This Atlassian Confluence Server backdoor will add malware in every page and can’t be removed

CVE-2023-22515 and CVE-2023-22518 are critical vulnerabilities found in Atlassian Confluence, a widely used team collaboration software.

CVE-2023-22515

  • Description: This vulnerability was discovered in publicly accessible Confluence Data Center and Server instances. Attackers exploited it to create unauthorized Confluence administrator accounts and access Confluence instances. This vulnerability did not affect Atlassian Cloud sites.
  • Severity: It has a critical base score of 9.8 or 10.0, indicating a high level of risk. The vector notation shows that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). It impacts confidentiality, integrity, and availability to a high degree.

CVE-2023-22518

  • Description: This Improper Authorization vulnerability affects all versions of Confluence Data Center and Server. It allows an unauthenticated attacker to reset Confluence and create an administrator account. With this access, the attacker can perform all administrative actions, potentially leading to a complete compromise of confidentiality, integrity, and availability. Similar to CVE-2023-22515, Atlassian Cloud sites are not affected.
  • Severity: The base score is 9.8, classifying it as critically severe. The vector components are similar to CVE-2023-22515, highlighting the vulnerability’s network-based attack vector, low complexity, no required privileges, no user interaction, and significant impact on confidentiality, integrity, and availability.

These vulnerabilities can be particularly dangerous as they can be exploited to plant backdoors in the affected systems. A backdoor is a method of bypassing normal authentication procedures, often secretly installed by an unauthorized user. Once a backdoor is installed, attackers can remotely access and control the affected systems, leading to data theft, espionage, or further network compromise.

Exploiting CVE-2023-22515 and CVE-2023-22518

Attackers can use these vulnerabilities to gain unauthorized administrative access to Confluence. With such access, they can potentially install malicious software or scripts (like web shells) that act as backdoors. These backdoors can remain operational even after the original vulnerability is patched, as they create a separate, hidden access point that is not addressed by the patch.

Aon’s Stroz Friedberg Incident Response Services encountered a novel type of malware named “Effluence,” designed to exploit a vulnerability in Atlassian Confluence. This malware acts as a persistent backdoor, allowing attackers to maintain access to the system even after patches are applied to Confluence. It enables lateral movement across network resources and data exfiltration without requiring authentication to Confluence, making it particularly insidious and hard to detect.

Stroz Friedberg discovered this malware while assisting a client who had a vulnerable Atlassian Confluence Data Center server. The attacker used the vulnerability to gain unauthorized access and embed a unique web shell into the server, allowing them persistent access to all web pages on the server without needing a valid user account. This is distinct from typical web shells, which are usually accessible only if the user is signed into Confluence or if a single webpage has been compromised.

The “Effluence” web shell hijacks the underlying Apache Tomcat webserver, inserting itself between Confluence and Tomcat. This setup makes the malware available on every webpage, including the unauthenticated login page, without altering the webpages or making noticeable changes. It remains undetected until a request matches specific parameters.

The malware consists of two parts: a loader and a payload. The loader disguises itself as a normal Confluence plugin but carries a modified legitimate Java collections class to conceal its malicious payload. The payload, when triggered, hides the plugin among Confluence “System Apps” to avoid detection. This sophisticated approach ensures that the raw Java class is never written to the file system, further complicating detection efforts.

For detection, Stroz Friedberg recommends reviewing web server access logs, especially access to static Confluence pages where the response size varies. This method, however, does not provide clear Indicators of Compromise (IOCs). They also developed a Yara rule to detect the web shell in preserved memory images of the server, which is a more direct approach to identifying the presence of the malware.
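A simple version of the access-log check described above, as an added example that is not from the original article or from Stroz Friedberg: it parses Tomcat access log lines, takes the most common response size of each static Confluence path as the baseline, and reports requests whose size differs. The log lines are constructed, and the path list and the common log pattern are assumptions; adjust the regex to the AccessLogValve pattern in your own server.xml.

```python
import re
from collections import Counter, defaultdict

# Assumption: Tomcat AccessLogValve "common" pattern  %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: paths whose body should be constant for a given Confluence build.
STATIC_PATHS = ("/login.action", "/s/", "/images/")

# Constructed sample: two normal login-page hits and one with a very different body size.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Nov/2023:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 18231
203.0.113.11 - - [07/Nov/2023:10:00:07 +0000] "GET /login.action HTTP/1.1" 200 18231
198.51.100.5 - - [07/Nov/2023:10:00:15 +0000] "GET /login.action?os_destination=x HTTP/1.1" 200 2411
203.0.113.12 - - [07/Nov/2023:10:01:02 +0000] "GET /images/icons/favicon.png HTTP/1.1" 200 1150
203.0.113.12 - - [07/Nov/2023:10:01:03 +0000] "GET /images/icons/favicon.png HTTP/1.1" 304 -
203.0.113.13 - - [07/Nov/2023:10:02:00 +0000] "GET /images/icons/favicon.png HTTP/1.1" 200 1150
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "host": m.group("host"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),   # "-" means no body (e.g. 304)
    }

def find_size_outliers(log_text):
    """Return (host, path, size) for 200 responses on static paths whose body size
    differs from that path's most common size. A varying size on an otherwise static
    page is the lead Stroz Friedberg describes; it is a triage signal, not a confirmed IOC,
    since compression or localisation can also change response sizes."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["path"].startswith(STATIC_PATHS):
            by_path[rec["path"]].append(rec)
    outliers = []
    for path, recs in by_path.items():
        baseline = Counter(r["size"] for r in recs).most_common(1)[0][0]
        outliers += [(r["host"], path, r["size"]) for r in recs if r["size"] != baseline]
    return outliers
```

Running `find_size_outliers(SAMPLE_LOG)` on the constructed sample flags only the 2411-byte login page; pipe a real access log into it and review the flagged requests against the Confluence build's expected static content.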

Stroz Friedberg also notes that the extent to which this malware affects other Atlassian products is yet to be determined. The plugin and loader mechanism seem to rely on common Atlassian APIs, suggesting that this malware could also apply to other Atlassian products such as Jira and Bitbucket.

The CVE-2023-22515 vulnerability in Atlassian Confluence allows attackers to gain unauthorized access to the administrative areas of the Confluence server. These vulnerabilities are exploited by the “Effluence” backdoor malware. Once this malware is implanted, it acts as a persistent backdoor, meaning it can maintain access to the system even after security patches are applied to Confluence. It can’t be removed by a patch because the malware embeds itself deeply into the system, between Confluence and the underlying Apache Tomcat webserver, making it available on every webpage and hard to detect. Patches typically address the initial vulnerability but do not remove malware that has already exploited that vulnerability and established a deeper presence in the system.

This case exemplifies the continuously evolving nature of cyber threats and underscores the need for organizations to maintain vigilance, employ robust detection methods, and regularly update their cybersecurity strategies to counter such sophisticated attacks.