    ‘Effluence’ Backdoor Persists Despite Patching Atlassian Confluence Servers

By justmattg, November 12, 2023


Nov 10, 2023 | Newsroom | Cyber Attack / Threat Intelligence

    Cybersecurity researchers have discovered a stealthy backdoor named Effluence that’s deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

    “The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence,” Aon’s Stroz Friedberg Incident Response Services said in an analysis published earlier this week.

    “The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence.”


The attack chain documented by Aon entailed the exploitation of CVE-2023-22515 (CVSS score: 10.0), a critical bug in Confluence Data Center and Server that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.

Atlassian has since disclosed a second flaw, tracked as CVE-2023-22518 (CVSS score: 10.0), that an attacker can also take advantage of to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability.

    What makes the latest attack stand out is that the adversary gained initial access via CVE-2023-22515 and embedded a novel web shell that grants persistent remote access to every web page on the server, including the unauthenticated login page, without the need for a valid user account.

The web shell, made up of a loader and a payload, is passive: requests pass through it unnoticed until one carrying a specific parameter arrives, at which point it triggers its malicious behavior by executing a series of actions.

Those actions include creating a new admin account, purging logs to cover up the forensic trail, running arbitrary commands on the underlying server, enumerating, reading, and deleting files, and compiling extensive information about the Atlassian environment.
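Because the backdoor answers on unauthenticated pages and hides behind a request parameter, one practical hunt is to look for parameter names that never appear in normal traffic to those pages. The script below is an added example, not code from the article or from Aon; the baseline parameter set, the sample log lines and the placeholder name `x_hypothetical_trigger` are constructed for illustration and are not indicators from the report.

```python
"""Hunt for out-of-baseline query parameters on Confluence's unauthenticated
login pages in access logs. Added example; the baseline set and the sample
log lines are constructed for illustration, not indicators from the article."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined-log-format line as written by a reverse proxy in front of Confluence.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Pages reachable without a session. A passive filter plugin sees these too,
# so a trigger parameter can be delivered without ever logging in.
UNAUTH_PATHS = {"/login.action", "/dologin.action"}

# Hypothetical baseline of parameter names normally seen on those pages.
# Derive the real set from a known-good window of your own traffic.
BASELINE_PARAMS = {"os_username", "os_password", "os_destination",
                   "os_cookie", "login", "permissionViolation"}

# Constructed sample log; 203.0.113.9 carries a placeholder parameter name
# (x_hypothetical_trigger) that stands in for an unknown trigger, not a real IOC.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2023:12:00:01 +0000] "GET /login.action?os_destination=%2Fdashboard.action HTTP/1.1" 200 4523
198.51.100.7 - - [10/Nov/2023:12:00:09 +0000] "POST /dologin.action HTTP/1.1" 302 0
203.0.113.9 - - [10/Nov/2023:12:03:44 +0000] "GET /login.action?os_destination=%2F&x_hypothetical_trigger=1 HTTP/1.1" 200 612
203.0.113.9 - - [10/Nov/2023:12:03:45 +0000] "GET /pages/viewpage.action?pageId=65537 HTTP/1.1" 200 9901
this line is not an access-log record
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text, baseline=BASELINE_PARAMS, paths=UNAUTH_PATHS):
    """Return one finding per request to an unauthenticated path that carries
    a parameter name outside the baseline, plus a per-source tally."""
    findings = []
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path not in paths:
            continue
        names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        unknown = sorted(names - baseline)
        if unknown:
            per_ip[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": url.path, "status": int(rec["status"]),
                             "unknown_params": unknown})
    return findings, dict(per_ip)


if __name__ == "__main__":
    hits, tally = hunt(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['path']} unknown={h['unknown_params']} status={h['status']}")
    print("requests per source:", tally)
```

Run it over logs captured outside the Confluence host (reverse proxy, load balancer or SIEM copies), since one of the backdoor's documented actions is purging logs on the server itself; local access logs may already be incomplete by the time you look.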


    The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload.

    “Several of the web shell functions depend on Confluence-specific APIs,” security researcher Zachary Reichert said.

    “However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin.”
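A loader that ships as an ordinary plugin and still sees every request has to declare that interception somewhere, and in the Atlassian plugin framework the usual place is a `servlet-filter` module with a catch-all `url-pattern` in `atlassian-plugin.xml`. The script below is an added example, not code from the article or from Aon: it unpacks plugin jars, flags descriptors that register a filter on `/*` for plugin keys outside a defender-maintained allowlist, and reports large near-random resources of the kind an encrypted payload would leave behind. The allowlist, the two sample jars, the plugin keys `com.example.approved-sso-filter` and `org.hypothetical.loader`, and the entropy threshold are all constructed assumptions.

```python
"""Scan Atlassian plugin jars for a descriptor that registers a servlet filter
on every request, the shape a passive loader plugin would need to see all
traffic. Added example; the allowlist and sample jars are constructed."""
import io
import math
import random
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Defender-maintained allowlist of plugin keys (constructed for this example).
KNOWN_PLUGIN_KEYS = {"com.example.approved-sso-filter"}

# Entries with these suffixes are normal plugin content; anything else that is
# large and near-random is reported as an opaque resource worth a look, since
# the article describes the loader decrypting an embedded payload.
NORMAL_SUFFIXES = (".class", ".xml", ".properties", ".vm", ".js", ".css", ".png", ".MF")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8
MIN_BLOB_SIZE = 1024


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_descriptor(xml_bytes):
    """Return (plugin key, list of servlet-filter modules) from atlassian-plugin.xml."""
    root = ET.fromstring(xml_bytes)
    filters = []
    for f in root.iter("servlet-filter"):
        patterns = [p.text.strip() for p in f.findall("url-pattern") if p.text]
        filters.append({"key": f.get("key"), "class": f.get("class"),
                        "location": f.get("location"), "patterns": patterns})
    return root.get("key", ""), filters


def scan_jar(jar_bytes, allowlist=KNOWN_PLUGIN_KEYS):
    """Classify one plugin jar as benign, review, suspicious or not-a-plugin."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        if "atlassian-plugin.xml" not in names:
            return {"plugin_key": None, "verdict": "not-a-plugin",
                    "catch_all_filters": [], "opaque_resources": []}
        key, filters = parse_descriptor(z.read("atlassian-plugin.xml"))
        opaque = []
        for n in names:
            if n.endswith("/") or n.endswith(NORMAL_SUFFIXES):
                continue
            blob = z.read(n)
            if len(blob) >= MIN_BLOB_SIZE and shannon_entropy(blob) > ENTROPY_THRESHOLD:
                opaque.append(n)
    # A filter bound to "/*" sees every request, including unauthenticated pages.
    catch_all = [f["key"] for f in filters if "/*" in f["patterns"]]
    if catch_all and key not in allowlist:
        verdict = "suspicious"
    elif catch_all or opaque:
        verdict = "review"
    else:
        verdict = "benign"
    return {"plugin_key": key, "verdict": verdict,
            "catch_all_filters": catch_all, "opaque_resources": opaque}


def build_sample_jar(descriptor_xml, extra=()):
    """Assemble an in-memory jar (constructed test input, not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("atlassian-plugin.xml", descriptor_xml)
        for name, data in extra:
            z.writestr(name, data)
    return buf.getvalue()


BENIGN_XML = """<atlassian-plugin key="com.example.approved-sso-filter" name="Approved SSO" plugins-version="2">
  <servlet-filter key="sso" class="com.example.SsoFilter" location="before-login" weight="100">
    <url-pattern>/plugins/servlet/sso/*</url-pattern>
  </servlet-filter>
</atlassian-plugin>"""

SUSPECT_XML = """<atlassian-plugin key="org.hypothetical.loader" name="Loader" plugins-version="2">
  <servlet-filter key="intercept" class="org.hypothetical.LoaderFilter" location="before-decoration" weight="1">
    <url-pattern>/*</url-pattern>
  </servlet-filter>
</atlassian-plugin>"""

# Deterministic pseudo-random bytes stand in for an encrypted payload blob.
_rng = random.Random(1)
OPAQUE_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
STUB_CLASS = b"\xca\xfe\xba\xbe" + b"\0" * 64   # class-file magic plus padding

SAMPLES = {
    "benign": build_sample_jar(BENIGN_XML, [("com/example/SsoFilter.class", STUB_CLASS)]),
    "suspect": build_sample_jar(SUSPECT_XML, [("org/hypothetical/LoaderFilter.class", STUB_CLASS),
                                              ("res/stage2.dat", OPAQUE_BLOB)]),
}


def scan_samples():
    """Scan both constructed jars and return their verdicts by name."""
    return {name: scan_jar(jar) for name, jar in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result)
```

Point `scan_jar` at every jar Confluence has actually loaded (the plugin cache under the Confluence home directory and any jars exported from the database-backed plugin store), not only at what the admin UI lists, and treat a `review` verdict on an allowlisted key as a prompt to confirm that the jar's hash still matches the version you deployed. The check addresses the loader's own footprint, which is why it is worth running even after CVE-2023-22515 and CVE-2023-22518 have been patched.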
