- In line with USCYBERCOM’s warning, publicly available Confluence exploit scripts are being integrated into opportunistic attackers’ toolkits.
- Muhstik, a known threat actor targeting cloud and IoT, is one of these opportunistic attackers targeting vulnerable Confluence servers to spread their botnet.
- Lacework Labs observed bash droppers with zero detections on VirusTotal being used in conjunction with CVE 2021-26084.
Early on Sept. 3, 2021, the USCYBERCOM Twitter account alerted followers to urgently patch Atlassian Confluence CVE-2021-26084 before the labor-day holiday weekend, citing mass exploitation. Since that warning, the Lacework Labs Team has observed a number of exploit attempts using the publicly available exploit code. This blog details the malware, architecture, and infrastructure used in these attacks.
Execution Flow Analysis
Publicly available exploit scripts reportedly emerged less than a week following the announcement of CVE-2021-26084 on Aug. 25, 2021. These scripts enable the attacker to gain shell access on the remote server. Simple modifications to this script enabled opportunistic attackers to take a “spray and pray” approach, attempting to spread their malware to several hosts as quickly as possible. Initial execution was achieved via a specially crafted HTTP post request to a vulnerable instance of Confluence.
On Sept. 4, the following exploit traffic was observed in Lacework honeypots originating from IPs 22.214.171.124 (ASN 8866 Viacom) & 126.96.36.199 (ASN 3329 Vodafone-panafon Hellenic Telecommunications Company SA). Lacework Labs first observed IP 188.8.131.52 on July 16, in Redis scanning activity against port 6379. IP 184.108.40.206, and also previously observed in mid-August performing curl requests on port 80.
Figure 1. Honeypot traffic
After the initial execution of the CVE-2021-26084 payload, a wget or curl command was executed to download conf2 from 220.127.116.11. This file contained additional download commands for dk86, dk32, and ldm payloads, in addition to changing default iptables policies to be ACCEPT and flushing any existing rules. This behavior can be observed in Figure – 1 below.
Figure 2. conf Dropper
The dk86 and dk32 ELF binaries were packed with a custom UPX utility and have hardcoded string references to Anime. This aligns to a threat actor group Lacework Labs has previously reported on, Muhstik. Muhstik leveraged well known vulnerabilities in web applications to expand their IoT botnet. Given previous behavior by this actor, it appears the latest Confluence vulnerability is another target on their list.
Figure 3 – Anime String References in Muhstik
The ldm script hosted on a separate server than conf2 and dk86/dk32 was a more advanced dropper script that performed the following tasks:
- Established persistence via crontab (T1053.003)
- Established persistence via dropped ssh key (T1098.004)
- Attempt lateral movement via existing ssh keys, users and host entries in ~/.ssh/known_hosts (T1021.004)
- Downloaded additional dropper scripts for pty payloads. (T1059.004)
- Download additional payloads from .onion sites
Figure 4 – Download Script: x3.sh
Figure 5 – Multi Architecture
The entire execution workflow can be seen in Figure 6 below.
Figure 6 – Confluence RCE Overview
The pty binaries identified within this campaign are IRC bots that appear to be modified versions of Tsunami/Katien. All of the identified binaries include modification of the UPX header to prevent easy unpacking via the upx utility. These binaries can be patched by replacing the custom header bytes (0a 00 00 00) with the bytes for the valid UPX! header (55 50 58 21). A script for patching these files is available in the Lacework Labs Github repository. After patching the upx utility can be used to unpack these binaries.
The pty IRC bots are compiled for numerous architectures including ARM, MIPS, x86, and x64. All of the pty IRC bots are statically compiled, while a subset are compiled with OpenSSL drastically increasing the file size. The main functionality of the IRC bots includes DoS commands for various protocols, as well as ssh brute forcing and raw sh command execution. This functionality can be seen in the bot’s help menu listed below.
Figure 7 – Bot’s help menu
In conjunction with the HTTP flooding and brute force attacks, multiple hard coded usernames, passwords, and user-agent strings are embedded within the binaries. The image below shows embedded User-Agent strings identified within the x86 pty IRC bot variant.
Figure 8 – Embedded User-Agents
Each pty sample contains a single byte XOR (key 0x22) encrypted configuration section, which contains the domains/IPs the IRC bots connect to. All variants contained the same decoded configuration:
"irc.de-za" "listening tun0 "18.104.22.168 "22.214.171.124 "126.96.36.199 "188.8.131.52 "184.108.40.206 "220.127.116.11 "18.104.22.168 "22.214.171.124 "126.96.36.199 "i.l33t-ppl.info "i.de-zahlung.eu "i.deutschland-zahlung.net "i.shadow-mods.net "i.deutschland-zahlung.eu "/proc/ "/exe "/status "/fd "\x58\x4D\x4E\x4E\x43\x50\x46\x22 "zollard "muhstik-11052018 "eth1 "lan0 "eth0 "inet0 "lano
Most of the IPs in the observed configuration have links to previously observed Muhstik domains, while others do not. The following tables show these hosts along with historic passive DNS resolutions.
|IP||ASN||country||Domains from passive DNS|
|188.8.131.52||63949:”Linode, LLC”||United States||li250-191.members.linode.com
|184.108.40.206||43513:”Sia Nano IT”||Latvia||x.fd6fq54s6df541q23sdxfg.eu
|220.127.116.11||56851:”PE Skurykhin Mukola Volodumurovuch”||Ukraine||vaua0055033.online-vm.com|
|18.104.22.168||47583:”Hostinger International Limited”||Germany||amaismarket.com.br
|22.214.171.124||52175:”Magellan Telecom Kuzbass Ltd.”||Russia||emsib.ru
Also, according to passive DNS, the domains in the configuration with the ‘i’ subdomains have never been resolved to any hosts. However, some of these have additional subdomains worth noting.
While origins of the vulnerability have not been officially confirmed, Confluence did release a security advisory detailing the specifics. The advisory notes Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 are affected by this vulnerability. Confluence Cloud versions of the products are not vulnerable. The vulnerability ultimately allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance, providing a prime opportunity for opportunistic and targeted attackers as an entry point into target networks. Some additional background also may be found in an outside vulnerability research blog describing the original bug reporting effort.
Some recommended actions:
- Follow the official Confluence advisory for the most current technical recommendations, including patching and configuration updates.
- If your organization was vulnerable over the weekend, perform an incident response effort to evaluate any potential compromise with the help of this blog and IOCs below.
|126.96.36.199||Conf2 dropper Hosting Site|
|188.8.131.52||Ldm Malware staging|
|184.108.40.206||Hosting pty payloads|