August 30, 2024 at 05:13AM
Trend Micro researchers discovered an attack exploiting the CVE-2023-22527 vulnerability in older Atlassian Confluence versions, deploying an in-memory fileless backdoor called the Godzilla webshell. The backdoor, developed by “BeichenDream,” evades detection through AES encryption and by remaining in memory. The attack highlights the importance of regularly patching servers and using advanced security solutions.
Based on the meeting notes, the key takeaways are:
1. A new attack vector exploiting the vulnerability CVE-2023-22527 in older versions of Atlassian Confluence Data Center and Server has been discovered. This attack deploys an in-memory fileless backdoor known as the Godzilla webshell.
2. This Godzilla backdoor is a sophisticated Chinese-language backdoor that uses AES encryption for its communication and remains in memory, avoiding disk-based detection mechanisms.
3. Legacy anti-virus solutions struggle to detect fileless malware, highlighting the importance of regularly patching servers and using more advanced security solutions.
4. The vulnerability CVE-2023-22527 is marked critical with a Common Vulnerability Scoring System (CVSS) score of 10, allowing unauthenticated attackers to perform remote code execution.
5. The attack begins with the exploitation of CVE-2023-22527, using velocity.struts2.context to evaluate an OGNL expression, which allows the attacker to create a backdoor for unauthorized access.
6. The Godzilla webshell is a backdoor designed to provide unauthorized access, using techniques such as dynamic class loading and injecting a custom valve into the Tomcat pipeline.
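A defender-side check for the exploitation path in point 5, added here as an example that is not from the Trend Micro report: it scans Confluence/Tomcat access-log lines for the velocity.struts2.context string after undoing percent and \uXXXX encoding, and rates bare OGNL variable references lower as a weaker signal. The log layout, request paths and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Combined-format access log line (the layout Tomcat's AccessLogValve commonly emits).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Key named in the report as the pivot from a Velocity template into OGNL evaluation.
CONTEXT_KEY = "velocity.struts2.context"
# Generic OGNL variable references: a weak signal on their own, so rated lower.
OGNL_REF = re.compile(r"#(?:request|application|parameters|session)\s*[\[.]", re.I)

def normalise(value, rounds=3):
    """Undo percent/'+' encoding repeatedly, then \\uXXXX escapes, so encoded variants match."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)

def classify(line):
    """Return (severity, reason) for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line in the expected layout
    target = normalise(m.group("target"))
    if CONTEXT_KEY in target:
        return ("high", f"{CONTEXT_KEY} in request to {target.split('?')[0]}")
    if OGNL_REF.search(target):
        return ("medium", "OGNL variable reference in request target")
    return None

def scan(lines):
    """Return [(source address, severity, reason)] for every suspicious line."""
    findings = []
    for line in lines:
        result = classify(line)
        if result:
            findings.append((LOG_RE.match(line).group("src"),) + result)
    return findings

# Constructed sample log: addresses are documentation ranges, paths are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2024:10:14:02 +0000] "GET /display/ENG/Home HTTP/1.1" 200 5120',
    # Percent-encoded dots hide the key from a naive substring search on the raw line.
    '198.51.100.7 - - [29/Aug/2024:10:15:31 +0000] "POST /template/example.vm?label=%27velocity%2Estruts2%2Econtext%27 HTTP/1.1" 200 88',
    # Double-encoded variant of the same string.
    '198.51.100.7 - - [29/Aug/2024:10:15:40 +0000] "POST /template/example.vm?label=%2527velocity%252Estruts2%252Econtext%2527 HTTP/1.1" 200 88',
    '192.0.2.9 - - [29/Aug/2024:10:16:05 +0000] "GET /rest/api/content?expand=%23session.x HTTP/1.1" 200 310',
]
```

Run scan() over a real access log and review the "high" findings first; tune OGNL_REF to the application's legitimate parameter usage before alerting on "medium".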
In summary, the meeting notes provide crucial insights into a significant security risk posed by the exploitation of CVE-2023-22527 through a sophisticated in-memory fileless backdoor attack. They emphasize the need for organizations to promptly patch their servers and implement advanced security solutions to mitigate the risks associated with this type of attack. Additionally, the meeting notes highlight technical details and potential indicators of compromise for security monitoring and threat detection.