Researchers have discovered an unauthenticated Remote Code Execution (RCE) flaw, tracked as CVE-2022-26134, that can be used to compromise even fully patched, current versions of Atlassian’s Confluence Server. On June 2nd, Atlassian released an advisory stating that Confluence Server and Data Center versions 7.4.0 and higher are potentially vulnerable.

Security researchers observed that, after compromising a server, the threat actor (TA) deployed an in-memory copy of a web shell known as BEHINDER, which gives the attacker remote interactive access to the web server without writing a shell file to disk. BEHINDER has also been observed to support Meterpreter and Cobalt Strike.

The TA could use these tools as part of a broader intrusion, establishing command and control (C2) over the compromised network to deploy further payloads and exfiltrate data during the post-exploitation phase of the attack lifecycle.

At the time of this writing, Atlassian has not released a patch for this vulnerability. Network mitigations can still reduce the risk of exploitation, including restricting traffic to Confluence servers, having incident response capabilities ready, and ensuring firewalls and other network security controls block confirmed malicious activity.

Users can also:

  • Use network security resources such as firewalls or a web application firewall to block URLs containing the characters "${", which mark the start of an OGNL expression. Make sure the rule also matches the URL-encoded form "%24%7B" (and double-encoded variants), since a rule on the literal characters alone is easily bypassed.
  • Enumerate internet-facing services and make sure their logs are adequate in type and retention, so that evidence is available in case of an incident.
  • If using a firewall, ensure only necessary inbound traffic enters your network environment and restrict access to your organization’s internet-facing resources.
  • Atlassian also suggests making servers inaccessible by:
    • Restricting access to Confluence Server and Data Center instances from the internet.
    • Disabling Confluence Server and Data Center instances.
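As an added example (not part of the original advisory or of Atlassian's guidance), the following Python script applies the "${" rule above to web server access logs, percent-decoding each request URI first so that "%24%7B" and double-encoded variants are caught as well as the literal characters. The log lines are constructed for illustration and the Apache-style common/combined log format is assumed; the IP addresses are documentation ranges, not real clients.

```python
import re
from urllib.parse import unquote

# Apache-style common/combined log line (assumed format):
# client ident user [time] "METHOD URI PROTO" status size ...
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3})'
)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode the URI repeatedly (bounded) until it stops changing,
    so that %24%7B, %2524%257B, etc. all collapse to the literal '${'."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_ognl_marker(uri: str) -> bool:
    """True if the decoded URI contains the '${' expression marker that the
    Atlassian guidance recommends blocking at the firewall/WAF."""
    return "${" in normalize_uri(uri)


def scan_access_log(lines):
    """Return (client, method, original_uri) for every request whose URI,
    after decoding, contains '${'. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        if is_ognl_marker(m.group("uri")):
            hits.append((m.group("client"), m.group("method"), m.group("uri")))
    return hits


# Constructed sample lines for illustration only (not real traffic).
# Lines 2-4 carry the marker literally, URL-encoded, and double-encoded;
# a naive match on the raw URL would only flag line 2.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:32 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Jun/2022:10:15:40 +0000] "GET /${x}/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [03/Jun/2022:10:16:01 +0000] "GET /%24%7Bx%7D/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [03/Jun/2022:10:16:05 +0000] "GET /%2524%257Bx%257D/ HTTP/1.1" 302 0',
    '192.0.2.5 - - [03/Jun/2022:10:17:12 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for client, method, uri in scan_access_log(SAMPLE_LOG):
        print(f"flagged {client} {method} {uri}")
```

The same decode-then-match logic is what a blocking rule needs: a WAF that inspects only the raw request line will pass "%24%7B" straight through to Confluence, which decodes it. Treat this as a stopgap for hunting and blocking until the vendor patch is applied; it does not detect an instance that was already compromised before the rule was in place.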

This is considered a highly critical alert; the mitigations above should remain in place until Atlassian provides a patch that can be deployed to impacted Confluence Servers.

BinaryLab is committed to protecting clients’ sensitive data by proactively addressing security concerns, as well as providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.

About the author

Sergio Orellana, Chief Cybersecurity Officer

Sergio Orellana is the Chief Cybersecurity Officer of BinaryLab and leads the creation and delivery of enterprise-class cybersecurity and compliance solutions. He is a breach response expert with more than a decade of experience working on large and complex security incidents and investigations.
