Novel backdoor persists even after critical Confluence vulnerability is patched

November 14, 2023 at 06:03AM

A new backdoor has been found in organizations’ environments following exploitation of a critical vulnerability in Atlassian Confluence. The backdoor gives attackers remote access to the victim’s Confluence server and other network resources, and it persists even after Confluence patches are applied. The malware responsible, called Effluence, is difficult to detect: it leaves behind no indicators of compromise in the usual sense, which complicates both detection and remediation. Organizations are advised to investigate thoroughly and to review installed plugins for malicious activity. The advisory also includes a YARA rule to detect Effluence. It is not yet known whether the malware also works against other Atlassian products.

Key takeaways from the article:

1. A new backdoor called Effluence has been discovered in organizations’ environments, taking advantage of a critical vulnerability in Atlassian Confluence.
2. The backdoor allows attackers to gain remote access to the victim’s Confluence server and other network resources, even after patches have been applied.
3. Atlassian released patches on October 31 and, once in-the-wild exploitation was observed beginning November 8, urged customers to apply them immediately.
4. Effluence is a difficult-to-detect malware, and organizations using Confluence servers are advised to thoroughly investigate even if the patch has been applied.
5. The web shell is implanted differently than usual: Effluence is inserted between the Apache Tomcat web server and Confluence, so it is reachable from every web page rather than from a single dropped file.
6. Effluence has various capabilities, including creating admin accounts, running commands, deleting and editing files, deploying additional plugins, changing passwords, and logging credentials.
7. Detecting and remediating Effluence installations require manual review by defenders, including reviewing installed plugins for malicious activity.
8. Effluence does not leave behind indicators of compromise (IOCs), but evidence may be found when reviewing static Confluence pages or monitoring response size compared to the organization’s baseline range.
9. A YARA rule is provided in the advisory to detect Effluence in a preserved memory image.
10. The extent of Effluence’s applicability to other Atlassian products has not been thoroughly tested, but the plugin and loader mechanism could potentially be used on Jira, Bitbucket, or other Atlassian products where an attacker can install the plugin.
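Takeaways 5 and 8 together suggest one practical hunt: a plugin that hooks every rendered page adds bytes to every response, so per-path response sizes drift away from the organization’s baseline. The script below is an added example, not code from the article or from the advisory it summarizes. It parses Tomcat access-log lines in Common Log Format, builds a per-path baseline from the median and median absolute deviation (MAD) of successful GET response sizes, and flags responses that exceed that baseline by more than a threshold. The log lines are constructed sample data, the IP addresses are documentation ranges, and the `k` and `min_delta` values are assumed starting points to tune against real traffic.

```python
import re
import statistics
from collections import defaultdict

# Constructed Tomcat access-log sample in Common Log Format (not real Confluence
# traffic). The final /display/ENG/Home request is an assumed anomaly: its body
# is about 13 KB larger than the path's baseline, the kind of inflation a plugin
# that injects itself into every rendered page would produce.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2023:10:00:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200 48210
10.0.0.6 - - [13/Nov/2023:10:00:05 +0000] "GET /display/ENG/Home HTTP/1.1" 200 48190
10.0.0.7 - - [13/Nov/2023:10:00:09 +0000] "GET /display/ENG/Home HTTP/1.1" 200 48305
10.0.0.8 - - [13/Nov/2023:10:00:13 +0000] "GET /display/ENG/Home HTTP/1.1" 200 48244
10.0.0.9 - - [13/Nov/2023:10:00:17 +0000] "GET /display/ENG/Home HTTP/1.1" 200 48201
10.0.0.5 - - [13/Nov/2023:10:01:01 +0000] "GET /login.action HTTP/1.1" 200 9120
10.0.0.6 - - [13/Nov/2023:10:01:05 +0000] "GET /login.action HTTP/1.1" 200 9118
10.0.0.7 - - [13/Nov/2023:10:01:09 +0000] "GET /login.action HTTP/1.1" 200 9125
203.0.113.9 - - [13/Nov/2023:10:02:40 +0000] "GET /display/ENG/Home HTTP/1.1" 200 61930
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text):
    """Parse CLF lines into dicts; skip lines that don't match or carry no body size."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("size") == "-":
            continue
        # Drop the query string so /page?x=1 and /page share one baseline.
        path = m.group("target").split("?", 1)[0]
        records.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "size": int(m.group("size")),
        })
    return records


def baseline_by_path(records, min_samples=3):
    """Per-path (median, MAD) of response size for successful GETs.

    Median/MAD is used instead of mean/stdev so that a single implanted
    response cannot drag the baseline it is being compared against.
    Paths with fewer than min_samples observations get no baseline.
    """
    sizes = defaultdict(list)
    for r in records:
        if r["status"] == 200 and r["method"] == "GET":
            sizes[r["path"]].append(r["size"])
    baseline = {}
    for path, values in sizes.items():
        if len(values) < min_samples:
            continue
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        baseline[path] = (med, mad)
    return baseline


def flag_oversized(records, k=5.0, min_delta=1024):
    """Return records whose size exceeds the path baseline by more than
    max(k * MAD, min_delta) bytes. min_delta keeps near-constant pages
    (MAD close to 0) from alerting on a few bytes of legitimate variation.
    k and min_delta are assumed defaults; tune them against real traffic.
    """
    baseline = baseline_by_path(records)
    flagged = []
    for r in records:
        if r["path"] not in baseline:
            continue
        med, mad = baseline[r["path"]]
        threshold = max(k * mad, min_delta)
        if r["size"] - med > threshold:
            flagged.append({**r, "baseline": med, "delta": r["size"] - med})
    return flagged


if __name__ == "__main__":
    for hit in flag_oversized(parse_access_log(SAMPLE_LOG)):
        print(f'{hit["client"]} {hit["path"]} size={hit["size"]} '
              f'baseline={hit["baseline"]:.0f} (+{hit["delta"]:.0f} bytes)')
```

Run it against a day of access logs captured before the suspected compromise window to establish the baseline, then against current traffic. A plugin that injects into every page will show up as a consistent positive delta across many paths at once, which is a stronger signal than any single oversized response; a delta confined to one page is more likely a legitimate content change. This is a coarse screen, not a substitute for the manual plugin review and the memory-image YARA scan the advisory calls for.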
