About Us Leadership Investors Careers Events
Contact
English
Français
Deutsch
Platform
Environments
Technology
Back
Polygraph® Data Platform
Data-driven protection from code to cloud, all in one place
CNAPP Cloud-Native Application Protection Platform Secure across the entire application lifecycle IaC Infrastructure as Code Security Fix misconfigurations at the earliest possible point K8s Kubernetes Security Find risks and threats in your K8s clusters Container Security Visibility into complex host and container activity
CSPM Cloud Security Posture Management Assess risks and optimize your cloud security posture CWPP Cloud Workload Protection Platform Monitor workloads continuously for threats Vulnerability Management Find and fix vulnerabilities in build time and runtime Cloud Compliance Streamline audits to meet industry standards
Back
Amazon Web Services (AWS) Simplify security for Amazon Web Services Google Cloud Automate security for Google Cloud
Microsoft Azure Continuously secure Microsoft Azure apps Multicloud Protection across multicloud and hybrid
Back
Data Ingestion See more with combined agentless and agent-based approach Integrations Supercharge productivity by integrating with your existing workflows
Polygraph®: Behavioral Analytics Engine Automatically find and know your normal with our patented machine-learning technology
Watch Demo
Solutions
User Role
Back
Healthcare and HealthTech Protect healthcare data and demonstrate HIPAA compliance Gaming Secure player data while speeding game development
Financial Services and FinTech Prevent cybercrime with safe financial transactions Cloud Security for Startups Automate processes to accelerate small business growth
Back
Security Pinpoint cloud issues, with rich context to act fast
Developer Build faster with continuous security and deep visibility
Watch Demo
Customers

Our Customers

Lacework is trusted by the most innovative companies across the globe.

Explore Success Stories
Customer Success
Customer Support
Pocket Gems protects customer data and improves vulnerability detection

Pocket Gems protects customer data and improves vulnerability detection

Read the Case Study
Watch Demo
Partners

Lacework Partner Program

We are helping our partners build successful and profitable cloud security practices to help meet the adoption of cloud.

Learn More
Channel Partners
Strategic Alliances
Get insights into the current ransomware landscape and best practices to reduce your risk.

Get insights into the current ransomware landscape and best practices to reduce your risk.

Learn more
Watch Demo
Resources

Resources

Learn about Lacework’s modern approach to cloud security with Blogs, Case Studies, Videos, eBooks, Webinars, and White Papers.

Explore Resources Library
Resources & Insights
Training & Documentation
Walking the Line: GitOps and Shift Left Security

Walking the Line: GitOps and Shift Left Security

Read Full Study
Watch Demo
Blog

Muhstik Takes Aim at Confluence CVE 2021-26084

Lacework Labs
6 min read Research
Learn more about how Lacework secures from code to cloud

Learn more about how Lacework secures from code to cloud

Access guided tours & demos

 

Key Takeaways

  • In line with USCYBERCOM’s warning, publicly available Confluence exploit scripts are being integrated into opportunistic attackers’ toolkits.
  • Muhstik, a known threat actor targeting cloud and IoT, is one of these opportunistic attackers targeting vulnerable Confluence servers to spread their botnet.
  • Lacework Labs observed bash droppers with zero detections on VirusTotal being used in conjunction with CVE 2021-26084.

 

Background

Early on Sept. 3, 2021, the USCYBERCOM Twitter account alerted followers to urgently patch Atlassian Confluence CVE-2021-26084 before the labor-day holiday weekend, citing mass exploitation. Since that warning, the Lacework Labs Team has observed a number of exploit attempts using the publicly available exploit code. This blog details the malware, architecture, and infrastructure used in these attacks.

 

Execution Flow Analysis

Publicly available exploit scripts reportedly emerged less than a week following the announcement of CVE-2021-26084 on Aug. 25, 2021. These scripts enable the attacker to gain shell access on the remote server. Simple modifications to this script enabled opportunistic attackers to take a “spray and pray” approach, attempting to spread their malware to several hosts as quickly as possible. Initial execution was achieved via a specially crafted HTTP post request to a vulnerable instance of Confluence.

On Sept. 4, the following exploit traffic was observed in Lacework honeypots originating from IPs 213.16.63.201 (ASN 8866 Viacom) & 62.38.35.226 (ASN 3329 Vodafone-panafon Hellenic Telecommunications Company SA). Lacework Labs first observed IP 213.16.63.201 on July 16, in Redis scanning activity against port 6379. IP 62.38.35.226, and also previously observed in mid-August performing curl requests on port 80.

  

Figure 1. Honeypot traffic

After the initial execution of the CVE-2021-26084 payload, a wget or curl command was executed to download conf2 from 194.31.52.174. This file contained additional download commands for dk86, dk32, and ldm payloads, in addition to changing default iptables policies to be ACCEPT and flushing any existing rules. This behavior can be observed in Figure – 1 below.

