Trend Micro is aware of a new critical vulnerability advisory that was issued on June 2, 2022, regarding a new unauthenticated remote code execution (RCE) vulnerability on the widely used Atlassian Confluence Server and Data Center that is being exploited in the wild. This vulnerability has been designated as CVE-2022-26134.
Atlassian has now released official fixed versions, and Trend Micro is currently researching methods of protection and/or post-exploitation investigation tools that could potentially help.
Protection Against ExploitationFirst and foremost, it is always highly recommended that users apply the vendor's patches when they become available. Please see the official advisory for more information and the official fixes that are now available.
Atlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.
According to Atlassian's advisory, at the moment administrators are recommended to consider one of the following options if they cannot yet apply the official fixed version:
- Restricting access to Confluence Servers and Data Center instances from the internet;
- Completely disabling the instances if they can not be restricted; or
- Temporarily direct replacement of key .jar files have been added to the official Confluence advisory as a mitigation step
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)
According to a Volexity blog (the researchers who originally discovered the vulnerability and reported it) there was evidence of a custom File Upload Webshell that was dropped in the case that they observed and then replaced by a Chopper Webshell. The Webshells in question are detected as:
- The Chopper Webshell (80b327ec19c7d14cc10511060ed3a4abffc821af) is detected by Trend Micro anti-malware (VSAPI) as TROJ_FRS.0NA103CQ21 and Backdoor.JS.CHOPPER.G
- The file upload Webshell (4c02c3a150de6b70d6fca584c29888202cc1deef) is detected as Backdoor.HTML.WEBSHELL.EQXA.
In addition, there is a list of IP addresses provided as IOCs here that are suspected to be involved with interaction with the webshell. Trend Micro's Web Reputation Services (WRS) team is currently analyzing each of these IPs and will add them to our blocking if necessary. Due to the nature of some of these IPs (they could be legitimately shared VPN or other public IPs) - some may not be blocked initially. The link to the unfiltered list from Volexity is being provided for administrators who wish to manually block IPs on their own in the meantime and Trend Micro cannot yet confirm all of the IPs on this list are indeed malicious.
Trend Micro Cloud One - Network Security & TippingPoint ThreatDV Malware Protection Filters
- Filter 32892: OGNL Entity Usage in an HTTP URI
Trend Micro Cloud One - Workload Security & Deep Security IPS Rules
- Rule 1011456: Atlassian Confluence And Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
Trend Micro Cloud One - Workload Security & Deep Security Log Inspection
- LI Rule 1011455: Atlassian Confluence And Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
Trend Micro Deep Discovery Inspector (DDI) Network Content Inspection Rules
- Rule 4694: HTTP_OGNL_RCE_EXPLOIT_REQUEST
Using Trend Micro Products for InvestigationThe following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Micro Vision One™
Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.
Utilizing Observed Attack Techniques (OAT)
Trend Micro Vision One customers that use Trend Micro endpoint and server protection products may also go into the Observed Attack Techniques section of the Trend Micro Vision One console to look for suspicious activity that may indicate the detection of malicious behavior associated with this threat.
In the case of the Atlassian-Confluence vulnerability (CVE-2022-26134), which is a Java based web application, it will detect if an adversary exploit is attempting to utilize this vulnerability and try to execute by using a Linux Shell, as explained in this article.