Red Canary has produced a report on the exploitation of the Atlassian Confluence vulnerability CVE-2023-22518 by a Cerber ransomware campaign.
Atlassian products have clearly become a significant target for ransomware operators.
In October alone, researchers reported CVE-2023-22515, a vulnerability affecting several versions of Confluence, giving security teams good reason to stay alert.
Since then, a new finding has surfaced: Red Canary’s researchers have written a comprehensive report on a ransomware campaign exploiting another Atlassian Confluence vulnerability, CVE-2023-22518.
On November 6th, Red Canary announced that its team had found suspicious exploitation of Atlassian Confluence that led to an attempt to deploy the Cerber ransomware.
While the detected activity uses intrusion methods similar to those previously reported by The DFIR and Rapid7, the Red Canary team chose to publish their own report. The team’s goal is to provide a deeper understanding of the ransomware and to advise organizations on how to avoid becoming victims.
THE CVE-2023-22518 VULNERABILITY:
The Atlassian Confluence CVE-2023-22518 vulnerability is an improper authorization flaw in Confluence Data Center and Confluence Server.
Unauthenticated threat actors can exploit this weakness by invoking the “Restore from Backup” function and submitting their own malicious “.zip” file. This poses a high risk, because adversaries can use it to destroy Confluence instances, leading to data loss.
Alternatively, the threat actor could submit a “.zip” file containing a malicious web shell, enabling them to execute code remotely (remote code execution, RCE).
RECOMMENDATION AND VERSION UPDATE:
Atlassian recommends that users update their on-premises instances to the fixed Confluence versions outlined below:
- 7.19.16 or later.
- 8.3.4 or later.
- 8.4.4 or later.
- 8.5.3 or later.
- 8.6.1 or later.
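The fixed versions above are per release line, so a single "greater than" comparison is not enough: 8.4.0 is numerically above 8.3.4 but still sits below the 8.4 line’s fix, 8.4.4. The following Python is an added example (not Atlassian’s or Red Canary’s code) that applies the list line by line to a constructed inventory; versions whose release line is not in the list are reported as unknown rather than guessed.

```python
import re

# Fixed releases per Atlassian's list above; each major.minor line is fixed independently.
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]

def parse_version(text):
    """'8.5.3' -> (8, 5, 3). Accepts '8.5' (patch defaults to 0) and ignores suffixes like '-rc1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def check_version(installed):
    """Classify an installed version against the fixed list.

    A plain numeric comparison against the lowest fixed version is wrong here:
    8.4.0 sorts above 8.3.4 but belongs to the 8.4 line, whose fix is 8.4.4, so
    it is still vulnerable. Lines not in the list (e.g. 8.0-8.2, or 8.7+) are
    reported as 'unknown' rather than guessed; consult the advisory for those."""
    inst = parse_version(installed)
    for fix in map(parse_version, FIXED_VERSIONS):
        if inst[:2] == fix[:2]:  # same major.minor release line
            return "patched" if inst >= fix else "vulnerable"
    return "unknown"

def triage(inventory):
    """inventory: {hostname: version}. Returns hostnames grouped by status."""
    groups = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        groups[check_version(version)].append(host)
    return groups

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"wiki-01": "7.19.15", "wiki-02": "8.4.0", "wiki-03": "8.5.3", "wiki-04": "8.7.1"}
    for status, hosts in triage(sample).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```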
Red Canary has reported observations and patterns of a successful exploit of Atlassian Confluence CVE-2023-22518.
The research team found that, once the vulnerability is exploited, adversaries can upload arbitrary content to Confluence instances without authentication.
In contrast, Atlassian has stated that there is no detected impact on confidentiality and that threat actors cannot exfiltrate data from any instance. However, the threat actor can upload a malicious zip file containing a web shell, which enables them to execute code remotely (RCE).
After gaining initial access, the adversaries run the shell command “cmd /c whoami”, then use the shell to download a file from an IP address belonging to the threat actor’s server.
Decoding a snippet of the script reveals that the “tmp.48” file is downloaded to the victim’s device.
Further extraction and decoding of the “tmp.48” file reveals the list of functions the script performs.
- The script defines a function, `Download_Execute`, that creates a .NET WebClient object with a Mozilla 4.0 User-Agent and proxy settings.
- It checks if the Confluence server should use the specified proxy server, and if so, downloads the specified file. Otherwise, it uses an Internet Explorer COM object to download the script.
- The script downloads a Cerber ransomware executable, saves it as `svcprvinit.exe` in the temp folder, and runs it with `-b 9` arguments.
- Finally, it calls `Download_Execute` to download `tmp.48.txt` from `193.176.179[.]41` and extract the Cerber ransomware file.
Red Canary researchers successfully obtained the Cerber ransomware sample “svcprvinit.exe”, which is potentially linked to the Conti ransomware leaks.
Upon execution, they found that the Cerber ransomware runs a binary that encrypts files on the local disk and on network shares, appending the “.LOCK3D” extension. It also creates a mutex, a synchronization object that prevents shared data from being accessed by multiple threads simultaneously.
Red Canary researchers stated that:
“The ransomware binary uses ChaCha (a modification of the Salsa20 stream cipher) to encrypt files. This is consistent with the last known build of Conti using ChaCha for file encryption. The binary also contains the capability to use AES and RC4 for different encryption operations (e.g., encrypting keys).”
Furthermore, the ransomware binary is said to create the mutex hsfjuukjzloqu28oajh727190 to ensure that only one instance of the binary is running at a given time.
Once it has encrypted the victim’s files, the ransomware drops a ransom note, “read-me3.txt”, in each encrypted folder.
In the final stage of the process, the malware deletes all volume shadow copies using the Windows command shell “cmd.exe” and “wmic.exe”, and then deletes itself.
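The chain described above (Confluence’s JVM spawning a shell, the svcprvinit.exe launch with “-b 9”, the reported mutex, shadow copy deletion, and the .LOCK3D / read-me3.txt artefacts) can be turned into hunting rules. The Python below is an added example, not Red Canary’s detection logic; the events are constructed, the field names are an assumed schema rather than any product’s format, Confluence is assumed to run as java.exe, and the shadow copy rule also covers vssadmin, which the report does not mention.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on the chain in the report; not real logs.
# The schema (type/parent/image/cmdline/path/name) is an assumption, not a product format.
EVENTS = [
    {"type": "process", "parent": "java.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    {"type": "process", "parent": "java.exe", "image": "powershell.exe", "cmdline": "powershell.exe <constructed download command>"},
    {"type": "process", "parent": "powershell.exe", "image": "svcprvinit.exe", "cmdline": r"C:\Windows\Temp\svcprvinit.exe -b 9"},
    {"type": "mutex", "name": "hsfjuukjzloqu28oajh727190"},
    {"type": "process", "parent": "svcprvinit.exe", "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"type": "file", "path": r"C:\Shares\finance\Q3.xlsx.LOCK3D"},
    {"type": "file", "path": r"C:\Shares\finance\read-me3.txt"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd /c dir"},  # benign control
]

def is_proc(e, image=None):
    return e["type"] == "process" and (image is None or e["image"].lower() == image)

RULES = {
    # Confluence's JVM (assumed to run as java.exe) spawning a shell: web-shell post-exploitation.
    "confluence_spawns_shell": lambda e: (is_proc(e) and e["parent"].lower() == "java.exe"
                                          and e["image"].lower() in ("cmd.exe", "powershell.exe")),
    # Payload file name and launch arguments reported by Red Canary.
    "cerber_payload_launch": lambda e: is_proc(e, "svcprvinit.exe") and "-b 9" in e["cmdline"],
    # Mutex name reported for the sample.
    "cerber_mutex": lambda e: e["type"] == "mutex" and e["name"] == "hsfjuukjzloqu28oajh727190",
    # Shadow copy deletion via wmic (vssadmin added as a generalisation) ahead of encryption.
    "shadow_copy_deletion": lambda e: is_proc(e) and bool(re.search(
        r"wmic.*shadowcopy.*delete|vssadmin.*delete\s+shadows", e["cmdline"], re.I)),
    # Encryption artefacts: the .LOCK3D extension and the read-me3.txt note.
    "cerber_encryption_artifacts": lambda e: (e["type"] == "file"
                                              and e["path"].lower().endswith((".lock3d", "read-me3.txt"))),
}

def scan(events):
    """Return {rule_name: [indices of matching events]} for every rule that fired."""
    hits = defaultdict(list)
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(i)
    return dict(hits)

if __name__ == "__main__":
    for name, idx in scan(EVENTS).items():
        print(f"{name}: events {idx}")
```

Any single rule firing is worth a look; the payload, mutex and artefact rules together are strong evidence that encryption has already begun, so isolation should precede further triage.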
Red Canary has disclosed a list of IoCs to help organizations detect this attack when exposed to it.
Please do let us know in the comment section what are your thoughts about this.