On June 2, 2022, Atlassian issued a security advisory for CVE-2022-26134, a critical vulnerability in Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. The vulnerability is being actively exploited in the wild, and Atlassian has released fixes for the affected versions.
Which Confluence Servers Are Affected by the CVE-2022-26134 Vulnerability?
Atlassian has confirmed that every Confluence Server and Data Center version released after 1.3.0 is affected. All supported versions of Confluence Server and Data Center are therefore vulnerable to the CVE-2022-26134 remote code execution vulnerability. The supported release lines and the affected versions on each line are:

Supported and affected Confluence Server and Data Center versions

| Release line | Affected versions (inclusive) |
|---|---|
| 7.4.x | 7.4.0 to 7.4.16 |
| 7.13.x | 7.13.0 to 7.13.6 |
| 7.14.x | 7.14.0 to 7.14.2 |
| 7.15.x | 7.15.0 to 7.15.1 |
| 7.16.x | 7.16.0 to 7.16.3 |
| 7.17.x | 7.17.0 to 7.17.3 |
| 7.18.x | 7.18.0 |

Unsupported releases newer than 1.3.0 (for example the 7.5 through 7.12 lines) are affected as well, but have no fixed release of their own.
What Is the Impact of the CVE-2022-26134 Vulnerability?
CVE-2022-26134 is an OGNL expression injection: an OGNL expression placed in the URI path of an HTTP request is evaluated server-side, which lets an unauthenticated attacker execute arbitrary code on a Confluence Server or Data Center instance with the privileges of the account running the Confluence service. Atlassian classifies the severity as critical; under Atlassian's severity definition this means exploitation is usually straightforward and is likely to result in root-level compromise of the server. Exploitation requires no credentials and no user interaction, since a single crafted HTTP request is enough.
What Should You Do?
Atlassian has released fixes for the supported and affected versions of Confluence Server and Data Center. Organizations are advised to upgrade to the latest fixed version on their release line, or to a newer release line if they run an unsupported version. Upgrading removes the vulnerability but not an implant that was deployed before the patch was applied, so instances that were reachable by attackers before the upgrade should also be reviewed for the post-exploitation indicators listed below.

Fixed versions of Atlassian Confluence Server and Data Center

| Release line | Fixed version |
|---|---|
| 7.4.x | 7.4.17 |
| 7.13.x | 7.13.7 |
| 7.14.x | 7.14.3 |
| 7.15.x | 7.15.2 |
| 7.16.x | 7.16.4 |
| 7.17.x | 7.17.4 |
| 7.18.x | 7.18.1 |
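As an added example (not Atlassian's or Picus' code), the following Python script encodes the affected and fixed ranges from the two tables above and classifies an installed version string, for instance the version shown in the Confluence page footer. The rule that any version newer than 1.3.0 is affected is Atlassian's statement quoted earlier. Two rules are this example's own assumptions: a version on a supported line that is at or above that line's fixed release is treated as patched, and a version newer than every fixed release listed here (a later 7.19 release, say) is treated as patched. Unsupported lines newer than 1.3.0 have no fixed release of their own, so the script points them at the next fixed release above them.

```python
"""Classify a Confluence Server / Data Center version against CVE-2022-26134.

Added example; not Atlassian's or Picus' code. The ranges are taken from
the affected and fixed version tables on this page.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Atlassian: every version newer than 1.3.0 is affected.
AFFECTED_SINCE: Version = (1, 3, 0)

# Supported lines as (first affected, last affected, fixed release), from the tables above.
SUPPORTED_LINES: List[Tuple[Version, Version, Version]] = [
    ((7, 4, 0), (7, 4, 16), (7, 4, 17)),
    ((7, 13, 0), (7, 13, 6), (7, 13, 7)),
    ((7, 14, 0), (7, 14, 2), (7, 14, 3)),
    ((7, 15, 0), (7, 15, 1), (7, 15, 2)),
    ((7, 16, 0), (7, 16, 3), (7, 16, 4)),
    ((7, 17, 0), (7, 17, 3), (7, 17, 4)),
    ((7, 18, 0), (7, 18, 0), (7, 18, 1)),
]
FIXED_VERSIONS: List[Version] = sorted(fixed for _, _, fixed in SUPPORTED_LINES)


def parse_version(text: str) -> Version:
    """Extract 'major.minor[.patch]' from strings such as 'Atlassian Confluence 7.13.6'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_str(v: Optional[Version]) -> Optional[str]:
    return None if v is None else ".".join(map(str, v))


def _verdict(v: Version, affected: bool, upgrade_to: Optional[Version], reason: str) -> Dict[str, object]:
    return {
        "version": version_str(v),
        "affected": affected,
        "upgrade_to": version_str(upgrade_to),
        "reason": reason,
    }


def assess(version_text: str) -> Dict[str, object]:
    """Return whether the version is affected and which release to upgrade to."""
    v = parse_version(version_text)

    if v <= AFFECTED_SINCE:
        return _verdict(v, False, None, "1.3.0 or older: outside the affected range")

    for start, end, fixed in SUPPORTED_LINES:
        if start <= v <= end:
            return _verdict(v, True, fixed, "supported line with a fixed release")
        # Assumption of this example: later patch releases on a supported line carry the fix.
        if v[:2] == fixed[:2] and v >= fixed:
            return _verdict(v, False, None, "at or above this line's fixed release")

    # Assumption of this example: releases newer than the last listed fix ship with the fix.
    if v > FIXED_VERSIONS[-1]:
        return _verdict(v, False, None, "newer than every listed fixed release (assumed patched)")

    # Unsupported line newer than 1.3.0: vulnerable, and no patch exists on its own line,
    # so recommend the nearest fixed release above it.
    target = next(f for f in FIXED_VERSIONS if f > v)
    return _verdict(v, True, target, "unsupported line: no patch of its own, move to the next fixed release")


if __name__ == "__main__":
    for sample in ["Atlassian Confluence 7.13.6", "7.4.17", "7.12.5", "7.18.0", "7.19.0", "1.3.0"]:
        print(assess(sample))
```

Versions are compared as integer tuples, so a string comparison bug such as treating 7.4.16 as newer than 7.4.9 cannot occur; the script raises on input that carries no version number at all rather than guessing.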
What is the Current Situation?
Atlassian has released fixed versions for Confluence Server and Data Center, public proof-of-concept (PoC) exploit code is available, and U.S. CISA has reported that attackers are exploiting the vulnerability in the wild. Because Confluence is widely deployed team collaboration software and CVE-2022-26134 can be exploited with a single unauthenticated request, threat actors are expected to increase their attacks in the coming weeks.
Post-Exploitation TTPs
According to Volexity, attackers' follow-up actions after successfully exploiting Confluence Server and Data Center instances were:
1. Deploying an in-memory copy of the open-source Behinder web shell implant.
2. Using Behinder to deploy two further web shells:
   - the JSP variant of the China Chopper web shell (MD5: f8df4dd46f02dc86d37d46cf4793e036, SHA1: 4c02c3a150de6b70d6fca584c29888202cc1deef)
   - a custom file upload shell (MD5: ea18fb65d92e1f0671f23372bacf60e7, SHA1: 80b327ec19c7d14cc10511060ed3a4abffc821af)
   Because Behinder also has built-in support for interacting with Cobalt Strike and Meterpreter, attackers can pivot to those post-exploitation frameworks as well.
3. Checking the operating system version.
4. Accessing the /etc/passwd and /etc/shadow files to dump credentials.
5. Clearing tracks by removing the web access logs.
Because the initial implant lives only in memory and the access logs were deleted on the host, a hunt should not rely on local web logs alone: check the web root for the dropped JSP shells by hash, compare against access logs shipped to a central collector, and treat any reachable instance that was unpatched during the exploitation window as potentially compromised.
How Does Picus Help Simulate Atlassian Confluence Server and Data Center CVE-2022-26134 Unauthenticated Remote Code Execution Exploits?
We also strongly suggest simulating exploitation of the Atlassian Confluence Server and Data Center CVE-2022-26134 unauthenticated remote code execution vulnerability to assess the effectiveness of your security controls with the Picus Complete Security Control Validation Platform. You can test your defenses against CVE-2022-26134 exploitation attacks, and assess your security posture against hundreds of other commonly exploited vulnerabilities, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threat for the CVE-2022-26134 vulnerability:

| Threat ID | Threat Name |
|---|---|
| 58423 | Atlassian Confluence Web Attack Campaign |
Picus Threat Library also includes attack simulations for previous Atlassian vulnerabilities. This threat currently includes the following actions:

| Action ID | Threat Name | CVE |
|---|---|---|
| 367678 | Atlassian Confluence Server OGNL Injection Remote Code Execution Vulnerability Variant-1 | CVE-2021-26084 |
| 421887 | Atlassian Confluence Cross-Site Scripting Vulnerability | CVE-2018-5230 |
| 530383 | Atlassian Confluence Server OGNL Injection Remote Code Execution Vulnerability Variant-2 | CVE-2021-26084 |
| 541281 | Atlassian Confluence Remote Code Execution via LFI Vulnerability | CVE-2019-3398 |
| 553673 | Atlassian Confluence Remote Code Execution via Macro Preview Feature Variant-1 | CVE-2019-3396 |
| 726719 | Atlassian Confluence Remote Code Execution via Macro Preview Feature Variant-2 | CVE-2019-3396 |
| 890767 | Atlassian Confluence Data Center Remote Code Execution Vulnerability Variant-1 | CVE-2022-26134 |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address the Atlassian Confluence CVE-2022-26134 RCE and other vulnerability exploitation attacks in preventive security controls. Picus Labs has currently validated the following signatures:

| Security Control | Signature ID | Signature Name |
|---|---|---|
| F5 BIG-IP | 200003439 | Java code injection - java/lang/Runtime (URI) |
| FortiGate IPS | 51648 | applications3: Atlassian.Confluence.OGNL.Remote.Code.Execution |
| Palo Alto IPS | 92632 | Atlassian Confluence Remote Code Execution Vulnerability |
| Snort | 1.59934.1 | SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt |
| Sourcefire IPS | 1.59934.1 | SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt |

These signatures match the request pattern rather than the underlying flaw, so treat them as a compensating control while you patch, not as a substitute for upgrading.
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.
Threat Hunting
Volexity has published YARA rules to hunt for the web shells described in the Post-Exploitation TTPs section above.
Indicators of Compromise (IoC)
IP Addresses:
- 156.146.34.9
- 156.146.56.136
- 198.147.22.148
- 45.43.19.91
- 66.115.182.102
- 66.115.182.111
- 67.149.61.16
- 154.16.105.147
- 64.64.228.239
- 156.146.34.52
- 154.146.34.145
- 221.178.126.244
- 59.163.248.170
- 98.32.230.38
SHA1 Hashes (the China Chopper JSP web shell and the custom file upload shell listed under Post-Exploitation TTPs):
- 4c02c3a150de6b70d6fca584c29888202cc1deef
- 80b327ec19c7d14cc10511060ed3a4abffc821af
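As an added example that is not part of the original page or of Volexity's work, the Python script below applies two detection points this page gives to web access logs: the OGNL expression in the request path that characterises CVE-2022-26134 exploitation attempts (the `${` that opens an OGNL expression, in plain, URL-encoded or double-URL-encoded form), and the attacker IP addresses in the IoC list above. The log lines are constructed for the example in Apache common/combined format; the IoC IP set is copied from the list above, and the 203.0.113.10 address is a documentation-range placeholder for an unlisted attacker.

```python
"""Scan web access logs for CVE-2022-26134 exploitation attempts and known attacker IPs.

Added example; not code from Volexity, Atlassian or Picus. The log lines
below are constructed; the IoC IP set is copied from this page.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Attacker IP addresses from the IoC list on this page.
IOC_IPS = {
    "156.146.34.9", "156.146.56.136", "198.147.22.148", "45.43.19.91",
    "66.115.182.102", "66.115.182.111", "67.149.61.16", "154.16.105.147",
    "64.64.228.239", "156.146.34.52", "154.146.34.145", "221.178.126.244",
    "59.163.248.170", "98.32.230.38",
}

# Common/combined log format prefix: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# `${` opens an OGNL expression; its presence in a request path is the injection marker.
OGNL_RE = re.compile(r"\$\{")


def decode_path(path: str) -> str:
    """URL-decode until stable, so double-encoded payloads (%2524%257B) also surface."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path


def analyse(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons: List[str] = []
    if OGNL_RE.search(decode_path(m["path"])):
        reasons.append("ognl-expression-in-path")
    if m["ip"] in IOC_IPS:
        reasons.append("known-attacker-ip")
    return {
        "ip": m["ip"],
        "time": m["time"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "reasons": reasons,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the records that have at least one detection reason."""
    hits = []
    for line in lines:
        record = analyse(line)
        if record and record["reasons"]:
            hits.append(record)
    return hits


# Constructed sample log (not real traffic). 203.0.113.10 is a documentation-range
# placeholder; the two 156.146.x addresses are taken from the IoC list above.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [03/Jun/2022:10:00:05 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"',
    '156.146.56.136 - - [03/Jun/2022:10:00:09 +0000] "GET /%2524%257B1%252B1%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27.1"',
    '156.146.34.9 - - [03/Jun/2022:10:01:12 +0000] "GET /index.action HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ",".join(hit["reasons"]), hit["path"])
```

Run `scan()` over logs shipped to a central collector rather than the ones on the Confluence host, since removing the host's web access logs is one of the post-exploitation steps listed above; an empty result from host logs is not evidence that no exploitation occurred.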