Stealthy Exploits Target Atlassian Confluence: In-Memory Web Shells Deployed

March 8, 2024

New proof-of-concept (PoC) exploits are being used in the wild against CVE-2023-22527, a remote code execution vulnerability in Atlassian Confluence Data Center and Confluence Server that was disclosed earlier this year. The flaw allows a threat actor to execute arbitrary code within Confluence's memory, bypassing the file system. Researchers have identified 30 unique exploits for this vulnerability, including recent ones.

The majority of the attacks employ the Godzilla Web shell, a tool that allows attackers to control the compromised server remotely, manipulate databases, and perform other malicious tasks. An emerging approach uses an in-memory payload. After observing this technique in the wild, researchers developed three PoCs to test the limits of the in-memory approach.

Jacob Baines, CTO of a cybersecurity firm, suggests that Confluence is a popular target due to the valuable business information it holds. He also highlights its attractiveness for ransomware attackers. "By exploiting this target, you're getting an on-prem version with business-specific logic in it," he says. "It's pretty attractive for ransomware attackers specifically."

The researchers' blog post states, "There's more than one way to reach Rome. More stealthy paths generate different indicators. Of particular interest is the in-memory Web shell, which had a pre-existing variant … that appears to have been deployed in the wild." Baines explains that loading arbitrary Java into memory is a common exploit method, but it is easily detected.

The researchers developed two other proofs of concept for CVE-2023-22527 in Confluence. These demonstrate how threat actors could exploit the vulnerability by loading an in-memory Web shell directly, which would allow unauthorized access to Web servers. This stealthy approach is less likely to be detected. "A lot of systems only detect adversaries on the system by analyzing files that are dropped to disk," Baines says.

According to Baines, the risk of compromise is extremely high for organizations that have not yet patched Confluence, given the ongoing mass-exploitation efforts. "We see attackers have used this in-memory Web shell — it's not a theoretical attack," he says. "It's something that's happening, so defenders need to be aware of it, and that it is a high risk at the moment."

Baines warns that the risk from the in-memory approach extends beyond Confluence. It is related to Object-Graph Navigation Language (OGNL) expressions, which are used in many other products. "This affects a variety of different products with similar vulnerabilities — you could use this exact same technique against those other products," he says. "Organizations must evolve a step to start catching this sort of thing, for example network-based detection or scanning Java memory for malicious Web shells."
