top of page
  • Jose

Zero-Day Vulnerability - Atlassian Confluence - HACKED



What is Atlassian and Confluence?

Atlassian is a software development company that has put together a collection of tools geared toward technical teams to streamline project deployments and management the project throughout its lifecycle. Organization’s find Atlassian tools to be extremely beneficial since the major challenges technology companies face is a delayed deployment for things such as software patches or added feature deployment. During a deployment or new project, it includes numerous members in different departments to collaborate. Atlassian tools target organizations facing challenges in efficiency of code and system deployments, tracking time, tasks, and quality. According to Fast Company, Atlassian is one of the most innovative companies “The company is best known for Jira, a project-tracking tool that helps software teams address internal issues and evaluate performance; Confluence, a product that makes it easier for teams to work together, share projects, and communicate through both mobile and desktop devices; and HipChat, which allows workers to chat privately and in groups.”


What’s the exploit?

On June 2nd Atlassian warned the public regarding a Zero Day attack on one of it’s products, Confluence. The vulnerability targets the Confluence Server and Data Center products. According to The Hacker News, “it said is being actively exploited in the wild.” Volexity discovered the vulnerability now known as CVE-2022-26134, the exploit “..allowed unauthenticated remote code execution on the servers.” According to Volexity, “It should also be noted that CVE-2022-26134 appears to be another command injection vulnerability. This type of vulnerability is severe and demands significant attention.” The goal for this exploit was to obtain elevation of privilege leveraging remote code execution.


What’s a CVE?

A CVE standards for Common Vulnerabilities and Exposures, which provides a reference-method for known information-security vulnerabilities and exposures. The CVEs are published by National Institute of Standards and Technology (NIST) and other sites. CVEs are important because they allows cybersecurity professionals to understand the vulnerability that exposures the products they are using so they can properly prepare for attacks. The higher the rating the more impactful and likely the vulnerability is able to be exploited.


What is Remote Code Execution (RCE)?

The CVE-2022-26134 utilizes remote code execution which is a vulnerability used by many exploits which allows hackers to run their malicious code. Remote Code Execution (RCE) is one of the highest level of vulnerabilities available today. A good way to look at RCE is losing control of what your actions, imagine every time you try to change the channel on your TV, instead of changing the channel it raised the volume. In the computer world, every time your computer system runs something it also executed code that you or your system didn’t know about. The code injected can do anything the hacker designed it to do. Typically, the RCE type of exploits aim to take control of the entire system, once they control of the whole system all data inside the system is now compromised. Since Confluence holds team project timelines, collaboration with other tools of Atlassian, this type of attack is critical and can be severely impactful to organizations.


How was the exploit discovered?

A customer of Atlassian who uses Confluence reached out to Volexity to help them respond to a security incident. Volexity is a security firm, primarily focused on providing services in incident response, digital forensics, and threat intelligence. After the work done by Volexity they posted (on their blog) over Memorial Day weekend, they responded to an incident and stated “After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.”

Once the system has been exploited Volexity gathered that the exploit deployed BEHINDER (opensource attack software) implant. According to Volexity “This is an ever-popular web server implant with source code available on GitHub. BEHINDER provides very powerful capabilities to attackers, including memory-only Web Shells and built-in support for interaction with Meterpreter and Cobalt Strike.” The attackers didn’t stop there, once BEHINDER was deployed according to Volexity “the attacker used the in-memory Web Shell to deploy two additional Web Shells to disk: CHINA CHOPPER and a custom file upload shell.”


What is BEHINDER?

Utilizes Web Shells and has tools to support interaction with Meterpreter (used to exploit a system) and Cobalt Strike(red team commands and control frameworks).

What are Web Shells?

MITRE ATT&CK, “Used to backdoor web server with Web Shells. Web Shells establish persistent access to systems.”

What is CHINA CHOPPER?

MITRE ATT&CK, “CHINA CHOPPER is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system backing back to a remote command and control server.”


What effects does this have on Atlassian?

Atlassian faced two major security vulnerabilities in one year. Last year 2021 CVE-2021-26084 was discovered August 2021. The current vulnerability CVE-2022-26134 is exploiting the similar vulnerabilities levered in CVE-2021-26084, both leveraging RCE. Atlassian was very quick to respond to the exploit of vulnerability CVE-2022-26134, releasing a patch June 4th, 2022, just a few days after CVE-2022-26134 was discovered.


My take-

The past few companies I have researched regarding attacks made on their system, Atlassian stands out as a company being transparent and quick to act. The actions Atlassian has made tells me two things, Atlassian takes the cybersecurity seriously by putting in quick effort in developing a patch and releasing exactly what systems were affected. The second is Atlassian values their community, disclosing the information and being transparent on its effect is extremely important to everyone using Confluence software. There is a concern of two high level exploits discovered in a span of one year relating to the same core vulnerability, Remote Code Execution. Atlassian being a software development company, I’m sure they invest in security; however, a serious consideration should be put into DevSecOps. The implementation of security as software is being developed should be taken into account, it will reduce the amount of Zero day vulnerabilities available since the code is developed from the ground up as a secured software.





References

Fast Company, Most Innovative Companies Atlassian Accessed: June 4th, 2022 https://www.fastcompany.com/company/atlassian

Ravie Lakshmanan via The Hacker News, (June 2nd, 2022) Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability Accessed: June 4th, 2022 https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html

MITRE ATT&CK, China Chopper Accessed June 4th 2022 https://attack.mitre.org/software/S0020/

MITE ATT&CK, Server Software Component: Web Shell Accessed: June 4th 2022 https://attack.mitre.org/techniques/T1505/003/

Andrew Case, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research, (June 2nd, 2022) Zero-Day Exploitation of Atlassian Confluence Accessed: June 5th, 2022



Recent Posts

See All

Comments


bottom of page