Researchers at Trend Micro have reported in-the-wild exploitation of a critical vulnerability, rated CVSS 10.0, in Atlassian's Confluence Data Center and Confluence Server. The flaw lets an unauthenticated attacker execute arbitrary code on a vulnerable server, which amounts to full compromise of the host. A patch has been available since the vulnerability was disclosed, yet unpatched instances continue to be exploited, including to install cryptocurrency miners.
Further investigation showed that the attackers use the vulnerability to load a malicious program onto the Confluence server, which in turn deploys the Godzilla web shell. Godzilla, written by a developer known as "Beichendream", encrypts its command-and-control traffic with AES, so network inspection sees only opaque ciphertext and signature matching on request and response content does not fire.
The attack chain begins with exploitation of CVE-2023-22527, a template injection vulnerability in Confluence, to execute the initial payload. From there a multi-stage loader injects code directly into the memory of the running Java process: it defines its own classes and methods inside the JVM and hooks them into request handling, so the web shell answers the attacker's requests without ever being written to disk. That access lasts as long as the process runs; nothing on disk re-creates it, and nothing on disk reveals it either.
Because the malicious code lives only in memory (a fileless technique), detection and removal are harder: there is no file for an antivirus engine to scan and nothing to delete. Organizations that rely on signature-based antivirus alone may not notice the intrusion at all. Finding it means looking at the running process (for example, enumerating the classes loaded into the JVM or analysing a heap dump) and at the web server logs for the exploitation requests that preceded the in-memory stage.
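The log-based check mentioned above, as an added example that is not Trend Micro's or Atlassian's tooling: the script below triages Tomcat-style combined access log lines from Confluence for requests that look like CVE-2023-22527 exploitation attempts. It assumes the Velocity template path and the OGNL fragments used here match what public exploit write-ups describe, and the log lines are constructed for the example, not captured traffic. Since the access log does not record POST bodies, where most real payloads travel, a direct hit on the template path is treated as the primary signal and URL-borne OGNL markers as a secondary one.

```python
#!/usr/bin/env python3
"""Triage Confluence access logs for CVE-2023-22527 exploitation attempts.

Added example, not vendor tooling. Assumptions: Tomcat/Confluence combined
access log format; VULNERABLE_PATH and OGNL_MARKERS are taken from public
exploit write-ups and may not cover every variant.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote

# Velocity template reached by public exploits for CVE-2023-22527. Ordinary
# users never request it directly, so any hit is worth a look, body or no body.
VULNERABLE_PATH = "/template/aui/text-inline.vm"

# Fragments that appear when an OGNL payload is carried in the URL itself
# (lower-case; the target is lower-cased before matching). Secondary signal
# only: most payloads travel in the POST body, which the access log omits.
OGNL_MARKERS = ("\\u0027", "#request", "#parameters", "getclass(", "forname(", "@java.")

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


class Finding(NamedTuple):
    client: str
    timestamp: str
    method: str
    status: int
    reason: str


def _decode(target: str) -> str:
    # Payloads are frequently URL-encoded once or twice; decode twice, lower-case.
    return unquote(unquote(target)).lower()


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line looks like an exploitation attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access log line; skip rather than guess
    target = _decode(m["target"])
    path = target.partition("?")[0]
    reasons = []
    if path == VULNERABLE_PATH.lower():
        reasons.append("direct request to vulnerable template")
    hits = [k for k in OGNL_MARKERS if k in target]
    if hits:
        reasons.append("OGNL marker(s) in URL: " + ", ".join(hits))
    if not reasons:
        return None
    return Finding(m["client"], m["ts"], m["method"], int(m["status"]), "; ".join(reasons))


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(ln) for ln in lines) if f is not None]


# Constructed sample log lines (not real traffic). The third line carries an
# OGNL-looking fragment in the query string, double-encoded, for illustration.
SAMPLE_LOG = """
10.0.0.5 - - [20/Jan/2024:10:15:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
10.0.0.7 - jdoe [20/Jan/2024:10:15:04 +0000] "GET /rest/api/content?spaceKey=ENG HTTP/1.1" 200 9342 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jan/2024:10:16:40 +0000] "GET /template/aui/text-inline.vm?label=%5Cu0027%2B%23request%5B%5Cu0027x%5Cu0027%5D HTTP/1.1" 200 1211 "-" "curl/8.4.0"
198.51.100.4 - - [20/Jan/2024:10:20:00 +0000] "GET /login.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".strip().splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.method} status={f.status}: {f.reason}")
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file's lines; a 200 response to the template path from an unfamiliar client is the line to pivot from into JVM inspection of the same host.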
Trend Micro recommends that administrators of Confluence Data Center and Server upgrade to a fixed release without delay (Atlassian's advisory lists 8.5.4 LTS and later fixed versions; Confluence Cloud is not affected). Keeping software current and using security tools that inspect process memory and behaviour, not only files on disk, are essential to detecting and preventing this class of attack.
This is not the first time Godzilla has been used in such attacks: it was previously dropped through exploitation of a vulnerability in Apache ActiveMQ (CVE-2023-46604). Once installed, the web shell gives the attacker full control of the host, including execution of arbitrary commands, network reconnaissance and file management.