We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware. Users and organizations are advised to upgrade to the fixed versions, apply the available patches, or apply the temporary fixes as soon as possible to mitigate the risk of abuse.
Abusing the gap
The vulnerability can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI) to the victim server, resulting in an RCE.
To identify whether an installed Confluence Server is vulnerable, the attacker can send an HTTP request that runs the id command. Upon successful exploitation, the attacker can read the output in an attacker-controlled HTTP response header. In the sample we analyzed, the output of the id command was returned in an “X-Cmd-Response” header: the vulnerable server executes the command and places the result in the attacker-defined header.
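The two observable artifacts described above (an OGNL expression marker in the request URI and command output echoed back in a response header) are enough to triage proxy or WAF logs for exploitation attempts versus confirmed exploitation. The following is an added example written for this write-up, not code from the original post or from Trend Micro; the record layout (`path`, `status`, `resp_headers`) and the `SAMPLE_RECORDS` entries are constructed assumptions, while the `X-Cmd-Response` header name comes from the sample discussed above.

```python
from urllib.parse import unquote

# Markers of an OGNL expression embedded in a request path. The URL-encoded
# forms are checked too, so a double-encoded expression that still reads
# "%24%7B" after one decode is not missed.
OGNL_MARKERS = ("${", "%24%7B", "#{", "%23%7B")

# Response header the analyzed sample used to return command output.
ECHO_HEADERS = ("x-cmd-response",)

# Constructed sample records (not real traffic). Each mimics what a reverse
# proxy or WAF could log: request path, status, and response headers set by
# the upstream server. IPs are from documentation ranges.
SAMPLE_RECORDS = [
    {"id": 1, "client": "203.0.113.5", "path": "/login.action",
     "status": 200, "resp_headers": {}},
    {"id": 2, "client": "198.51.100.7", "path": "/%24%7Bexample%7D/",
     "status": 302,
     "resp_headers": {"X-Cmd-Response": "uid=1001(confluence) gid=1001(confluence)"}},
    {"id": 3, "client": "198.51.100.7", "path": "/pages/viewpage.action?pageId=123",
     "status": 200, "resp_headers": {}},
    {"id": 4, "client": "192.0.2.9", "path": "/${example}/",
     "status": 302, "resp_headers": {}},
]


def ognl_in_path(path: str) -> bool:
    """True if the request path carries an OGNL expression marker, raw or URL-encoded."""
    decoded = unquote(path)
    return any(marker in path or marker in decoded for marker in OGNL_MARKERS)


def echoed_command_output(resp_headers: dict) -> bool:
    """True if the server set a header name used to return command output."""
    return any(name.lower() in ECHO_HEADERS for name in resp_headers)


def triage(records):
    """Map record id -> verdict.

    'exploited': OGNL marker in path AND command output echoed in a header
    'attempt':   OGNL marker in path only (blocked, failed, or patched host)
    'review':    output header without a visible marker (check other encodings)
    Records with neither signal are omitted.
    """
    findings = {}
    for rec in records:
        ognl = ognl_in_path(rec["path"])
        echoed = echoed_command_output(rec["resp_headers"])
        if ognl and echoed:
            findings[rec["id"]] = "exploited"
        elif ognl:
            findings[rec["id"]] = "attempt"
        elif echoed:
            findings[rec["id"]] = "review"
    return findings


if __name__ == "__main__":
    for rid, verdict in sorted(triage(SAMPLE_RECORDS).items()):
        rec = next(r for r in SAMPLE_RECORDS if r["id"] == rid)
        print(f"record {rid} from {rec['client']}: {verdict}")
```

An "attempt" verdict on a host that is patched still identifies a scanning source worth blocking; an "exploited" verdict means the id output left the server and the host should be treated as compromised and checked for the follow-on scripts described in the next sections.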
Looking at the malware routine
Using Trend Micro Cloud One™ Workload Security modules to track the components and activities of the cryptocurrency malware used, we observed the following events and components:
- Intrusion Prevention System (IPS): Aside from blocking the exploitation of CVE-2022-26134 and other application vulnerabilities, IPS also tracked the incoming event’s traffic and the payload’s data and trigger. In this sample, the attacker injected an OGNL expression to download and run the ro.sh script on the victim’s machine. This script file downloaded another script, ap.sh.
- Web reputation module: Aside from blocking the malicious URL, we also observed the command-and-control (C&C) URL server that the malware was communicating with for the payload download routine.
- Antimalware module: Aside from protecting the targeted system against the exploitation of the vulnerability in real time using behavior monitoring, the antimalware module can also detect and block the download of other components to execute the malware. In this sample, the scripts were downloading the cryptocurrency miner malware hezb.
- Activity monitoring module: This module detects process, file, and network activities on endpoints running Workload Security. From our analysis, the hezb malware initiated a process to communicate with the C&C server.
Tracking the shell scripts
Once the exploit payload is executed on the victim machine, the malware downloads the ro.sh/ap.sh shell scripts. These shell scripts perform multiple actions, which we break down as follows:
1. The script updates the path variable to include the /tmp and /dev/shm paths.
2. If the curl utility is not present in the system, the script downloads and installs its own curl binary file from the C&C server.
3. Like many other cryptocurrency-mining malware, it disables the iptables or changes the firewall policy action to ACCEPT and flushes all the firewall rules.
4. The script downloads a binary file, ko, which takes advantage of the PwnKit vulnerability to escalate privileges to the root user; this binary then downloads the ap.sh shell script for the next actions.
5. The ap.sh script downloads the hezb malware and kills multiple processes that belong to other competing coin miners, disables cloud service provider agents, and proceeds with lateral movement.
a. The ap.sh script checks for the presence of hezb in the running process. If it is not found, the script downloads the binary file according to the system architecture (such as sys.x86_64), renames it to “hezb”, and communicates with its C&C server hosted at 106[.]252[.]252[.]226 using port 4545.
b. Under the /root and /home directories, the script scans for secure shell protocol (SSH) users, keys, and hosts in the .ssh directory and .bash_history file.
While doing lateral movement via SSH, the malware also downloads the ldr.sh script onto the remote hosts. ldr.sh contains the hard-coded wallet address of the miner it needs to communicate with. On closer examination, ldr.sh has the same content as ro.sh and ap.sh, except for the part where the script connects to the miner server at the same time, using different IP addresses and arguments.
We analyzed the script capable of changing the attribute of /etc/ld.so.preload to make it mutable. /etc/ld.so.preload does not commonly exist in a standard Linux installation; its presence, together with other paths to arbitrary executables, can indicate preloaded malicious libraries, which in turn implies the presence of other malware. Making the file mutable lets the script clear its contents by changing the file attributes, which frees the system’s resources because the other malicious processes that depended on it will no longer work.
We also observed that it can scan the status of all mounted file systems via /proc/mount.
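The script behaviours listed in steps 1 to 5 above (PATH prepended with /tmp and /dev/shm, firewall policy set to ACCEPT and rules flushed, competing miners killed, SSH keys and shell history harvested) plus the /etc/ld.so.preload and mounted-file-system checks just described give a compact set of static signatures for triaging a dropped shell script before anyone runs it. The following is an added example written for this write-up, not code from the original post or from Trend Micro; the regular expressions are the author's own heuristics, `SAMPLE_SCRIPT` is a constructed stand-in for the ro.sh/ap.sh stages with placeholder URLs, and the ATT&CK IDs are taken from the technique table at the end of this post.

```python
import re

# Behaviour signatures for the shell-script stages described in the write-up.
# Each entry is (label, ATT&CK technique from the post's table or None, regex).
SIGNATURES = [
    ("PATH prepended with world-writable directories", "T1574.007",
     re.compile(r"PATH=[^\n]*(/tmp|/dev/shm)")),
    ("firewall policy set to ACCEPT or rules flushed", "T1562.004",
     re.compile(r"\biptables\b[^\n]*(-P\s+\w+\s+ACCEPT|-F\b)")),
    ("immutable attribute removed from /etc/ld.so.preload", "T1222.002",
     re.compile(r"\bchattr\b[^\n]*-i[^\n]*/etc/ld\.so\.preload")),
    ("SSH keys, known hosts, or shell history read", "T1021.004",
     re.compile(r"(\.ssh/(id_rsa|known_hosts|authorized_keys|config)|\.bash_history)")),
    ("mounted file systems enumerated", "T1082",
     re.compile(r"/proc/mounts?\b")),
    ("other processes killed by name", None,
     re.compile(r"\b(pkill|killall)\b")),
]

# Constructed stand-in for the downloaded script stages; not a real sample.
SAMPLE_SCRIPT = r"""#!/bin/sh
export PATH=/tmp:/dev/shm:$PATH
command -v curl >/dev/null || echo "would fetch curl from C2_PLACEHOLDER"
iptables -P INPUT ACCEPT
iptables -F
chattr -i /etc/ld.so.preload 2>/dev/null; : > /etc/ld.so.preload
cat /proc/mounts
for u in /root /home/*; do cat "$u/.ssh/known_hosts" "$u/.bash_history" 2>/dev/null; done
pkill -f OTHER_MINER_PLACEHOLDER
"""


def scan_script(text: str):
    """Return (label, technique) pairs for every signature that matches the script text."""
    hits = []
    for label, technique, pattern in SIGNATURES:
        if pattern.search(text):
            hits.append((label, technique or "n/a"))
    return hits


def verdict(text: str, threshold: int = 3) -> str:
    """Coarse triage: 'likely miner dropper' once enough behaviours co-occur,
    otherwise 'review' for a single hit or 'clean' for none."""
    hits = len(scan_script(text))
    if hits >= threshold:
        return "likely miner dropper"
    return "review" if hits else "clean"


if __name__ == "__main__":
    for label, technique in scan_script(SAMPLE_SCRIPT):
        print(f"[{technique}] {label}")
    print("verdict:", verdict(SAMPLE_SCRIPT))
```

Run this over scripts recovered from /tmp or /dev/shm on a suspect host, or over the file an IPS or antimalware module quarantined; individual hits such as pkill are common in legitimate scripts, which is why the verdict only escalates when several behaviours appear together.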
Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible, since it is fairly simple to exploit for other subsequent compromises. Attackers could inject their own code for interpretation and gain access to the targeted Confluence domain, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself. Aside from the hezb malware, we observed Kinsing and the Dark.IoT malware abusing this vulnerability in our honeypot. Reports of cybercriminals exploiting this gap in attempts to deploy malware such as Mirai and web shells such as China Chopper have also emerged, with analyses detailing the abuse of vulnerable servers to spread and expand attacks.
We’ve observed a number of companies that have been hit by the active exploitation of CVE-2022-26134. According to Confluence’s website, over 75,000 customers use the collaboration tool for their business and work operations, which implies that a number of industries could be vulnerable and overwhelmed with attacks if their respective platforms remain unpatched. Organizations that have yet to patch or upgrade their respective subscriptions to a fixed version are advised to apply the recommended mitigation steps from the official documentation released.
Trend Micro solutions
Trend Micro Vision One™ customers are protected from the abuse of this vulnerability and its accompanying malicious payloads via Workload Security with the following rules:
- 1011456: Atlassian Confluence and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
- 1008610: Block Object-Graph Navigation Language (OGNL) Expressions Initiation in Apache Struts HTTP Request
Workload Security’s correlation of telemetry and detections provides initial security context, allowing security teams and analysts to track and monitor the threat’s activities. The next section shows how Trend Micro Vision One provides more details on the paths and events in real time.
Using Trend Micro Vision One, observed attack techniques (OATs) are generated from individual events that provide security value to security teams and analysts. To investigate possible exploitation attempts using this vulnerability, analysts can look for the following OAT IDs, alongside other helper OAT triggers indicative of suspicious activity on the affected host:
- F2588 – Atlassian Vulnerability Exploitation
- F2358 – Recursive File Deletion via RM Command
- F2360 – Process Discovery via PS command
- F4584 – Identified Transfer of Suspicious Files Over Network
- F3737 – Curl Execution
- F4868 – Wget Execution
- F2918 – View File via Cat Command
- F4986 – Malware Detection
- F2140 – Malicious Software
- F2681 – Display Users and Groups List
- F2763 – Malicious URL
The Trend Micro Vision One Workbench app helps analysts see significant correlated events, intelligently grouped by occurrences across the entire fleet of workloads. Analysts can view the fields of interest that are considered important and provide security value, allowing security teams to identify compromised assets and isolate those that could be affected while patching is in progress. Using the Execution Profile feature in Vision One, analysts can go through the extensive list of actions performed by an adversary from the Search app or the Threat Hunting app to look for the different activities observed in a given time frame.
Indicators of Compromise (IOCs)
You can find the full list of IOCs here.
MITRE ATT&CK Techniques
| Technique | ID |
| --- | --- |
| Exploit Public-Facing Application | T1190 |
| Hijack Execution Flow: Path Interception by PATH Environment Variable | T1574.007 |
| File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | T1222.002 |
| Hide Artifacts: Hidden Files and Directories | T1564.001 |
| Impair Defenses: Disable or Modify System Firewall | T1562.004 |
| Indicator Removal on Host: File Deletion | T1070.004 |
| Scheduled Task/Job: Cron | T1053.003 |
| System Information Discovery | T1082 |
| Remote System Discovery | T1018 |
| Remote Services: SSH | T1021.004 |