4 August 2022

Threat actors exploit Atlassian Confluence bug to install a never-before-seen backdoor


Analysts from the DeepWatch threat intelligence team have discovered a malicious campaign that “highly likely” exploited a vulnerability in Atlassian Confluence Server software.

The bug suspected to have been exploited is CVE-2022-26134, a remote code execution flaw affecting out-of-date versions of Confluence Server and Data Center, which stems from improper input validation when processing OGNL expressions.

“Organizations that conduct research in healthcare, education, international development, and environmental and agriculture, as well as provide technical services are likely targets of this threat actor,” the report noted.

In the observed campaign, a threat actor that DeepWatch tracks as TAC-040 appears to have exploited CVE-2022-26134 in an Atlassian Confluence server to execute malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.

The attackers then ran various commands to enumerate the local system, network, and Active Directory environment, and archived files and folders from multiple directories using the RAR and 7zip archiver utilities. DeepWatch says the hackers managed to steal around 700MB of archived data before the victim took the compromised server offline.
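The activity described above (enumeration commands and archiver utilities launched with tomcat9.exe as the parent) is the kind of parent/child relationship a detection rule can key on. The following is an added example, not code from DeepWatch or from the report; it assumes Sysmon-style process-creation events exported as dictionaries, and the tool lists and file paths are constructed assumptions rather than indicators from the report.

```python
"""Flag suspicious child processes of the Confluence Tomcat service.
Assumes process-creation events (e.g. Sysmon Event ID 1) as dicts with
ParentImage, Image and CommandLine keys. Sample data is constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Parent image the report associates with the post-exploitation commands.
CONFLUENCE_PARENT = "tomcat9.exe"
# Children a web application service should not normally spawn (assumed lists).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENUM_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe",
              "ipconfig.exe", "systeminfo.exe"}
ARCHIVERS = {"rar.exe", "7z.exe", "7za.exe"}  # RAR / 7zip named in the report

@dataclass
class Finding:
    severity: str
    reason: str
    event: dict

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when tomcat9.exe spawns an unexpected child, else None."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    child = PureWindowsPath(event["Image"]).name.lower()
    if parent != CONFLUENCE_PARENT:
        return None
    if child in ARCHIVERS:
        return Finding("high", "archiver spawned by Confluence service (data staging)", event)
    if child in SHELLS:
        return Finding("high", "shell spawned by Confluence service (possible RCE)", event)
    if child in ENUM_TOOLS:
        return Finding("medium", "enumeration tool spawned by Confluence service", event)
    # Anything else is a hunting lead; tune with an allow-list for your install.
    return Finding("low", "unexpected child of Confluence service", event)

def scan(events) -> list:
    return [f for f in (classify(e) for e in events) if f is not None]

# Constructed sample events (paths and command lines are illustrative only).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Atlassian\Confluence\bin\tomcat9.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Atlassian\Confluence\bin\tomcat9.exe",
     "Image": r"C:\Program Files\WinRAR\rar.exe", "CommandLine": "rar.exe a out.rar D:\\share"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.severity, finding.reason, finding.event["CommandLine"])
```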

The attackers also planted a previously undocumented backdoor, dubbed “Ljl Backdoor,” on the compromised server. The backdoor has multiple capabilities: it can act as a reverse proxy, determine whether the target is active or idle, exfiltrate files, load additional plugins, and collect victim system and geographic information (ASN, ISP, country name, country code, region name, etc.).

The researchers believe that the goal of this campaign was cyber-espionage, but they said they can’t completely rule out the possibility that the attackers were financially motivated.
