Lucene search

K
thnThe Hacker NewsTHN:28E19599F22A64F86B1E4B10C194664D
HistoryNov 10, 2023 - 8:58 a.m.

Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers

2023-11-1008:58:00
The Hacker News
thehackernews.com
81
effluence
atlassian confluence
security flaw
backdoor
remote access
exploitation
cve-2023-22515
cve-2023-22518
web shell
persistence
lateral movement
exfiltration
stealthy
unauthenticated
rogue administrator
confidentiality
integrity
availability
remote access
api

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.955 High

EPSS

Percentile

99.2%

Atlassian Confluence Servers

Cybersecurity researchers have discovered a stealthy backdoor named Effluence that’s deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

β€œThe malware acts as a persistent backdoor and is not remediated by applying patches to Confluence,” Aon’s Stroz Friedberg Incident Response Services said in an analysis published earlier this week.

β€œThe backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence.”

Cybersecurity

The attack chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS score: 10.0), a critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.

Atlassian has since disclosed a second flaw known as CVE-2023-22518 (CVSS score: 10.0) that an attacker can also take advantage of to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability.

What makes the latest attack stand out is that the adversary gained initial access via CVE-2023-22515 and embedded a novel web shell that grants persistent remote access to every web page on the server, including the unauthenticated login page, without the need for a valid user account.

The web shell, made up of a loader and payload, is passive, allowing requests to pass through it unnoticed until a request matching a specific parameter is provided, at which point it triggers its malicious behavior by executing a series of actions.

This comprises creating a new admin account, purging logs to cover up the forensic trail, running arbitrary commands on the underlying server, enumerating, reading, and deleting files, and compiling extensive information about the Atlassian environment.

Cybersecurity

The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload.

β€œSeveral of the web shell functions depend on Confluence-specific APIs,” security researcher Zachary Reichert said.

β€œHowever, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin.”

Found this article interesting? Follow us on Twitter ο‚™ and LinkedIn to read more exclusive content we post.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.955 High

EPSS

Percentile

99.2%