  

Figure 2. conf Dropper

 

The dk86 and dk32 ELF binaries were packed with a custom UPX utility and have hardcoded string references to Anime. This aligns to a threat actor group Lacework Labs has previously reported on, Muhstik. Muhstik leveraged well known vulnerabilities in web applications to expand their IoT botnet. Given previous behavior by this actor, it appears the latest Confluence vulnerability is another target on their list.

 

  

Figure 3 – Anime String References in Muhstik

The ldm script hosted on a separate server than conf2 and dk86/dk32 was a more advanced dropper script that performed the following tasks:

  • Established persistence via crontab (T1053.003)
  • Established persistence via dropped ssh key (T1098.004)
  • Attempt lateral movement via existing ssh keys, users and host entries in ~/.ssh/known_hosts (T1021.004)
  • Downloaded additional dropper scripts for pty payloads. (T1059.004)
  • Download additional payloads from .onion sites
  

Figure 4 – Download Script: x3.sh

  

Figure 5 – Multi Architecture

The entire execution workflow can be seen in Figure 6 below.

 

  

Figure 6 – Confluence RCE Overview

 

Bot Analysis

The pty binaries identified within this campaign are IRC bots that appear to be modified versions of Tsunami/Katien. All of the identified binaries include modification of the UPX header to prevent easy unpacking via the upx utility. These binaries can be patched by replacing the custom header bytes (0a 00 00 00) with the bytes for the valid UPX! header (55 50 58 21). A script for patching these files is available in the Lacework Labs Github repository. After patching the upx utility can be used to unpack these binaries.

The pty IRC bots are compiled for numerous architectures including ARM, MIPS, x86, and x64. All of the pty IRC bots are statically compiled, while a subset are compiled with OpenSSL drastically increasing the file size. The main functionality of the IRC bots includes DoS commands for various protocols, as well as ssh brute forcing and raw sh command execution. This functionality can be seen in the bot’s help menu listed below.

 

  

Figure 7 – Bot’s help menu

 

In conjunction with the HTTP flooding and brute force attacks, multiple hard coded usernames, passwords, and user-agent strings are embedded within the binaries. The image below shows embedded User-Agent strings identified within the x86 pty IRC bot variant.

  

Figure 8 – Embedded User-Agents

 

Each pty sample contains a single byte XOR (key 0x22) encrypted configuration section, which contains the domains/IPs the IRC bots connect to. All variants contained the same decoded configuration: 

 

 



"irc.de-za"
"listening tun0
"165.22.217.181
"162.249.2.189
"185.62.137.56
"68.66.253.100
"46.149.233.35
"185.61.149.22
"45.132.242.233
"173.255.240.191
"31.131.24.229
"i.l33t-ppl.info
"i.de-zahlung.eu
"i.deutschland-zahlung.net
"i.shadow-mods.net
"i.deutschland-zahlung.eu
"/proc/
"/exe
"/status
"/fd
"\x58\x4D\x4E\x4E\x43\x50\x46\x22
"zollard
"muhstik-11052018
"eth1
"lan0
"eth0
"inet0
"lano




 


Most of the IPs in the observed configuration have links to previously observed Muhstik domains, while others do not. The following tables show these hosts along with historic passive DNS resolutions.


 


IPASNcountryDomains from passive DNS
162.249.2.18955293:”A2HOSTING”United Statesead.fflyy.su

grand.fflyy.su

dead.fflyy.su

postmaster.fflyy.su

kei.su

w.deutschland-zahlung.eu

fucks.fflyy.su

wireless.kei.su

irc.de-zahlung.eu

fflyy.su

butt.fflyy.su

paypal.com-nl-cgi-bin-webscr-cmd-verify-submit.fflyy.su

wired.kei.su
165.22.217.18114061:”DIGITALOCEAN-ASN”Indiapokemoninc.com

irc.deutschland-zahlung.net

www.ancianossupervisados.com

server1.pokemoninc.com

xxx.pokemoninc.com

api.mahasarkar.co.in

nctbsolution.com

irc.de-zahlung.eu

pex.pokemoninc.com

proceso.pokemoninc.com

netexplanations.com

app.mahasarkar.co.in

m.mahasarkar.co.in

www.netexplanations.com

ancianossupervisados.com

televisa.pokemoninc.com

jorgee3.pokemoninc.com

dns5.name-services.com.pokemoninc.com

shit.pokemoninc.com

aid.pokemoninc.com

answergyaan.in

ftp.pokemoninc.com

romero.pokemoninc.com

mail.pokemoninc.com

server.mahasarkar.co.in

bnet.pokemoninc.com
173.255.240.19163949:”Linode, LLC”United Statesli250-191.members.linode.com

