Muhstik Takes Aim at Confluence CVE 2021-26084
Key Takeaways
- In line with USCYBERCOM’s warning, publicly available Confluence exploit scripts are being integrated into opportunistic attackers’ toolkits.
- Muhstik, a known threat actor targeting cloud and IoT, is one of these opportunistic attackers targeting vulnerable Confluence servers to spread their botnet.
- Lacework Labs observed bash droppers with zero detections on VirusTotal being used in conjunction with CVE 2021-26084.
Background
Early on Sept. 3, 2021, the USCYBERCOM Twitter account alerted followers to urgently patch Atlassian Confluence CVE-2021-26084 before the labor-day holiday weekend, citing mass exploitation. Since that warning, the Lacework Labs Team has observed a number of exploit attempts using the publicly available exploit code. This blog details the malware, architecture, and infrastructure used in these attacks.
Execution Flow Analysis
Publicly available exploit scripts reportedly emerged less than a week following the announcement of CVE-2021-26084 on Aug. 25, 2021. These scripts enable the attacker to gain shell access on the remote server. Simple modifications to this script enabled opportunistic attackers to take a “spray and pray” approach, attempting to spread their malware to several hosts as quickly as possible. Initial execution was achieved via a specially crafted HTTP post request to a vulnerable instance of Confluence.
On Sept. 4, the following exploit traffic was observed in Lacework honeypots originating from IPs 213.16.63.201 (ASN 8866 Viacom) & 62.38.35.226 (ASN 3329 Vodafone-panafon Hellenic Telecommunications Company SA). Lacework Labs first observed IP 213.16.63.201 on July 16, in Redis scanning activity against port 6379. IP 62.38.35.226, and also previously observed in mid-August performing curl requests on port 80.