March 8, 2024 at 11:56AM
New proof-of-concept exploits are targeting the Atlassian Confluence Data Center and Confluence Server flaw, allowing attackers to execute code within Confluence’s memory without leaving a trace on the file system. Vulnerability CVE-2023-22527 has become a hub of malicious activity, with 30 unique in-the-wild exploits, including the use of the “infamous” Godzilla Web shell. The stealthy in-memory approach presents challenges for defenders and raises the importance of attack surface management.
Key Takeaways from Meeting Notes:
1. Vulnerability Exploitation: There are multiple exploits circulating in the wild for a critical vulnerability (CVE-2023-22527) in Atlassian Confluence Data Center and Confluence Server, allowing attackers to execute arbitrary code within Confluence’s memory without touching the file system.
2. Malicious Activity: There has been a significant increase in malicious activity exploiting the CVE, with 30 unique in-the-wild exploits currently being tracked, including the use of the “infamous” Godzilla Web shell.
3. In-Memory Payload: Researchers at VulnCheck have discovered a new approach utilizing an in-memory payload, which is a more stealthy and less easily detectable method of exploiting the Confluence vulnerability compared to traditional file-based exploits.
4. Attraction for Attackers: Attackers are particularly drawn to targeting Confluence due to the wealth of business information available, making it an attractive entry point into internal networks, especially for ransomware attacks.
5. Risks and Mitigation: Organizations that have not patched Confluence are at extremely high risk, and it is important for defenders to be aware of the ongoing in-memory web shell attacks. The risk is not limited to Confluence alone, as similar vulnerabilities in other products also pose a threat. It is recommended to evolve detection methods to include network-based detection or scanning Java memory for malicious web shells.
6. Long-Term Strategy: The long-term solution to mitigating such advanced issues involves reducing the attack surface by getting sensitive systems off the internet and implementing attack surface management.
These clear takeaways provide a comprehensive understanding of the current threat landscape and the necessary actions to mitigate the risks associated with the Confluence vulnerability.