Fortinet Inc.

10/21/2021 | Press release | Distributed by Public on 10/21/2021 17:57

Recent Attack Uses Vulnerability on Confluence Server

FortiGuard Labs Threat Research Report

Affected platforms: Atlassian's Confluence
Impacted parties: Confluence Server or Data Center instance
Impact: An OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code
Severity level:Critical

Introduction of CVE-2021-26084

In August 2021, Atlassian published a security advisory about CVE-2021-26084 that could enable a threat actor to run arbitrary code on unpatched Confluence Server and Data Center instances. FortiGuard Labsanalyzed the situation and published a Threat Signalwith relevant information. After releasing the advisory, there occur massive scanning and proof-of-concept exploit code in public. We also collect a lot attacking traffic. In this blog we will analyze the payloads leveraging this vulnerability, deep dive into the attack and summarize the IOCs for these suspicious activities that may hint the network was affected by CVE-2021-26084.

Overview of CVE-2021-26084 Incidents

In September, we observed numerous threat actors targeting this vulnerability whose goal was to download a malicious payload that would install a backdoor or miner in a user's network. These threats include Cryptojacking, Setag backdoor, Fileless attack that uses PowerShell in a system to execute shell without file dropped and Muhstik botnet; we will elaborate each of them in this analysis.

Although there are different attack vectors for this vulnerability, all of these attacks are targeting the parameter "queryString" which is shown in following packet capture: