one, which provided the findings of an analysis that contrasted the susceptible and fixed versions in order to pinpoint technical information. Another possible source was a Mastodon post:

“Just one request is all it takes to reset the server and gain admin access,” the post said in a video showing how the exploit works.

Atlassian updated the page again on Friday, stating that active exploitation was occurring. "Customers must take immediate action to protect their instances," said the statement.

Threat groups are likely racing to capitalize on the vulnerability before targets patch it now that word has spread that attacks are simple and effective. Any organization that has an on-premises Confluence server that is accessible to the Internet should fix quickly, and if that isn't possible, remove it from the Internet temporarily. Another riskier solution would be to turn off the following endpoints:

For nearly a week, Atlassian's senior management has practically begged affected customers to fix. Vulnerable organizations dismiss suggestions at their own risk.

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”

Atlassian Bitbucket: Vulnerability Spotted Inside Data Center

Bitbucket Server and Data Center users are being alerted by Atlassian about a major security vulnerability that may allow attackers to run arbitrary code on weak systems.

The most updated vulnerability that involves command injection affects several software product API endpoints and is identified as CVE-2022-36804. Given that it has a CVSS severity score of 9.9 out of a possible 10.0,  it can be concluded that the vulnerability is critical and needs to be fixed immediately.

According to an advisory from Atlassian, "A hacker with access to a public Bitbucket repository or with r permissions to a private one can execute arbitrary code by sending a malicious HTTP request."

Bitbucket is a Git-based code hosting service connected with Jira and a part of the business' DevOps solution. Bitbucket offers both free and paid options and supports an infinite number of private repositories.

All Bitbucket versions issued after 6.10.17 are impacted, thus "all instances that are operating any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," according to Atlassian, which also alleges that the flaw was introduced in version 7.0.0 of Bitbucket.

Atlassian advises disabling public repositories using 'feature.public.access=false' as a temporary solution in situations where the patches cannot be applied immediately to stop unauthorized users from taking advantage of the problem.

It warned that "this can not be regarded a complete mitigation as an attacker with a user account could still succeed,", implying that hackers who already have legitimate credentials obtained through other ways could take advantage of it. 

It is advised that users of the affected software versions update as soon as possible to the most recent version in order to reduce security risks.

Max Garrett, a security researcher, disclosed CVE-2022-36804 to Atlassian via the company's bug bounty program on Bugcrowd and was rewarded with $6,000 for his discovery.

The teenage researcher tweeted yesterday that he will publish a proof-of-concept (PoC) attack for the problem in 30 days, allowing system administrators plenty of time to implement the now available remedies.

There is no guarantee that the significant RCE weakness won't be actively exploited more frequently before the PoC is released, but it is inevitable. Reverse engineering Atlassian's patch, according to Garrett, shouldn't be too challenging for knowledgeable hackers.

The motivation is there because remote code execution is the most dangerous type of vulnerability, allowing attackers to cause significant harm while evading all security protocols.

As a result, users of Bitbucket Server and Data Center are urged to install any security updates or mitigations as soon as they become available.


Zero-day Exploitable Bug in Atlassian Confluence

 

Researchers are alerting the public that an important Atlassian Confluence vulnerability that was published last week is currently being aggressively exploited. 

Researchers claim that Confluence Server 7.18.0 is affected by the significant unauthorized, remote code execution vulnerability CVE-2022-26134, and they believe that both Confluence Server and Data Center versions 7.4.0 are at risk.

Atlassian advises clients to disable access to their servers using one of two methods because there are no updates available:
  • Preventing access to the internet for Confluence Server and Data Center instances.
  • Confluence Server and Data Center instances can be disabled.
The hard-coded details were published on Twitter after the real-world exploitation, which prompted the Australian software business to give it the top priority in its patching schedule.

It's important to remember that the flaw only manifests itself when the Questions for Confluence app is turned on. However, since the created account is not automatically deleted after the Questions for Confluence program has been uninstalled, doing so does not fix the problem.

Federal organizations must stop all internet access to Confluence servers by June 3. The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its 'Known Exploited Vulnerabilities Catalog' and ordered federal entities to comply.

The development also occurs in the wake of Palo Alto Networks' discovery that threat actors begin looking for weak endpoints within 15 minutes following the public announcement of a new security defect in its 2022 Unit 42 Incident Response Report.



CVE-2021-26084: Critical Atlassian Confluence Flaw Exploited in the Wild

Atlassian has confirmed that malicious actors are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134, designed to install web shells with no fix available at this time. 

Atlassian released a security advisory in which it has stated that CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability that is compromising Confluence Server (7.18.0 ) and Data Center(7.4.0). 

