September 23, 2023

Researchers have spotted threat actors actively exploiting a security flaw in the Atlassian Confluence server (CVE-2022-26134) to deploy a new backdoor dubbed “Ljl” against several unnamed organizations.

After gaining initial access, the threat actor, dubbed TAC-040, is believed to have run various commands to enumerate the local system, network, and Active Directory environment. The threat actor likely used RAR and 7zip to archive files and folders from multiple directories, including registry hives.


TAC-040 exfiltrated a total of around 700 MB of archived data before the victim took the server offline. Before disconnecting, however, the threat actor is believed to have dropped a never-before-seen backdoor, called “Ljl Backdoor”, onto the compromised server.

The main motive behind the attacks is most likely espionage, but a financial motive cannot be ruled out, since the researchers said they also spotted a loader for an XMRig crypto miner on the system.

Targets of TAC-040 were organizations that conduct research in healthcare, education, international development, and the environment and agriculture, as well as some that provide technical services.

The Atlassian vulnerability suspected to have been exploited by TAC-040 is an Object-Graph Navigation Language (OGNL) injection bug that allows for arbitrary code execution on a Confluence Server or Data Center instance.

The issue was addressed by Atlassian in June, but this is not the first time since then that unpatched systems have been exploited by hackers.
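For defenders reviewing an unpatched or recently patched instance, the following added example (not code from the original article or from the researchers) flags web access-log requests whose request target decodes to an OGNL expression delimiter. It assumes combined-format access logs and that the expression arrives percent-encoded in the request target; the log lines, addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined log format: client IP ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# OGNL expressions are wrapped in ${...} or %{...}
OGNL_RE = re.compile(r'[$%]\{.+?\}')

# Constructed sample lines; the "expression" is an inert placeholder.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2022:10:00:00 +0000] '
    '"GET /%24%7Bconstructed-expression%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jun/2022:10:00:05 +0000] '
    '"GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [01/Jun/2022:10:00:09 +0000] '
    '"GET /%2524%257Bconstructed-expression%257D/ HTTP/1.1" 404 0',
]

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_ognl_requests(lines):
    """Return (ip, method, status, decoded_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        target = decode_fully(m.group("target"))
        if OGNL_RE.search(target):
            hits.append((m.group("ip"), m.group("method"), m.group("status"), target))
    return hits

if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage rather than proof of compromise; correlate it with process, file and outbound-traffic evidence from the same time window.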


Back in July, Microsoft’s Security Intelligence team said it spotted a campaign by TA 8220 targeting i686 and x86_64 Linux systems that used RCE exploits for CVE-2022-26134 and CVE-2019-2725 (Oracle WebLogic) for initial access.

This research was conducted and documented by the firm Deepwatch.
