November 10, 2023 at 04:03AM
Researchers have discovered a stealthy backdoor called Effluence that exploits a security flaw in Atlassian Confluence Data Center and Server. The backdoor allows attackers to move laterally within the network and exfiltrate data. It can be accessed remotely without authenticating to Confluence. The attack chain involves exploiting two critical bugs that allow unauthorized administrator accounts and complete loss of confidentiality, integrity, and availability. The attacker gains persistent remote access through a web shell that triggers malicious behavior. The web shell functions depend on Confluence-specific APIs but can also potentially be applied to other Atlassian products.
Key Takeaways from the Meeting Notes:
1. A new backdoor named Effluence has been discovered after the exploitation of a security flaw in Atlassian Confluence Data Center and Server.
2. Effluence acts as a persistent backdoor and cannot be patched by applying fixes to Confluence.
3. Attackers can access the backdoor remotely without authenticating to Confluence.
4. The attack chain involves exploiting CVE-2023-22515 and CVE-2023-22518 to create unauthorized Confluence administrator accounts.
5. The latest attack featured a web shell that provided persistent remote access to all web pages on the server, including the unauthenticated login page.
6. The web shell can perform various malicious activities, such as creating new admin accounts, deleting files, and gathering information about the Atlassian environment.
7. The loader component of the web shell acts as a normal Confluence plugin and can potentially be used in other Atlassian products.
Please let me know if you need any further information or if there is anything else I can assist you with.