4 August 2022

Threat actors exploit Atlassian Confluence bug to install a never-before-seen backdoor

Analysts from the DeepWatch threat intelligence team have discovered a malicious campaign, which has “highly likely” exploited a vulnerability in Atlassian Confluence Server software.

The bug suspected to have been exploited is CVE-2022-26134, a remote code execution flaw affecting out-of-date versions of Confluence Server and Data Center, which stems from improper input validation when processing OGNL expressions.
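Because the flaw is an OGNL expression injection, the first place defenders can look for exploitation attempts is the web server access log: OGNL expressions are delimited by `${...}` (or `#{...}`), and a request whose URI carries those delimiters, possibly URL-encoded once or twice, has no business reaching Confluence. The script below is an added example, not code from the article or from DeepWatch; the log format, addresses and paths are constructed, and the flagged URIs carry a placeholder expression rather than any real payload.

```python
"""
Added example (not from the article or from DeepWatch): flag web requests whose
URI carries OGNL expression syntax, the injection vector behind CVE-2022-26134.
The log format and every log line below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Combined-log-style lines; addresses, paths and timestamps are invented.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [04/Aug/2022:10:01:12 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Aug/2022:10:01:15 +0000] "GET /%24%7Bplaceholder_expression%7D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [04/Aug/2022:10:02:40 +0000] "GET /%2524%257Bplaceholder_expression%257D/ HTTP/1.1" 302 0',
    '192.0.2.44 - - [04/Aug/2022:10:03:01 +0000] "GET /display/DOCS/Pricing?q=%24100 HTTP/1.1" 200 8800',
    'garbage line that does not parse',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# OGNL expressions are delimited by ${...} or #{...}.
OGNL_MARKER = re.compile(r'[$#]\{')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markers (%2524%257B) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return one finding per request whose decoded URI contains an OGNL marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        decoded_uri = fully_decode(m['uri'])
        if OGNL_MARKER.search(decoded_uri):
            findings.append({
                'ip': m['ip'], 'ts': m['ts'], 'status': m['status'],
                'raw_uri': m['uri'], 'decoded_uri': decoded_uri,
            })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['decoded_uri']}")
```

The fourth sample line shows why the check is on the `${` pair rather than on a lone `$`: a query value such as `$100` decodes to a dollar sign without a brace and is left alone, while the double-encoded third line is still caught after two decoding rounds.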

“Organizations that conduct research in healthcare, education, international development, and environmental and agriculture, as well as provide technical services are likely targets of this threat actor,” the report noted.

In the observed campaign a threat actor, which DeepWatch tracks as TAC-040, appears to have exploited CVE-2022-26134 in an Atlassian Confluence server to execute malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.

The attackers then ran various commands to enumerate the local system, network and Active Directory environment, and archived files and folders from multiple directories using the RAR and 7-Zip archiver utilities. DeepWatch says the attackers managed to steal around 700 MB of archived data before the victim took the compromised server offline.
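The process lineage described in the two paragraphs above (tomcat9.exe as the parent of enumeration commands, then RAR and 7-Zip runs to stage data) is something endpoint telemetry can surface directly. The script below is an added example, not code from the article or from DeepWatch: it walks constructed process-creation events whose field names mirror Sysmon Event ID 1, flags any child of tomcat9.exe that is not on an expected-children allowlist, and then follows that lineage by process id so that an archiver launched from the shell is caught as well. The allowlist, the tool-name sets and every path and PID are assumptions made for the example.

```python
"""
Added example (not from the article or from DeepWatch): hunt for the lineage
described above, a Confluence service process (tomcat9.exe) spawning shells,
discovery utilities or archivers, then follow that lineage to its descendants.
Field names mirror Sysmon Event ID 1; every event value below is constructed.
"""
import ntpath
from collections import defaultdict

SERVICE_IMAGE = 'tomcat9.exe'                  # parent process named in the article
SHELLS = {'cmd.exe', 'powershell.exe'}
DISCOVERY = {'whoami.exe', 'ipconfig.exe', 'net.exe', 'nltest.exe', 'systeminfo.exe'}
ARCHIVERS = {'rar.exe', '7z.exe', '7za.exe'}   # RAR and 7-Zip, as in the article
# Assumption: children a Confluence install may spawn legitimately; tune per environment.
EXPECTED_CHILDREN = {'java.exe'}

# Constructed events in time order; paths and PIDs are invented.
SAMPLE_EVENTS = [
    {'Computer': 'CONF-01', 'ProcessId': 1400, 'ParentProcessId': 1320,
     'ParentImage': r'C:\Atlassian\Confluence\bin\tomcat9.exe',
     'Image': r'C:\Atlassian\Confluence\jre\bin\java.exe',
     'CommandLine': 'java.exe -Xmx1024m'},
    {'Computer': 'CONF-01', 'ProcessId': 4120, 'ParentProcessId': 1320,
     'ParentImage': r'C:\Atlassian\Confluence\bin\tomcat9.exe',
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': 'cmd.exe /c whoami'},
    {'Computer': 'CONF-01', 'ProcessId': 4130, 'ParentProcessId': 4120,
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'Image': r'C:\Windows\System32\whoami.exe',
     'CommandLine': 'whoami'},
    {'Computer': 'CONF-01', 'ProcessId': 4150, 'ParentProcessId': 4120,
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'Image': r'C:\Tools\rar.exe',
     'CommandLine': r'rar.exe a C:\Windows\Temp\out.rar C:\Shares\Research'},
    {'Computer': 'WS-02', 'ProcessId': 5000, 'ParentProcessId': 900,
     'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Program Files\7-Zip\7z.exe',
     'CommandLine': r'7z.exe a backup.7z C:\Users\alice\Documents'},
]


def classify_child(image_name):
    """Label a flagged child by what it tells the analyst."""
    if image_name in ARCHIVERS:
        return 'archiver'      # collection/staging ahead of exfiltration
    if image_name in SHELLS:
        return 'shell'
    if image_name in DISCOVERY:
        return 'discovery'
    return 'other'


def hunt(events):
    """Return findings per host: unexpected children of the service and their descendants."""
    suspicious = set()          # (Computer, ProcessId) of every flagged process
    findings = defaultdict(list)
    for e in events:
        parent = ntpath.basename(e['ParentImage']).lower()
        child = ntpath.basename(e['Image']).lower()
        from_service = parent == SERVICE_IMAGE and child not in EXPECTED_CHILDREN
        from_descendant = (e['Computer'], e['ParentProcessId']) in suspicious
        if not (from_service or from_descendant):
            continue
        suspicious.add((e['Computer'], e['ProcessId']))
        findings[e['Computer']].append({
            'image': child,
            'tag': classify_child(child),
            'via': 'service' if from_service else 'descendant',
            'cmdline': e['CommandLine'],
        })
    return dict(findings)


if __name__ == '__main__':
    for host, items in hunt(SAMPLE_EVENTS).items():
        for f in items:
            print(f"{host} [{f['tag']}/{f['via']}] {f['cmdline']}")
```

The last sample event, a user running 7-Zip from Explorer on a workstation, is deliberately left unflagged: the rule keys on lineage from the Confluence service rather than on archiver names alone, which is what keeps it usable on hosts where RAR and 7-Zip are ordinary tools.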

The attackers also planted a previously undocumented backdoor, dubbed “Ljl Backdoor,” on the compromised server. The backdoor has multiple capabilities: it can act as a reverse proxy, determine whether the target is active or idle, exfiltrate files, load additional plugins, and collect victim system and geographic information (ASN, ISP, country name, country code, region name, etc.).

The researchers believe that the goal of this campaign was cyber-espionage, but they said they can’t completely rule out the possibility that the attackers were financially motivated.

