Detecting Atlassian Confluence Exploitation

Introduction

The blog “Detecting Atlassian Confluence Exploitation – CVE-2022-26134” focuses on identifying and responding to active exploitation of a critical remote code execution vulnerability affecting Atlassian Confluence servers. The article explains how attackers leveraged the flaw to execute arbitrary commands, leading to widespread compromise. It emphasizes detection strategies, indicators of compromise, and the importance of Risk Mitigation & Threat Analysis to reduce exposure and contain attacks related to Atlassian Confluence Exploitation.

Key Takeaways

CVE-2022-26134 is a critical unauthenticated remote code execution (RCE) vulnerability in Atlassian Confluence Server/Data Center allowing arbitrary code execution.
Exploitation can lead to full system or domain compromise if not detected and mitigated.
Mitigation involves applying Atlassian’s security patches and restricting access to vulnerable instances.
Detection rules (like System-41 Sigma rules) examine logs for malicious OGNL injection indicators to spot exploit activity.

Context Background

Atlassian has published a security advisory CVE-2022-26134 on June 2, for its Confluence Server and Data Center, regarding zero-day vulnerability. Several customer environments were being compromised with the unauthenticated activity and for which patches were released on June 3 as part of a makeshift solution.

Such a Java vulnerability causes a volatile situation during which a server comes under direct attack. With this exposure, organizations experience data infiltration and other security issues through remote code execution (RCE) resulting in an unauthorized exploitation.

The Impact

If left ignored or unnoticed, the threat actor might make use of the RCE to forcefully induce malware or ransomware to lock or steal data. The impact varies in magnitude and affects at various levels in an organization.

Server Level – At the server level, this vulnerability creates a devastating effect by completely manipulating the server configurations and settings.
Domain Level – The infrastructure will be exposed to attacks, eventually resulting in the complete takeover of the customer’s domain.

By injecting Object-Graph Navigation Language (OGNL) into a customer’s development framework, an arbitrary code would be executed making the entire system highly exposed to attacks.

A Constructive Approach for Risk Mitigation & Threat Analysis

CVE-2022-26134, the critical RCE vulnerability, affects all the supported versions of Atlassian Confluence Server and Data Center. In the event, the above patches could not be applied, it is advisable to limit or disable access to the instances.

Action to be taken	Result achieved
Control access to the instances of Confluence Server and Data Center	This action, when invoked, protects the data from getting damaged or exposed further leading to the security of domain, server and infrastructure.
Activate incident response protocols	This action mitigates further threats and other vulnerabilities to the organization, beefing up the security levels.
Implement patches issued by Atlassian	This action avoids the deployment of any unique HTTP requests created to steal, migrate, modify or even damage data.
Apply YARA rules based on the nature of the RCE vulnerability	This action helps in the creation of a set of YARA rules that will result in further exploitation of the vulnerability.

System-41, a product of Loginsoft, offers Threat Hunting and Detection Rules in “Sigma” (a generic and open signature format) and which later can be converted to any SIEM. The analytics developed will also be validated and the logs used for validation will be preserved for reference. These curated rules will make it easy to analyze various logs as part of identifying a suspicious action or threat across Windows and Linux Operating Systems.

Now, let us try to answer these questions:

What does the System-41 rule detect in CVE-2022-26134?
Which logs to look for based on the operating system or server?

What Is detected?

System-41 rule detects suspicious activities, real threats, and any vulnerabilities that hamper proper functioning of your business at server level, network level or OS level.

How is it detected?

Different types of logs are examined during the process of threat identification. These logs differ from one another based on the OS or server.

For instance, the below System-41 rule is written for webserver to observe logs and identify possible threats.

• System-41 rule for webserver


1   title: Confluence Exploit Activity on Webserver Logs
2   id: 646df676-e77e-4021-9127-2156137919ef
3   description: Detection for Confluence server activity found on   webserver logs
4   date: 16/06/2022
5   status: experimental
6   references:
7   - 'https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/'
8   - 'https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/'
9   tags:
10  - attack.t1190
11  author: System-41
12  logsource:
13    category: webserver
14  detection: 
15    mal_request:
16       cs-method: 'GET'
17       c-uri|contains: 
18           - '/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'
19           - '${@java.lang.Runtime().exec('
20           - '${@java'
21           - '${'
22    condition : mal_request
23  falsepositives: unknown
24  level: high

.code-container { position: relative; margin-top: 20px;}.copy-btn { position: absolute; right: 8px; top: 20px; /* Adjust as needed to position above the code block */ padding: 6px 12px; cursor: pointer; background-color: #777777; /* Button background color */ color: white; /* Button text color */ border: none; border-radius: 4px; font-size: 12px;}.code-block { font-family: monospace; background-color: rgba(255, 255, 255, 1); padding: 24px; margin-top: 12px; margin-bottom: 12px; border-radius: 8px; overflow-x: auto;}

In the above rule, the logs to be analyzed are detailed from Line 18 to 21. Any unusual activity detected in the Confluence server based on the examination of these logs would be reported. Alternatively, the detection would take place only if the URI contains any of the parameters defined from Line 18 to 21.

