[MART] - Daily Diary #528 - Linux Botnets Exploiting Recent Atlassian Confluence RCE

CTAS-MAT ctas-mat at appgate.com
Wed Jun 8 23:13:58 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

06/08/2022 - Diary entry #528:

On May 31, 2022, a new vulnerability was discovered in Atlassian's Confluence Server and Data Center. Tracked as CVE-2022-26134, it is a critical vulnerability that allows unauthenticated RCE (Remote Code Execution) on affected servers.

This vulnerability was discovered after a security vendor detected suspicious activity on Confluence servers, and the IOCs suggest that the exploit was in use by multiple threat actors from China. After successfully exploiting it, the attackers deployed in-memory webshells using an open-source project known as Behinder.

Most recently, three botnets were spotted exploiting CVE-2022-26134. Known as Kinsing, Hezb, and Dark.IoT, they are known for deploying backdoors (such as Cobalt Strike beacons) and crypto miners on Linux servers, leveraging vulnerabilities to gain initial access.

After it was disclosed, the vulnerability received a security fix one day later. That was enough time for threat actors to start using it in their campaigns, especially once proof-of-concept (PoC) exploits were published online. We therefore recommend that every organization using the affected products apply the latest patches and, if their vulnerable servers were exposed to the internet, review them for suspicious activity over the last few days.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
