Critical Atlassian Confluence zero-day bug actively exploited in the wild

Australian software company Atlassian has released a security advisory warning of a critical remote code execution vulnerability in its Confluence software that is being actively exploited in the wild.

Tracked as CVE-2022-26134, the bug is described as an input validation error (an OGNL expression injection) that allows a remote, unauthenticated attacker to send a specially crafted request to a Confluence Server and execute arbitrary code on the system.

According to Atlassian, the vulnerability impacts all supported versions of Confluence Server and Data Center. The company said that it is likely all versions of Confluence Server and Data Center are affected, but it had yet to confirm the earliest affected version.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available,” the advisory said. “There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.”

The vulnerability was discovered by experts at cybersecurity firm Volexity while investigating an incident involving two Internet-facing web servers belonging to one of the company’s customers that were running Atlassian Confluence Server software.

Volexity found JSP webshells written to disk on the compromised hosts and traced the compromise to an exploit that gave the attacker remote code execution. The researchers recreated the exploit and identified a zero-day vulnerability affecting fully up-to-date versions of Confluence Server. Volexity says it does not plan to publish proof-of-concept (PoC) code.

The JSP file recovered from the compromised machine was a well-known copy of the JSP variant of the China Chopper webshell. It appears, however, that this webshell was intended only as a means of secondary access.

After successfully exploiting the Confluence Server systems, the attacker deployed an in-memory copy of the BEHINDER implant, which provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike.

The threat actor then deployed two additional webshells: China Chopper and a custom file-upload shell. The researchers said they believe that multiple threat actors from China are using this zero-day exploit.
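The on-disk artefacts described above (JSP webshells dropped into the Confluence web tree, including a China Chopper variant and a custom upload shell) are the one part of this intrusion a defender can hunt for without the withheld exploit details. The script below is an added example, not Volexity's or Atlassian's tooling: it diffs the `.jsp` files of a live Confluence webapp directory against a baseline built from a clean install of the same version, and ranks anything that deviates by generic command-shell traits. The webroot layout, the baseline approach and the regexes are assumptions; the "webshell" it scans is a constructed stand-in, not the sample from the incident.

```python
"""Hunt for JSP webshells dropped into a Confluence webapp tree.

Added example; assumes you can build a baseline (relative path -> sha256)
from a clean install of the same Confluence version. Any .jsp that is
absent from, or differs from, that baseline is a finding.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Generic traits of JSP command shells. Assumption: these are not
# signatures taken from the incident's sample; they only rank findings.
SUSPICIOUS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "define_class": re.compile(r"\bdefineClass\s*\("),
    "custom_classloader": re.compile(r"extends\s+ClassLoader\b"),
    "reads_request_param": re.compile(r"request\.getParameter\s*\("),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_root):
    """Map relative path -> sha256 for every .jsp under a clean install."""
    root = Path(clean_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*.jsp")}


def hunt_jsp(webroot, baseline):
    """Return findings for .jsp files that do not match the baseline.

    A file whose hash matches the baseline is skipped as known-good.
    Each finding carries the deviation reason and the suspicious traits
    seen in its source, sorted most-suspicious and newest first.
    """
    findings = []
    root = Path(webroot)
    for p in root.rglob("*.jsp"):
        rel = p.relative_to(root).as_posix()
        digest = sha256_file(p)
        if baseline.get(rel) == digest:
            continue
        reason = "modified" if rel in baseline else "not shipped"
        text = p.read_text(encoding="utf-8", errors="replace")
        hits = sorted(n for n, rx in SUSPICIOUS.items() if rx.search(text))
        findings.append({
            "path": rel, "sha256": digest, "mtime": p.stat().st_mtime,
            "reason": reason, "hits": hits,
        })
    findings.sort(key=lambda f: (-len(f["hits"]), -f["mtime"]))
    return findings


# Constructed sample inputs: a benign page and a stand-in command shell
# (not the China Chopper sample from the incident).
LEGIT_JSP = '<%@ page contentType="text/html" %>\n<html><body>Hello</body></html>\n'
SHELL_JSP = ('<%@ page import="java.io.*" %>\n'
             '<% String c = request.getParameter("cmd");\n'
             '   Process p = Runtime.getRuntime().exec(c);\n'
             '%>\n')


def demo():
    """Build a clean tree and a tampered live copy, then hunt the live one."""
    work = Path(tempfile.mkdtemp())
    clean, live = work / "clean", work / "live"
    for root in (clean, live):
        (root / "confluence").mkdir(parents=True)
        (root / "confluence" / "index.jsp").write_text(LEGIT_JSP)
    # Live tree: one shipped page edited in place, one dropped shell.
    (live / "confluence" / "index.jsp").write_text(LEGIT_JSP + "<%-- touched --%>\n")
    (live / "confluence" / "x.jsp").write_text(SHELL_JSP)  # hypothetical name
    return hunt_jsp(live, build_baseline(clean))


if __name__ == "__main__":
    for f in demo():
        print(f["reason"], f["path"], f["hits"])
```

Run it against the real webapp root (and the baseline from a pristine copy of the same build) rather than the demo tree; in-memory implants such as BEHINDER leave nothing for this to find, so pair it with process and network triage of the Confluence JVM.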