Similarly, there are System-41 rules for Windows and Linux as detailed below.

• System-41 rule for Windows


1   title: Confluence Webshell activity on Windows
2   id: ed473006-e388-4c5d-8672-149c003e569b
3   description: Detection for Confluence activity through tomcat9.exe to run arbitrary commands
4   date: 16/06/2022
5   status: experimental
6   references: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
7   tags:
8     -attack.t1033  #System Owner/User Discovery 
9     -attack.t1018  #Remote System Discovery 
10    -attack.t1218.011  #System Binary Proxy Execution: Rundll32 
11    -attack.t1087.001 #Account Discovery: Local Account   
12  author: System-41
13  logsource:
14    category: process_creation
15    product: windows
16  detection:
17    confluence_tomcat_binary:
18      ParentImage|endswith:
19        -'\Confluence\bin\tomcat9.exe'
20    discovery:
21      Image|endswith:
22        -'\whoami.exe'
23        -'\net.exe'
24        -'\net1.exe'
25        -'\schtasks.exe'
26        -'\ping.exe'
27        -'\ipconfig.exe'
28        -'\vssadmin.exe'
29        -'\tasklist.exe'
30        -'\quser.exe'
31        -'\hostname.exe'
32        -'\systeminfo.exe'
33    suspicious_proc:
34      Image|endswith:
35        -'\cmd.exe'
36        -'\powershell.exe'
37        -'\rundll32.exe'
38        -'\fsutils.exe'
39        -'\bitsadmin.exe'
40    condition: confluence_tomcat_binary and (discovery or suspicious_proc)
41  falsepositives: unknown
42  level: high

‍

In the above rule, the elements of the map are linked with the logical AND. Next, the image of the process would be matched with that of the parent image. The detection takes place when a log contains the specified image paths.

• System-41 rule for Linux


1   title: Confluence Webshell activity on Linux
2   id: 0d9d7bc8-89f7-4aea-af6d-c5755cbe5c8d
3   description: Detection for Confluence activity through  to run arbitrary commands
4   date: 16/06/2022
5   status: experimental
6   author: System-41
7   refernces: 
8      - 'https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/'
9      - 'https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/'
10  tags: 
11     - attack.t1190 #initial access
12     - attack.t1059  #execution
13  logsource:
14      category: process_creation
15      product: linux
16  detection: 
17      Suscpicious_process_activity:
18         ParentImage|endswith: '/java'
19         ParentImage|startswith: '/opt/atlassian/confluence/'
20         CommandLine|contains:
21         	- '/bin/sh'
22         	- 'curl'
23          - 'wget'
24          - 'pty.spawn'
25          - 'python'
26          - '/bin/bash'
27       condition : Suscpicious_process_activity
28  falsepositives: Unknown
29  level: High

‍

The rule above helps in detecting suspicious process activities in Linux if any of the logs contain requests like ‘curl’ and ‘wget’ in the command line.

Conversion of System-41 rule to SIEM query

Converting the System-41 rule to any SIEM query, it is necessary to include certain parameters like:

the target SIEM
a configuration file
the path

With the inclusion of the above parameters, the command line appears as depicted below.

./sigmac –t <target> -c <path to the configuration file> <path to the rule>

Conclusion

Loginsoft’s team has conducted a detailed research to evolve at solutions that will help in protecting data, be it, on Windows or Linux. System-41 is a threat detection platform from Loginsoft aimed to keep data safe and mitigate risk.

FAQs

Q1. What is CVE-2022-26134?

CVE-2022-26134 is a critical remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center. With a CVSS score of 9.8 (Critical), the flaw is caused by an OGNL injection issue that allows attackers to execute arbitrary code without authentication, giving them full control over vulnerable Confluence systems.

Q2. Why is Atlassian Confluence exploitation dangerous?

Exploiting Atlassian Confluence is especially dangerous because it gives attackers access to a central hub of sensitive organizational data and often full administrative control of the underlying system. This level of access allows attackers to steal data, deploy malware, move laterally across the network, and fully compromise enterprise environments.

Q3. How can exploitation attempts be detected?

Exploitation attempts can be identified by watching for unusual system or network activity, reviewing logs for abnormal behavior, and using security tools such as Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) solutions.

Q4. What role does Risk Mitigation & Threat Analysis play?

Risk Mitigation & Threat Analysis helps organizations identify potential threats and vulnerabilities, understand their impact, and choose the right response, avoid, reduce, transfer, or accept the risk. By managing risks proactively instead of reacting after incidents, organizations protect business continuity, safeguard their reputation, and stay on track to achieve their goals.

Q5. What should organizations do after detecting exploitation?

Once exploitation is detected, organizations should immediately trigger their incident response plan to contain the attack, assess its impact, notify affected stakeholders, fix the underlying vulnerabilities, and implement controls to prevent future incidents.

Detecting Atlassian Confluence Exploitation - CVE-2022-26134