Atlassian has confirmed the critical vulnerability in Confluence Server and Data Center, and the company said there is currently no fix, but it is working on a patch. All versions of Atlassian’s corporate Wiki system, Confluence, are affected by a serious bug under active exploitation, possibly by Chinese threat actors.
Until a patch is available, administrators should keep Confluence off the Internet or disable their instances of the corporate Wiki. Volexity reported the issue to Atlassian, and the vulnerability has been assigned the identifier CVE-2022-26134.
Attackers had written a version of the JavaServer Pages (JSP) “China Chopper” web shell to disk, and Volexity determined that a vulnerability had been exploited for remote code execution on the servers. Volexity believes China Chopper was probably left behind to provide secondary access to the compromised servers.
Memory samples taken have shown Bash command-line shells running as the root super user with full system access, being launched by the Confluence web application process.
An in-memory-only implant, BEHINDER, was immediately deployed by the attackers, providing them with powerful capabilities such as running the Meterpreter attack payload from Metasploit, and the Cobalt Strike remote access tool.
All attacker-spawned processes, including child ones created by the exploit, run as the root superuser, which means they have full access to compromised systems.
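The two observations above, shells launched by the Confluence web application process and everything running as root, are both visible in a plain process listing. The following is an added example (not code from Volexity, Atlassian or the original article) that walks a `ps`-style snapshot, flags shell interpreters whose ancestor is the Confluence Tomcat JVM, and reports whether that JVM runs as root. The snapshot lines are constructed sample data, and the way a Confluence JVM is recognised (Tomcat's `org.apache.catalina.startup.Bootstrap` class plus an install path containing "confluence") is an assumption to adapt to your deployment.

```python
"""Process-tree check for shells spawned by a Confluence (Tomcat) JVM.

Added example: flags shell interpreters whose ancestor is the Confluence
Java process and reports whether that process runs as root. Input is a
`ps -eo pid,ppid,user,args` style snapshot; SAMPLE_PS is constructed data.
"""
import os

# Constructed sample snapshot (not from a real incident). Two Confluence
# JVMs are shown: one as root (pid 1432) and one as a service user (3001).
SAMPLE_PS = """\
PID PPID USER COMMAND
1 0 root /sbin/init
1432 1 root /opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence org.apache.catalina.startup.Bootstrap start
2210 1432 root /bin/bash -c id
2215 2210 root /usr/bin/curl http://example.invalid/x
3001 1 confluence /opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence org.apache.catalina.startup.Bootstrap start
3100 3001 confluence /bin/sh -c whoami
4000 1 root /usr/sbin/sshd
4100 4000 root /bin/bash
"""

# Interpreters we treat as "a shell"; extend for your platform.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def parse_ps(text):
    """Parse header + 'pid ppid user command' lines into a pid-keyed dict."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, user, cmd = line.split(None, 3)
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "user": user, "cmd": cmd}
    return procs


def is_confluence_jvm(proc):
    # Assumption: Confluence is recognised by its bundled Tomcat bootstrap
    # class and a "confluence" install path; adjust to your deployment.
    cmd = proc["cmd"]
    return "org.apache.catalina.startup.Bootstrap" in cmd and "confluence" in cmd.lower()


def confluence_ancestor(procs, proc):
    """Walk up the ppid chain; return the first Confluence JVM found, or None."""
    seen = set()
    cur = proc
    while cur["ppid"] in procs and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = procs[cur["ppid"]]
        if is_confluence_jvm(cur):
            return cur
    return None


def find_shells_from_confluence(procs):
    """Return shells (direct or nested) spawned under a Confluence JVM."""
    findings = []
    for proc in procs.values():
        exe = os.path.basename(proc["cmd"].split(None, 1)[0])
        if exe not in SHELLS:
            continue
        jvm = confluence_ancestor(procs, proc)
        if jvm is None:
            continue
        findings.append({
            "pid": proc["pid"],
            "user": proc["user"],
            "confluence_pid": jvm["pid"],
            "as_root": proc["user"] == "root",
            "cmd": proc["cmd"],
        })
    return sorted(findings, key=lambda f: f["pid"])


def confluence_jvms_running_as_root(procs):
    """Pids of Confluence JVMs running as root (Atlassian advises against this)."""
    return sorted(p["pid"] for p in procs.values()
                  if is_confluence_jvm(p) and p["user"] == "root")


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for f in find_shells_from_confluence(procs):
        print(f"shell pid={f['pid']} user={f['user']} under confluence pid={f['confluence_pid']}: {f['cmd']}")
    print("Confluence JVMs running as root:", confluence_jvms_running_as_root(procs))
```

On the sample data this flags the bash under the root JVM (pid 2210, running as root) and the sh under the service-user JVM (pid 3100), while ignoring the bash under sshd. A JVM serving web requests has no normal reason to fork a shell, so even the non-root hit deserves a look; the root hit is the case the article describes, where the web application's privileges become the attacker's.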
Atlassian advised customers not to expose Confluence servers to the Internet, and added that the servers should not run with root privileges either.