Researchers have found a new malware strain exploiting Atlassian Confluence vulnerabilities. Identified as Effluence, the malware is a backdoor that chains a known vulnerability with a newly reported security flaw affecting Atlassian Confluence servers. Once the backdoor is deployed, patching the vulnerabilities does not remove it, so affected users must remain vigilant.
Effluence Backdoor Exploits Atlassian Confluence Vulnerabilities
According to a recent post from Aon’s Stroz Friedberg Incident Response Services, a new malware is actively exploiting two separate Atlassian Confluence vulnerabilities, chaining them to target vulnerable servers.
As explained, the researchers found the new malware exploiting the recently discovered vulnerability CVE-2023-22518 to gain access to vulnerable systems. They detected the malware while analyzing a known-vulnerable Atlassian Confluence Data Center server on a client’s network.
The recently discovered vulnerability is a critical-severity flaw that allows the creation of rogue admin accounts, leading to a loss of confidentiality, integrity, and availability.
Once deployed, the malware, identified as “Effluence”, serves as a backdoor that spreads laterally on the target network and steals data from Confluence.
However, to achieve this goal, the malware also exploits a previously known vulnerability, CVE-2023-22515.
As the researchers observed, the malware reaches the target system and embeds a novel web shell that hooks the underlying Apache Tomcat web server, positioning itself between Tomcat and Confluence. The web shell is therefore reachable from every web page, including unauthenticated pages, yet it stays under the radar because it does not alter the pages’ normal behaviour.
It passes ordinary requests through unchanged and triggers its malicious functionality only when it encounters a specific request.
Explaining the web shell, the post reads:
The web shell is split into two parts, a loader and payload. The loader acts as a normal Confluence plugin but utilizes a modified legitimate Java collections class, similar to IdentityHashMap, to hide its malicious payload. The loader is triggered via an overloaded equals() method, which decrypts the payload into a byte array containing a Java class, then loads that class via reflection—hence the raw Java class is never written to the filesystem. Once the payload is loaded, it runs a function which hides the plugin among Confluence “System Apps”, whereas a user loaded plugin would normally be among “User-Installed Apps”.
Next, it creates rogue admin accounts, removes users, executes arbitrary commands, reads/writes/deletes files, uploads unauthorized plugins, uninstalls plugins, extracts information, purges app logs, and meddles with user passwords to allow unauthorized access to user accounts.
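The loader described above ships as a Confluence plugin, which means its JAR sits on disk even though the decrypted payload class never does. A Java compiler records every method and class a plugin references as CONSTANT_Utf8 strings in the class file’s constant pool, so a defender can triage installed plugin JARs for classes that combine an equals() method with in-memory class definition or decryption APIs. The following Python script is an added example written for this article; it is not code from the Aon post or from Atlassian. The indicator list and the sample JAR are constructed for illustration, and the detection is a heuristic for triage rather than a signature for Effluence.

```python
"""Triage heuristic: scan a plugin JAR for classes whose constant pool
references both an equals() method and in-memory class loading or
decryption APIs, the combination described for the Effluence loader.
"""
import io
import struct
import zipfile

# Constant-pool tag -> size of its fixed payload in bytes (Utf8 is variable).
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Constructed indicator list (an assumption, not a published signature).
LOADER_INDICATORS = ("defineClass", "javax/crypto/Cipher",
                     "java/lang/reflect/Method", "getDeclaredMethod")


def constant_pool_utf8(class_bytes: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]
    pos, idx, strings = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack_from(">H", class_bytes, pos)[0]
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _CP_FIXED:
            pos += _CP_FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return strings


def classify(strings: list[str]) -> tuple[bool, list[str]]:
    """Flag a class that overrides equals() and touches a loader indicator."""
    hits = [ind for ind in LOADER_INDICATORS if ind in strings]
    return ("equals" in strings and bool(hits)), hits


def scan_jar(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious .class entry in the JAR to the indicators it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            try:
                strings = constant_pool_utf8(jar.read(name))
            except (ValueError, struct.error):
                continue  # malformed entry: skip rather than abort the scan
            suspicious, hits = classify(strings)
            if suspicious:
                findings[name] = hits
    return findings


# --- constructed sample data: minimal class files, not real plugin code ---
def build_class(utf8_entries: list[str]) -> bytes:
    """Build a minimal class file whose constant pool holds the given strings."""
    cp = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8_entries)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)  # major 52 = Java 8
    return header + struct.pack(">H", len(utf8_entries) + 1) + cp + struct.pack(">H", 0x0021)


def build_sample_jar() -> bytes:
    """Constructed JAR with one loader-like class and one benign class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Loader.class", build_class(
            ["equals", "defineClass", "javax/crypto/Cipher", "java/lang/Object"]))
        jar.writestr("com/example/Util.class", build_class(
            ["equals", "hashCode", "java/util/HashMap"]))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        print(f"{entry}: {', '.join(hits)}")
```

Run it against each JAR under the Confluence plugin installation directory; any hit is a starting point for manual review, and a legitimate collections helper that merely overrides equals() without touching reflection or crypto APIs is not flagged.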
The researchers have shared a detailed technical analysis of this malware in their post.
As explained, the Effluence backdoor threatens all vulnerable Atlassian Confluence servers, and once a server is infected, patching the vulnerabilities alone will not remove the backdoor. Administrators of servers that are still unpatched but not yet compromised should therefore patch immediately, while those whose servers are already infected must take additional remediation steps to detect and remove the backdoor from their network.