It said that all versions of Atlassian's corporate Wiki system, Confluence are hit by a serious bug under active exploitation. Experts indicate a possibility of Chinese threat actors being behind the attack. 

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company. 

As of now, there are no patches available for this vulnerability, thus Atlassian suggested its customers make their servers inaccessible by following these steps  restricting Confluence Server and Data Center instances from the internet and Disabling Confluence Server and Data Center instances.

The attack was reported by security firm Volexity, the company announced the availability of the security fixes for supported versions of Confluence within 24 hours (estimated time, by EOD June 3 PDT). It has been further noted that organizations that are using Atlassian Cloud (accessible via atlassian.net) are safe from this vulnerability. 

“After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. This is an ever-popular web server implant with source code available on GitHub. BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike…” reads the analysis published by Volexity.

“… As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out. Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell.”

Recently Patched Confluence Vulnerability Abused in the Wild

 

A significant vulnerability in Confluence's team collaboration server software is on the edge of exploitation after the company released the patch a week ago. 

Threat actors were found abusing the major vulnerability tracked as CVE-2021-26084 which affects Confluence Server and Confluence Data Center software, which is often installed on Confluence self-hosted project management, wiki, and team communication platforms. 

The vulnerability is hidden in OGNL (Object-Graph Navigation Language), a basic scripting language for interfacing with Java code, which is the fundamental technology used to build most Confluence software. 

When Atlassian released the fix on August 25, the firm that owns the Confluence software family, stated the vulnerability could be used by threat actors to circumvent authentication and implant malicious OGNL instructions that allow attackers to take control of the system. 

As an outcome, the vulnerability received a severity rating of 9.8 out of 10, indicating that it could be exploited remotely over the internet and building a weaponized exploit would be relatively simple.

Exploitation begins a week after fixes are released

Attackers and professional bug bounty hunters are investigating Confluence systems for functionalities vulnerable to CVE-2021-26084 exploits, according to Vietnamese security researcher Tuan Anh Nguyen, who stated on Tuesday that widespread scans for Confluence servers are already ongoing. 

Soon after the issue was discovered in the open, two security researchers, Rahul Maini and Harsh Jaiswal released a detailed explanation of the flaw on GitHub, along with various proof-of-concept payloads. Maini explained the procedure of creating the CVE-2021-26084 attack as “relatively simpler than expected,” thus proving the bug's high severity level of 9.8. 

Confluence is a widely used team collaboration software among some of the world's top businesses, and the CVE-2021-26084 vulnerability is highly effective from a threat actor's standpoint, criminal gangs are anticipated to increase their assaults in the next few days. 

As Confluence flaws have previously been widely weaponized, a similar exploitation strategy is probable this time. 

Atlassian states that Confluence is used by over 60,000 clients, including Audi, Hubspot, NASA, LinkedIn, Twilio, and Docker, according to its website.

Atlassian Patched Vulnerabilities in its Domains

 

On Wednesday 23rd of June, cyber-security experts uncovered key vulnerabilities in the Atlassian project and software development platform that might have been exploited to take over the account and control certain apps connected via its single sign-on (SSO) capabilities. 

The vulnerabilities are due to Atlassian using SSO to ensure the uninterrupted navigation of the above-mentioned domains, thereby attempting to create a possible attack scenario involving the use of XSS and CSRF to inject malicious code into the portal and leveraging a session fixation error in the event of a valid user session. Though these vulnerabilities have been patched. 

On January 08, 2021, the Australian company delivered a patch for its upgrades, after Atlassian was notified of the problem. The issues in the sub-domains include – 
jira.atlassian.com 
confluence.atlassian.com 
getsupport.atlassian.com 
partners.atlassian.com 
developer.atlassian.com 
support.atlassian.com 
training.atlassian.com 

"With just one click, an attacker could have used the flaws to get access to Atlassian's to publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket, and on-premise products," Check Point Research stated. 

The appropriate exploitation of such vulnerabilities could escalate to an attack through a supply chain where the attacker can take over an account, take illegal measures on behalf of the victim, modify pages of Confluence, access Jira tickets, and even inject malicious implants to perpetrate further attacks. 

In other words, an attacker can deceive a user by clicking an Atlassian link that has been created to carry out a malicious payload, which can be utilized by the wrong player to log into the victim's account and gain confidential information. 

Moreover, the attacker can regulate a Bitbucket account with a Jira account by opening a Jira ticket that is incorporated with a malicious link to a rogue site which, when clicking on a message autogenerated by an e-mail, can be used to remove the credentials, essentially give them the authorization to access or modify the source code, make the repository publicly accessible or even insert the backdoors. 

"Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization's workflow," said Oded Vanunu, head of products vulnerabilities research at Check Point. "An incredible amount of supply chain information flows through these applications, as well as engineering and project management."