September 4, 2024

Update on CVE-2023-22527- Trend Micro Reports Stealthy Backdoor Targets Unpatched Confluence Servers


Atlassian Confluence Fileless Backdoor Alert

On August 30, 2024, Trend Micro published a critical technical analysis unveiling attacks on outdated Atlassian Confluence versions affected by CVE-2023-22527. This vulnerability, assigned a CVSS score of 10, allows unauthenticated attackers to exploit a template injection flaw in older versions of Confluence Data Center and Server, enabling remote code execution (RCE) on affected instances.

Trend Micro researchers detailed a new attack vector leveraging this vulnerability to deploy a sophisticated memory-resident fileless backdoor known as the Godzilla webshell. This stealthy approach significantly elevates the threat level, as it enables attackers to maintain persistence while evading traditional detection methods. The discovery underscores the urgent need for organizations to patch their Confluence servers and implement advanced security measures to counter such evolving threats.

Summary of the Vulnerability

CVE-2023-22527 is a critical security flaw in Atlassian Confluence that poses a significant risk to organizations using affected versions of the software. Here's a detailed breakdown of the vulnerability:

  • CVE ID: CVE-2023-22527

  • Description: Template injection vulnerability in Atlassian Confluence Data Center and Server

  • CVSS Score: 10.0 (Critical)

  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The vulnerability stems from improper handling of user-supplied input in certain template files, particularly the /confluence/template/aui/text-inline.vm endpoint. Because that input reaches the template engine unsanitized, an unauthenticated attacker can inject into the template, potentially leading to remote code execution on the affected Confluence instance.

The root cause appears to be related to the $stack.findValue function, which directly processes input from the request's label parameter without adequate sanitization. This oversight enables attackers to break out of the getText function call and inject malicious Object-Graph Navigation Language (OGNL) expressions, opening the door for remote code execution.

Affected Versions

  • Confluence Data Center and Server 8.0.x

  • Confluence Data Center and Server 8.1.x

  • Confluence Data Center and Server 8.2.x

  • Confluence Data Center and Server 8.3.x

  • Confluence Data Center and Server 8.4.x

  • Confluence Data Center and Server 8.5.0 - 8.5.3

Organizations using these versions are strongly advised to update to the patched versions (8.5.4 or later) immediately to mitigate the risk.
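An added triage helper (not code from the original post or from Atlassian) that checks a Confluence version string against the affected-version list above. It encodes only the ranges the post lists (8.0.x through 8.5.3, fixed in 8.5.4); anything outside those ranges is reported as unlisted rather than safe.

```python
# Added example (not from the original post): triage a Confluence
# Data Center/Server version string against the affected-version list
# above. Only the ranges the post lists (8.0.x - 8.5.3) are encoded;
# anything outside them is reported as "not in the listed ranges",
# which is not a safety verdict. Check the vendor advisory for other lines.
from typing import Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (8, 0, 0)   # 8.0.x is the lowest listed line
AFFECTED_MAX: Version = (8, 5, 3)   # 8.5.0 - 8.5.3 is the highest listed range
FIXED_VERSION: Version = (8, 5, 4)  # post: update to 8.5.4 or later

def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]'; a '-suffix' such as '-rc1' is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0]      # pad a missing patch with 0
    return nums[0], nums[1], nums[2]

def is_affected(text: str) -> bool:
    """True when the version lies inside the ranges the post lists."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def assess(text: str) -> str:
    """One-line triage verdict for an inventory report."""
    version = parse_version(text)
    if is_affected(text):
        return f"{text}: affected by CVE-2023-22527, upgrade to 8.5.4 or later"
    if version >= FIXED_VERSION:
        return f"{text}: carries the fix (8.5.4 or later)"
    return f"{text}: not in the listed ranges, verify against the vendor advisory"

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ["8.0.4", "8.5.3", "8.5.4", "8.6.0", "7.19.17"]:
        print(assess(sample))
```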

Key Components

Before delving into the exploitation process, it's crucial to understand the key components involved:

Object-Graph Navigation Language (OGNL) is an expression language utilized for manipulating Java objects. Widely employed in web applications for server-side template creation, OGNL has been associated with notable security vulnerabilities, particularly in frameworks like Apache Struts.

Template Injection vulnerabilities arise when user-supplied input is inadequately sanitized in template engines. This oversight allows attackers to inject and execute malicious code within the template processing context, potentially leading to severe security breaches.

The Godzilla Webshell is an advanced, Chinese-language in-memory backdoor developed by "BeichenDream." Designed to evade detection during red team operations, it employs Advanced Encryption Standard (AES) encryption for network communications, significantly complicating detection through conventional security measures.

Exploitation Process

Trend Micro's comprehensive analysis reveals a sophisticated, multi-stage attack process exploiting CVE-2023-22527. A short summary of the exploitation process follows.

Fig: Attack Chain

Initial Access Vector: The attacker initiates the exploit by targeting CVE-2023-22527, leveraging velocity.struts2.context to execute OGNL objects. This is achieved through a carefully crafted malicious request that exploits the template injection vulnerability in the Confluence server.

Fig: Malicious request

Payload Delivery Mechanism: The attack progresses with the evaluation of JavaScript code via ScriptEngineManager. This code is responsible for loading a Base64-encoded payload, which resolves to an anonymous Java class named MemGodValueShell.

Fig: The MemGodValueShell function

Loader Deployment and Execution: The MemGodValueShell class serves as a sophisticated loader. It employs Java reflection techniques to navigate the server's internal architecture, retrieve the StandardContext object, and prepare the environment for the subsequent deployment of the Godzilla webshell.

Godzilla Webshell Injection: In this critical phase, the loader decodes and loads the Godzilla webshell (GodzillaValue class) directly into memory. This class, extending ValveBase, functions as a custom Tomcat valve, allowing it to intercept and process HTTP requests covertly.

Fig: Godzilla class

Persistence and Evasion Tactics: The Godzilla webshell maintains its presence exclusively in memory, leaving no artifacts on disk. This memory-resident approach, combined with AES encryption for all communications, significantly enhances its ability to evade detection through conventional network traffic analysis.

Command and Control: Once established, the webshell enters a waiting state, anticipating encrypted commands from the attacker. Upon receipt, these commands are decrypted and executed within the compromised environment, and the results are re-encrypted before transmission back to the attacker.

This meticulously engineered attack chain exemplifies the evolving sophistication of threat actors. By combining the exploitation of known vulnerabilities with advanced evasion techniques, attackers can compromise and maintain persistent access to Atlassian Confluence servers while minimizing the risk of detection. Please refer to the detailed technical analysis from the original post.

Mitigation Strategies

To safeguard Confluence servers against this sophisticated attack, organizations should adopt a multi-layered defense approach:

  • Patch immediately to Confluence version 8.5.4 or later.

  • Block the IOCs listed below.

  • Implement network segmentation and deploy a Web Application Firewall (WAF) to filter malicious traffic.

  • Conduct regular security audits and vulnerability assessments.

  • Invest in advanced Endpoint Detection and Response (EDR) solutions capable of identifying fileless malware.

  • Employ intrusion detection systems and analyze network traffic for suspicious patterns.

  • Adhere to the principle of least privilege by restricting user permissions and removing unnecessary integrations.

  • Maintain up-to-date, offline backups for rapid recovery in case of compromise.

This comprehensive strategy combines proactive measures with robust detection and response capabilities.

Hunting Query

Hunting query to surface commands executed by the Atlassian Java process:

(eventSubId:2 AND processCmd:atlassian AND parentCmd:atlassian AND parentCmd:java AND (objectName:*\\Windows\\System32\\* OR objectName:*bin/*))
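The query above re-expressed as a Python filter so its clauses can be exercised offline against constructed process-creation events. This is an added example, not code from the original post or from Trend Micro; field names follow the query, while the matching semantics (case-insensitive substring for processCmd and parentCmd, glob for objectName) and the meaning of each field are assumptions about the search backend.

```python
# Added example (not from the original post): the hunting query above as a
# Python filter, so its logic can be exercised offline on constructed events.
# Matching semantics (case-insensitive substring for processCmd/parentCmd,
# glob for objectName) are an assumption about the search backend.
import fnmatch
from typing import Dict, List

Event = Dict[str, object]

def matches_hunting_query(ev: Event) -> bool:
    """True when the event satisfies every clause of the query."""
    if ev.get("eventSubId") != 2:                             # eventSubId:2
        return False
    proc = str(ev.get("processCmd", "")).lower()
    parent = str(ev.get("parentCmd", "")).lower()
    obj = str(ev.get("objectName", ""))
    if "atlassian" not in proc:                               # processCmd:atlassian
        return False
    if "atlassian" not in parent or "java" not in parent:     # parentCmd:atlassian AND parentCmd:java
        return False
    # objectName:*\\Windows\\System32\\* OR objectName:*bin/*
    win_hit = fnmatch.fnmatchcase(obj.lower(), "*\\windows\\system32\\*")
    nix_hit = fnmatch.fnmatchcase(obj, "*bin/*")
    return win_hit or nix_hit

def hunt(events: List[Event]) -> List[str]:
    """objectName of every event the query would surface, in input order."""
    return [str(e["objectName"]) for e in events if matches_hunting_query(e)]

# Constructed sample telemetry (not real data). Assumed field meaning:
# processCmd = acting process, parentCmd = its parent, objectName = executable
# launched. A Linux JDK typically forks through lib/jspawnhelper, which would
# put the JVM in parentCmd and the helper in processCmd (assumption).
JVM = "/opt/atlassian/confluence/jre/bin/java org.apache.catalina.startup.Bootstrap start"
HELPER = "/opt/atlassian/confluence/jre/lib/jspawnhelper"
WIN_JVM = "C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe -Xmx2g"
SAMPLE_EVENTS: List[Event] = [
    {"eventSubId": 2, "parentCmd": JVM, "processCmd": HELPER,
     "objectName": "/bin/sh"},                                # hit: shell from Confluence
    {"eventSubId": 2, "parentCmd": WIN_JVM, "processCmd": WIN_JVM,
     "objectName": "C:\\Windows\\System32\\cmd.exe"},          # hit: Windows branch (constructed)
    {"eventSubId": 2, "parentCmd": JVM, "processCmd": HELPER,
     "objectName": "/opt/atlassian/confluence/jre/lib/jspawnhelper"},  # miss: no shell path
    {"eventSubId": 1, "parentCmd": JVM, "processCmd": HELPER,
     "objectName": "/bin/sh"},                                # miss: not a process-creation event
    {"eventSubId": 2, "parentCmd": "/usr/lib/systemd/systemd",
     "processCmd": "/usr/bin/bash", "objectName": "/bin/ls"}, # miss: not Confluence
]
```

Running hunt(SAMPLE_EVENTS) returns only the two constructed hits; everything else is filtered by a single failing clause, which is a quick way to see which clause each false negative would trip over when tuning the query.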

Indicators of Compromise (IOC)

| Hash | Detection |
| --- | --- |
| dfeccdc0c1d28f1afd64a7bb328754d07eead10c | TROJ_FRS.VSNTH724 |
| 2cb94ce0b147303b7beb91f034d0dc7fa734dbcb | Backdoor.JS.WEBSHELL.VSNW08H24 |

MITRE ATT&CK Techniques

| Tactic | Technique | Technique ID |
| --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 |
| Defense Evasion | Reflective Code Loading | T1620 |
| Defense Evasion | Obfuscated Files or Information: Embedded Payloads | T1027.009 |
| Defense Evasion | Process Injection: Thread Execution Hijacking | T1055.003 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 |
| Persistence | Server Software Component: Web Shell | T1505.003 |
| Exfiltration | Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | T1048.001 |

MITRE D3FEND

| Tactic | Technique | Technique ID | Defense Recommendations |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | Keep public-facing applications updated and patched; implement a Web Application Firewall (WAF); use network segmentation to isolate public-facing services |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Implement application control policies; monitor for unusual command-line activity; use endpoint detection and response (EDR) solutions |
| Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Use advanced antivirus solutions with behavioral analysis; implement file integrity monitoring; employ network traffic analysis to detect suspicious encrypted communications |
| Defense Evasion | Reflective Code Loading | T1620 | Use memory analysis tools; implement behavior-based detection methods; monitor for unusual process memory allocations |
| Defense Evasion | Obfuscated Files or Information: Embedded Payloads | T1027.009 | Employ content disarm and reconstruction (CDR) technologies; use sandboxing for file analysis; implement deep file inspection techniques |
| Defense Evasion | Process Injection: Thread Execution Hijacking | T1055.003 | Use EDR solutions with process monitoring capabilities; implement behavior-based anomaly detection; monitor for unusual thread creation or modification |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Implement robust logging and monitoring of file operations; use static and dynamic analysis tools; employ machine learning-based detection for unusual file transformations |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | Implement SSL/TLS inspection; use network traffic analysis tools; monitor for unusual encryption patterns or volumes |
| Persistence | Server Software Component: Web Shell | T1505.003 | Regularly scan for unauthorized web shells; implement file integrity monitoring; use application whitelisting on servers |
| Exfiltration | Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | T1048.001 | Monitor for unusual outbound network connections; implement data loss prevention (DLP) solutions; use network segmentation to control data flow |

We hope this post helps you understand how attackers are abusing the CVE-2023-22527 vulnerability to compromise unpatched Confluence servers. Thanks for reading this post. Visit our website thesecmaster.com and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
