Researchers have discovered a new backdoor, named Effluence, that is being deployed on Atlassian Confluence Data Center and Server instances after attackers exploit recently disclosed vulnerabilities in the product.
The Effluence malware acts as a persistent backdoor that survives the installation of Confluence patches: patching closes the initial entry point but does not remove the implant. It enables lateral movement and extraction of data from Confluence, and attackers can reach it remotely without authenticating to the target system.
The researchers detailed an attack chain that begins with exploitation of CVE-2023-22515 in Confluence. This critical flaw, first disclosed in early October 2023, allows unauthenticated attackers to create unauthorized Confluence administrator accounts and gain access to the server.
Shortly afterwards, a second vulnerability, CVE-2023-22518, was disclosed in Confluence. It too lets attackers create rogue administrator accounts, and its exploitation can lead to complete data loss and exposure.
In the latest attack analyzed, the attackers gained initial access through CVE-2023-22515 and then implanted a novel web shell that provides persistent remote access to every web page on the server, including the login page, so no authentication is required to reach it. The web shell consists of a loader and a payload. It is passive: requests pass through it unnoticed until one arrives that matches a specific parameter.
Once that trigger arrives, the malicious actions are carried out: creating a new administrator account, executing arbitrary commands on the server, listing, reading and deleting files, collecting extensive information about the Atlassian environment, and clearing logs to cover the traces of activity.
The loader is packaged as a normal Confluence plugin and is responsible for decrypting and launching the payload. While some of the web shell's features depend specifically on the Confluence API, the loader and plugin mechanism appear to build on Atlassian's common APIs and are potentially applicable to Jira, Bitbucket and other Atlassian products where an attacker can install a plugin.
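Two hunting checks that follow from the description above, written here as an added illustration (this is not code from Aon Stroz Friedberg, Atlassian or the Effluence sample). Because the loader ships as an ordinary user-installed plugin, the first check inventories plugins against an allowlist; because the shell answers on the unauthenticated login page but only when a trigger parameter is present, the second flags login page requests that carry parameters the stock page does not use. Assumptions: the plugin inventory has the shape of the Universal Plugin Manager REST response (`/rest/plugins/1.0/`, with `key`, `enabled` and `userInstalled` fields), the access log is in Tomcat combined format, the login page is `/login.action`, and `os_destination`, `permissionViolation` and `logout` are its legitimate parameters. The plugin keys, log lines and the trigger parameter `x` are constructed placeholders, not real Effluence indicators.

```python
"""Hunting helpers for an Effluence-style passive Confluence web shell.

Added example, not code from the researchers or from Atlassian.
Assumed data shapes: UPM-style plugin JSON and Tomcat combined access log.
All sample data below is constructed for illustration.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed UPM-style inventory: one vendor plugin, one approved
# third-party plugin and one unexpected user-installed plugin.
SAMPLE_UPM_JSON = json.dumps({
    "plugins": [
        {"key": "com.atlassian.confluence.plugins.confluence-space-ia",
         "name": "Confluence Space IA", "enabled": True, "userInstalled": False},
        {"key": "com.example.approved-macro",
         "name": "Approved Macro", "enabled": True, "userInstalled": True},
        {"key": "com.example.helper",
         "name": "Helper", "enabled": True, "userInstalled": True},
    ]
})

# Allowlist of user-installed plugin keys the organisation actually deployed.
APPROVED_PLUGIN_KEYS = {"com.example.approved-macro"}


def unexpected_plugins(upm_json: str, approved: set) -> list:
    """Return keys of enabled, user-installed plugins that are not allowlisted.

    Vendor plugins (userInstalled=False) are ignored; a loader that an
    attacker installed through the plugin mechanism appears as user-installed.
    """
    inventory = json.loads(upm_json)
    return sorted(
        p["key"] for p in inventory.get("plugins", [])
        if p.get("enabled") and p.get("userInstalled")
        and p["key"] not in approved
    )


# Request line inside a combined-format log entry: "METHOD /target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameters the stock Confluence login page legitimately carries (assumption).
KNOWN_LOGIN_PARAMS = {"os_destination", "permissionViolation", "logout"}

# Constructed access log: two normal login flows and one hit carrying an
# extra parameter "x" (a placeholder, not the real trigger name).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [06/Nov/2023:10:01:12 +0000] "GET /login.action?os_destination=%2Findex.action HTTP/1.1" 200 5120',
    '10.0.0.5 - - [06/Nov/2023:10:01:40 +0000] "POST /dologin.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [06/Nov/2023:10:02:03 +0000] "GET /login.action?os_destination=%2F&x=1 HTTP/1.1" 200 512',
]


def suspicious_login_requests(log_lines, known_params=KNOWN_LOGIN_PARAMS):
    """Return (line_no, [unexpected parameter names]) for login page hits.

    A passive shell lets ordinary traffic through untouched, so the only
    visible trace in the access log is the unusual trigger parameter on a
    page that should not need one.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/login.action"):
            continue
        params = set(parse_qs(parts.query, keep_blank_values=True))
        extra = sorted(params - known_params)
        if extra:
            hits.append((n, extra))
    return hits


if __name__ == "__main__":
    print("unexpected plugins:", unexpected_plugins(SAMPLE_UPM_JSON, APPROVED_PLUGIN_KEYS))
    print("suspicious login hits:", suspicious_login_requests(SAMPLE_ACCESS_LOG))
```

Both checks are deliberately baseline-driven: neither relies on a signature for the specific implant, because the plugin key and trigger parameter are attacker-chosen and could change between intrusions. Pair the plugin inventory with a review of newly created members of the administrators group, since creating an admin account is the first action the backdoor supports.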
This research was documented by researchers from Aon Stroz Friedberg.