9 Nov 2023
Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) observed the use of novel malware, dubbed “Effluence,” in combination with the exploit of a recent Atlassian Confluence vulnerability. Once implanted, the malware acts as a persistent backdoor and is not remediated by applying patches to Confluence. The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence. The malware is difficult to detect and organizations with Confluence servers are advised to investigate thoroughly, even if a patch was applied.
Stroz Friedberg was engaged to help a client perform diligence after they discovered an Atlassian Confluence Data Center server near the edge of their network that was vulnerable to CVE-2023-22515 (CVSS score: 10.0). This vulnerability allows an attacker to gain unauthorized access to the administrative areas of a Confluence server.
In this specific client engagement, the cybercriminal gained initial access via the previously mentioned vulnerability and embedded a novel web shell into the Confluence server which allowed them persistent access to every web page on the server without the need for a valid user account.
The web shell encountered during Stroz Friedberg’s investigation hijacks the underlying Apache Tomcat web server and silently inserts itself between Confluence and Tomcat, making itself available on every web page, including the unauthenticated login page. The web shell does not make any changes to the web pages and allows requests to pass through it unnoticed until a request matches specific parameters.
When triggered, the web shell can execute any of the following functions (which closely align with those of a Godzilla web shell plugin):
Create a new administrator account to gain full control over the system.
Purge application logs to erase traces of unauthorized access.
Run any command on the host server.
Browse through the file system to inspect the structure and contents of directories.
Delete any file on the server.
Modify the timestamps of files to hide when they were last edited.
Read the contents of any file.
Edit any file, enabling the alteration of data or system settings.
Enumerate all Confluence collaboration spaces, capturing details such as space name, date of creation, title, creator, recent modifiers, modification dates, and their respective URLs.
Conceal unauthorized plugin uploads by misrepresenting them as official System Plugins rather than User Plugins.
Extract detailed LDAP configurations, including various identifiers, statuses, encryption settings, descriptions, types, classes, creation and update dates, permissible operations, and custom LDAP attributes specified within Confluence.
Acquire comprehensive information on configured mail servers, including names, protocols, host details, ports, login credentials, descriptions, and proxy configurations.
Collect environmental variables from the server, which may reveal system configuration and sensitive information.
Compile extensive user information such as usernames, full names, email addresses, the encryption status of credentials, actual user credentials, contact numbers, instant messaging handles, job titles, departments, locations, login frequency, account statuses, group memberships, and associated directory IDs.
Deploy additional plugins that could offer more features or vulnerabilities to exploit.
Remove users from Confluence.
Search and retrieve specific content from within Confluence pages, potentially accessing confidential or proprietary information.
Change user passwords, allowing for unauthorized access to user accounts.
Log usernames and passwords utilized during login attempts, which could be used for further unauthorized access to systems and data.
Stroz Friedberg has not thoroughly tested to what extent this novel malware is applicable to other Atlassian products. Several of the web shell functions depend on Confluence-specific APIs. However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, BitBucket, or other Atlassian products where an attacker can install the plugin.
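One way to hunt for the plugin-concealment behavior described above (a user-uploaded plugin presenting itself as a System Plugin) is to compare the plugin inventory Confluence reports with the plugins actually shipped in the installation. The following Python is an added example, not code from the report or from Stroz Friedberg; it assumes the Universal Plugin Manager REST API (`/rest/plugins/1.0/`) returns a `plugins` array with a `userInstalled` flag, and that bundled plugins live as JARs under `confluence/WEB-INF/atlassian-bundled-plugins/`, each carrying an `atlassian-plugin.xml` with a `key` attribute. The sample data is constructed.

```python
import json
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path


def bundled_plugin_keys(bundled_dir: str) -> set[str]:
    """Collect plugin keys from atlassian-plugin.xml inside each bundled JAR.

    Assumed layout: <install>/confluence/WEB-INF/atlassian-bundled-plugins/*.jar
    A missing directory simply yields an empty set.
    """
    keys: set[str] = set()
    for jar in Path(bundled_dir).glob("*.jar"):
        with zipfile.ZipFile(jar) as zf:
            if "atlassian-plugin.xml" in zf.namelist():
                root = ET.fromstring(zf.read("atlassian-plugin.xml"))
                key = root.get("key")
                if key:
                    keys.add(key)
    return keys


def suspicious_system_plugins(upm_json: str, bundled_keys: set[str]) -> list[str]:
    """Return keys of plugins that UPM reports as system plugins
    (userInstalled == false) but that are not among the bundled JARs.

    Such a plugin did not ship with Confluence yet claims to be a System
    Plugin, which is the concealment technique described in the report.
    """
    plugins = json.loads(upm_json).get("plugins", [])
    return sorted(
        p["key"]
        for p in plugins
        if not p.get("userInstalled", True) and p["key"] not in bundled_keys
    )


# Constructed sample inventory (not real plugin keys or real data).
SAMPLE_UPM = json.dumps({"plugins": [
    {"key": "com.atlassian.example.bundled-plugin", "userInstalled": False, "enabled": True},
    {"key": "com.example.hypothetical.masquerading-plugin", "userInstalled": False, "enabled": True},
    {"key": "com.example.customer-theme", "userInstalled": True, "enabled": True},
]})
SAMPLE_BUNDLED = {"com.atlassian.example.bundled-plugin"}

if __name__ == "__main__":
    # In a real review, replace SAMPLE_BUNDLED with bundled_plugin_keys(<path>)
    # and SAMPLE_UPM with the JSON fetched from /rest/plugins/1.0/.
    print(suspicious_system_plugins(SAMPLE_UPM, SAMPLE_BUNDLED))
```

A plugin can also reuse a legitimate bundled key, so a negative result here is not a clean bill of health; pairing the key comparison with hashes of the installed JARs against a known-good installation gives a stronger check.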
A list of Atlassian products is available at Products | Atlassian.