Detecting “Effluence”, An Unauthenticated Confluence Web Shell

Cyber Labs

November 9, 2023

Article by: Cyber Labs

Discovering Effluence, a unique web shell accessible on every page of an infected Confluence

Summary

Aon's Stroz Friedberg Incident Response Services ("Stroz Friedberg") observed the use of novel malware, dubbed "Effluence," in combination with the exploit of a recent Atlassian Confluence vulnerability. Once implanted, the malware acts as a persistent backdoor and is not remediated by applying patches to Confluence. The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence. The malware is difficult to detect and organizations with Confluence servers are advised to investigate thoroughly, even if a patch was applied.

Background

Stroz Friedberg was engaged to help a client perform diligence after they discovered that they had a known vulnerable (CVE-2023-22515) Atlassian Confluence Data Center server near the edge of their network. This vulnerability allows an attacker to gain unauthorized access to the administrative areas of a Confluence server.

In this specific client engagement, the cybercriminal gained initial access via the previously mentioned vulnerability and embedded a novel web shell into the Confluence server, which gave them persistent access to every web page on the server without the need for a valid user account. Typical web shells encountered with Confluence exploits are uploaded via Confluence's plugin installation capability, e.g., https://github.com/dubfr33/atlassian-webshell-plugin. Such web shells are only accessible if a user has signed into Confluence or if a single webpage of the webserver has been hooked, and the attacker must request the exact page of the web shell, for example, http://example.com/webshell.jsp.

The web shell encountered during Stroz Friedberg’s investigation, however, hijacks the underlying Apache Tomcat webserver and silently inserts itself between Confluence and Tomcat, making itself available on every webpage, including the unauthenticated login page. The web shell does not make any changes to the webpages and allows requests to pass through it unnoticed until a request matches specific parameters.

Stroz Friedberg identified this web shell on public malware repositories with no detections, indicating others may be at risk of this malware. Given ongoing attacks against Confluence, this post aims to raise awareness and provide initial detection methods. Public analysis of the inner workings of the malware will be published at a later date.

Technical Overview

The web shell is split into two parts, a loader and payload. The loader acts as a normal Confluence plugin but utilizes a modified legitimate Java collections class, similar to IdentityHashMap, to hide its malicious payload. The loader is triggered via an overloaded equals() method, which decrypts the payload into a byte array containing a Java class, then loads that class via reflection—hence the raw Java class is never written to the filesystem. Once the payload is loaded, it runs a function which hides the plugin among Confluence “System Apps”, whereas a user loaded plugin would normally be among “User-Installed Apps”.

The web shell traverses internal structures of the ServletContextFactory interface in order to locate and then add itself to Tomcat’s internal applicationEventListenersList. It implements a ServletRequestListener such that any request to the Confluence server passes through the web shell first, including all pages accessible to unauthenticated users. Because the web shell is available from the login page, attackers can trigger it without needing to maintain Confluence user access. The web shell itself takes no action unless a particular query parameter is supplied. When triggered, the web shell can execute any of the following functions (which closely align with a Godzilla webshell plugin):

  • Create a new administrator account to gain full control over the system.
  • Purge application logs to erase traces of unauthorized access.
  • Run any command on the host server.
  • Browse through the file system to inspect the structure and contents of directories.
  • Delete any file on the server.
  • Modify the timestamps of files to hide when they were last edited.
  • Read the contents of any file.
  • Edit any file, enabling the alteration of data or system settings.
  • Enumerate all Confluence collaboration spaces, capturing details such as space name, date of creation, title, creator, recent modifiers, modification dates, and their respective URLs.
  • Conceal unauthorized plugin uploads by misrepresenting them as official System Plugins rather than User Plugins.
  • Extract detailed LDAP [1] configurations, including various identifiers, statuses, encryption settings, descriptions, types, classes, creation and update dates, permissible operations, and custom LDAP attributes specified within Confluence.
  • Acquire comprehensive information on configured mail servers, including names, protocols, host details, ports, login credentials, descriptions, and proxy configurations.
  • Collect environmental variables from the server, which may reveal system configuration and sensitive information.
  • Compile extensive user information such as usernames, full names, email addresses, the encryption status of credentials, actual user credentials, contact numbers, instant messaging handles, job titles, departments, locations, login frequency, account statuses, group memberships, and associated directory IDs.
  • Deploy additional plugins that could offer more features or vulnerabilities to exploit.
  • Remove users from Confluence.
  • Search and retrieve specific content from within Confluence pages, potentially accessing confidential or proprietary information.
  • Uninstall plugins.
  • Change user passwords, allowing for unauthorized access to user accounts.
  • Log usernames and passwords utilized during login attempts, which could be used for further unauthorized access to systems and data.

Preliminary Detection

To assist in identifying this web shell in an environment, the following sections provide several detection methods. Please take note: at this time, patching Confluence to address CVE-2023-22515 and CVE-2023-22518 will not remediate the web shell if it has already been deployed.

Endpoint Detection Response/File Integrity Monitoring

This detection looks for plugins created in the Atlassian plugin directories. It will only show that a plugin was installed, not whether that plugin is malicious. To identify whether a plugin was installed, look for files with a “.jar” extension in any of the following directories:

  • <confluence_install_dir>/temp/
  • <confluence_app_dir>/application_data/plugins-osgi-cache/transformed-plugins/
  • <jira_app_dir>/application_data/plugins/installed-plugins/
  • <bitbucket_app_dir>/application_data/shared/plugins/installed-plugins/

Due to the customizable nature of Confluence installations, it is prudent to check other Confluence related directories including plugin-cache and bundled-plugins.
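As an added illustration (not Stroz Friedberg's tooling or code from the article), the following Python script inventories .jar files under the directories listed above, recording size, modification time and SHA-256 for each, and reading the plugin key from the jar's atlassian-plugin.xml descriptor where one is present so that unfamiliar plugin keys stand out. The directory roots in angle brackets are the article's placeholders and must be filled in for your deployment; the build_sample_plugin_dir helper and its two sample jars are constructed here so the scanner can be run offline. Passing newer_than restricts the inventory to jars modified after the date the server is believed to have been exposed.

```python
"""Inventory Atlassian plugin jars (added example; not the article's tooling).

The directory roots in angle brackets are placeholders from the article and
must be replaced with the real paths of your installation."""
import hashlib
import os
import tempfile
import time
import xml.etree.ElementTree as ET
import zipfile

PLUGIN_DIRS = [
    "<confluence_install_dir>/temp/",
    "<confluence_app_dir>/application_data/plugins-osgi-cache/transformed-plugins/",
    "<jira_app_dir>/application_data/plugins/installed-plugins/",
    "<bitbucket_app_dir>/application_data/shared/plugins/installed-plugins/",
]


def sha256_of(path):
    """Stream the file through SHA-256 so large jars need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plugin_key(jar_path):
    """Return the key attribute of atlassian-plugin.xml at the jar root, or None
    when the jar has no descriptor (a plain library) or cannot be parsed."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "atlassian-plugin.xml" not in zf.namelist():
                return None
            return ET.fromstring(zf.read("atlassian-plugin.xml")).get("key")
    except (zipfile.BadZipFile, ET.ParseError):
        return None


def find_plugin_jars(dirs, newer_than=None):
    """Walk each existing directory and return one record per .jar, newest first.
    newer_than (epoch seconds) restricts the output to jars modified after it."""
    records = []
    for root in dirs:
        if not os.path.isdir(root):
            continue
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".jar"):
                    continue
                path = os.path.join(dirpath, name)
                mtime = os.path.getmtime(path)
                if newer_than is not None and mtime <= newer_than:
                    continue
                records.append({
                    "path": path,
                    "size": os.path.getsize(path),
                    "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(mtime)),
                    "sha256": sha256_of(path),
                    "plugin_key": plugin_key(path),
                })
    records.sort(key=lambda r: r["mtime"], reverse=True)
    return records


def build_sample_plugin_dir():
    """Constructed sample input: a temp directory with one jar carrying a plugin
    descriptor, one plain library jar and one non-jar file."""
    sample = tempfile.mkdtemp(prefix="plugins-")
    with zipfile.ZipFile(os.path.join(sample, "sample-plugin-1.0.jar"), "w") as zf:
        zf.writestr("atlassian-plugin.xml",
                    '<atlassian-plugin key="com.example.sample" name="Sample"/>')
    with zipfile.ZipFile(os.path.join(sample, "plain-library.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(sample, "notes.txt"), "w") as fh:
        fh.write("not a jar\n")
    return sample


if __name__ == "__main__":
    # Replace the sample directory with PLUGIN_DIRS on a real server.
    for rec in find_plugin_jars([build_sample_plugin_dir()]):
        print(f'{rec["mtime"]}  {rec["sha256"][:16]}  {str(rec["plugin_key"]):28} {rec["path"]}')
```

The SHA-256 column is what to compare against the hashes of known-good plugin releases; a jar with a plugin key nobody recognizes, or with a modification time inside the exposure window, is the one to pull for analysis.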

Web Log Analysis

Detecting usage of this web shell depends on reviewing the web server access logs. Because of how the web shell operates, there are no obvious Indicators of Compromise (IOCs) in the web logs that reveal its use. However, potential usage may be found by reviewing access to static Confluence pages, such as “/login.action”, where the response size varies. For example, the following screenshot shows successful accesses to “/login.action” with response sizes varying between 826 and 2574 bytes:

Figure 1 – Examples of malicious requests from logs located at /opt/atlassian/confluence/logs/conf_access_log.log

While we are still gathering information about this particular malware, as an early point of note Stroz Friedberg recommends baselining your environment to establish the normal range of response sizes for these pages, so that abnormal response sizes stand out.
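To make that baselining concrete, the following Python example (added here; not the article's or Stroz Friedberg's tooling) parses access-log lines, groups /login.action requests by path with any query string stripped, and flags responses whose size departs from the median by more than a tolerance derived from the median absolute deviation. The log lines are constructed to mirror Figure 1, with two responses of 826 and 2574 bytes among a stable set of larger ones; the regular expression assumes Tomcat's common log format (host, identity, user, timestamp, request line, status, bytes), so adjust LOG_RE to match the pattern configured for your conf_access_log.log.

```python
"""Baseline /login.action response sizes and flag outliers (added example; not
the article's tooling). LOG_RE assumes Tomcat's common log format; adapt it to
the pattern configured for conf_access_log.log."""
import re
import statistics

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not from a real server): seven ordinary login-page
# loads of a stable size, one redirect on another path, and two responses on the
# same static page with the sizes quoted in Figure 1.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Nov/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.11 - - [06/Nov/2023:10:02:14 +0000] "GET /login.action HTTP/1.1" 200 5118
203.0.113.12 - - [06/Nov/2023:10:03:41 +0000] "GET /login.action?os_destination=%2Findex.action HTTP/1.1" 200 5120
203.0.113.13 - - [06/Nov/2023:10:05:09 +0000] "GET /login.action HTTP/1.1" 200 5119
203.0.113.13 - - [06/Nov/2023:10:05:21 +0000] "POST /dologin.action HTTP/1.1" 302 -
203.0.113.14 - - [06/Nov/2023:10:06:33 +0000] "GET /login.action HTTP/1.1" 200 5121
203.0.113.15 - - [06/Nov/2023:10:07:50 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.16 - - [06/Nov/2023:10:08:02 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.7 - - [06/Nov/2023:10:08:12 +0000] "GET /login.action HTTP/1.1" 200 826
198.51.100.7 - - [06/Nov/2023:10:09:45 +0000] "GET /login.action HTTP/1.1" 200 2574
"""


def parse(lines):
    """Parse log lines into dicts; lines that do not match the pattern are skipped.
    The query string is dropped from the path so that variants of one static
    page are baselined together."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rows.append({
            "host": m["host"],
            "time": m["time"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        })
    return rows


def baseline(rows, path, status=200):
    """Median and median absolute deviation (MAD) of response sizes for one path
    and status; both are robust to the very outliers being hunted. Returns
    (None, None) when the path never appears with that status."""
    sizes = [r["bytes"] for r in rows if r["path"] == path and r["status"] == status]
    if not sizes:
        return None, None
    med = statistics.median(sizes)
    mad = statistics.median(abs(s - med) for s in sizes)
    return med, mad


def flag_outliers(rows, path="/login.action", status=200, tolerance=3, floor=64):
    """Return the rows for `path` whose size differs from the median by more than
    max(tolerance * MAD, floor) bytes. `floor` stops a near-constant baseline
    (MAD close to zero) from flagging every byte of normal jitter."""
    med, mad = baseline(rows, path, status)
    if med is None:
        return []
    limit = max(tolerance * mad, floor)
    return [
        r for r in rows
        if r["path"] == path and r["status"] == status and abs(r["bytes"] - med) > limit
    ]


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG.splitlines())
    med, mad = baseline(rows, "/login.action")
    print(f"baseline for /login.action: median={med} bytes, MAD={mad}")
    for r in flag_outliers(rows):
        print(f'{r["time"]} {r["host"]} {r["bytes"]} bytes')
```

Build the baseline from a period believed to predate exposure where possible, and run the comparison per page rather than across the whole log, since legitimate pages legitimately differ in size; a page whose content is static should not vary by thousands of bytes between requests.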

YARA Rule over Memory

Detection of the web shell via this method relies on a memory capture from the server. Stroz Friedberg developed the following YARA rule, which can detect the web shell in the preserved memory image:

rule ConfluencePageIndicator {
  meta:
    description = "Detects strings indicative of a web shell in Confluence page"
    author = "Stroz Friedberg"
    date = "2023-11-06"

  strings:
    $confluence_title = " - Confluence" ascii wide
    $hide_plugin_function = "hidePlugin(" ascii wide
    $system_plugin_key = "ALWAYS_SYSTEM_PLUGIN_KEYS" ascii wide
    $dashes = " ----- " ascii wide

  condition:
    $confluence_title and $hide_plugin_function and $dashes and $system_plugin_key
}

Beyond Confluence

Stroz Friedberg has not thoroughly tested to what extent this novel malware is applicable to other Atlassian products. Several of the web shell functions depend on Confluence-specific APIs. However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, BitBucket, or other Atlassian products where an attacker can install the plugin.

If you suspect you are compromised or need assistance in assessing compromise, please call our Incident Response hotline. If you are from a Law Enforcement Agency or Endpoint Detection and Response vendor and wish for more details, please contact Aon Cyber Solutions.


[1] Lightweight Directory Access Protocol

While care has been taken in the preparation of this material and some of the information contained within it has been obtained from sources that Stroz Friedberg believes to be reliable (including third-party sources), Stroz Friedberg does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article and accepts no liability for any loss incurred in any way whatsoever by any person or organization who may rely upon it. It is for informational purposes only. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, while we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. This article has been compiled using information available to us up to 11/8/23.

About Cyber Solutions:

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.