irc.de-zahlung.eu
185.61.149.2243513:”Sia Nano IT”Latviax.fd6fq54s6df541q23sdxfg.eu

irc.de-zahlung.eu

irc.deutschland-zahlung.net
185.62.137.5655293:”A2HOSTING”United Statesjaygame.net

irc.de-zahlung.eu
31.131.24.22956851:”PE Skurykhin Mukola Volodumurovuch”Ukrainevaua0055033.online-vm.com
45.132.242.23347583:”Hostinger International Limited”Germanyamaismarket.com.br

ns1.amaismarket.com.br

webmail.clinicaajudaanimal.com.br

_dc-mx.d88c97daf3cd.comercionarede.com.br

exposedbotnets.ru

bcjservice.com.br

mail.espartana.com.br

ftp.tudodearte.com.br

clinicaajudaanimal.com.br
46.149.233.3552175:”Magellan Telecom Kuzbass Ltd.”Russiaemsib.ru

host233-35.mgtelecom.ru
68.66.253.10055293:”A2HOSTING”United Statesirc.de-zahlung.eu

uranus.kei.su


 


Also, according to passive DNS, the domains in the configuration with the ‘i’ subdomains have never been resolved to any hosts. However, some of these have additional subdomains worth noting.


    

  • edsux.i.shadow-mods.net
    • 

  • hacku.i.shadow-mods.net
    • 

  • irc.i.shadow-mods.net
    • 

  • xmr.i.shadow-mods.net
    • 

  • goahead.i.deutschland-zahlung.eu
    • 

  • tomato.i.deutschland-zahlung.eu
    • 

  • irc7.i.shadow-mods.net
    • 

  • dasan.i.deutschland-zahlung.eu
    • 

  • l33t.i.shadow-mods.net
    • 



 


Recommended Actions


While origins of the vulnerability have not been officially confirmed, Confluence did release a security advisory detailing the specifics. The advisory notes Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 are affected by this vulnerability. Confluence Cloud versions of the products are not vulnerable. The vulnerability ultimately allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance, providing a prime opportunity for opportunistic and targeted attackers as an entry point into target networks. Some additional background also may be found in an outside vulnerability research blog describing the original bug reporting effort.


Some recommended actions:


    

  • Follow the official Confluence advisory for the most current technical recommendations, including patching and configuration updates.
    • 

  • If your organization was vulnerable over the weekend, perform an incident response effort to evaluate any potential compromise with the help of this blog and IOCs below.
    • 



 


Indicators


 


IOCsContext
213.16.63.201Exploit source
62.38.35.226Exploit source
bvprzqhoz72jltin.onionC2
bvprzqhoz72jltin.tor2web.suC2
bvprzqhoz72jltin.onion.lyC2
bvprzqhoz72jltin.onion.wsC2
194.31.52.174Conf2 dropper Hosting Site
18.235.127.50Ldm Malware staging
32.221.40.237Hosting pty payloads
a91dffe65048e39dfe1fd8da0b0dac11807718cdd5efedf4206a18af78779b0aFile: conf2
b3a6fe5bc3883fd26c682bb6271a700b8a6fe006ad8df6c09cc87530fcd3a77834.221.40.237/.x/pty8
2a4e636c4077b493868ea696db3be864126d1066cdc95131f522a4c9f5fb3fec34.221.40.237/.x/pty9
c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c679934.221.40.237/.x/pty4
6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b34.221.40.237/.x/pty10
a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce34.221.40.237/.x/pty3
b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c034.221.40.237/.x/1sh
6a8965a0f897539cc06fefe65d1a4c5fa450d002d1a9d5d69d2b48f697ee5c0534.221.40.237/.x/pty6
e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f8034.221.40.237/.x/pty1
63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a934.221.40.237/.x/pty11
715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f734.221.40.237/.x/pty2
c154d739cab62e958944bb4ac5ebad6e965a0442a3f1c1d99d56137e3efa8e4034.221.40.237/.x/pty7
19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d34.221.40.237/.x/pty5
5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f2834.221.40.237/.x/3sh
0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049194.31.52.174/dk86
fe98548300025a46de1e06b94252af601a215b985dad31353596af3c1813efb0194.31.52.174/dk32
39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f9812918.235.127.50/ldm


 


 

Suggested for you

Achieving SOC 2 compliance with Lacework
Blog March 23, 2022

Achieving SOC 2 compliance with Lacework

Read Blog
Elevate your cloud security knowledge with Lacework Academy & Community
Blog March 8, 2022

Elevate your cloud security knowledge with Lacework Academy & Community

Read Blog
Blog March 8, 2023

Secured by Women: Why we’re celebrating brilliant women in cybersecurity

Read Blog