Novel backdoor persists even after critical Confluence vulnerability is patched

Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities


A new backdoor was this week found implanted in the environments of organizations whose servers were compromised through the recently disclosed critical vulnerability in Atlassian Confluence (CVE-2023-22518, the improper-authorization flaw Atlassian disclosed at the end of October).

The backdoor gives attackers remote access to a victim, both to its Confluence server and to other network resources, and has been found to persist even after Confluence patches are applied, since patching closes the entry point but does not remove an implant that is already in place.

Patches were made available from October 31, with Atlassian telling customers at the time they "must take immediate action". Given the vulnerability was suggested to be under mass exploitation as of November 8, the need to apply patches is stronger than ever.

Experts at Aon's incident response provider Stroz Friedberg said the backdoor is a novel piece of malware called Effluence.

"The malware is difficult to detect and organizations with Confluence servers are advised to investigate thoroughly, even if a patch was applied," according to the advisory.

The web shell is implanted in an atypical way. Malware of this kind is usually uploaded via Confluence's plugin system, and a web shell installed that way can only be reached by an attacker who is able to log into Confluence, or indirectly via an attacker-controlled webpage that a logged-in user visits.

In the case observed by the incident responders, Effluence was installed in a way that allowed an unauthenticated attacker to access it. Here, the attacker hijacked the underlying Apache Tomcat webserver and inserted Effluence between it and Confluence, making it available on every web page.

Effluence is capable of executing a rich array of commands, many that align with those of the Godzilla web shell, which according to Unit 42 by Palo Alto Networks, is one that's designed to stealthily maintain access on high-interest networks.

A small selection of Effluence's capabilities:

Detecting and remediating Effluence installations isn't entirely straightforward and will require some manual review on the defender's part. 

Stroz Friedberg recommends manually reviewing installed plugins for malicious activity. Files with .jar extensions in the following directories, as well as other Confluence-related paths, indicate that a plugin was installed, but their presence alone does not tell a defender whether the plugin is malicious:

Adding to the difficulty, Effluence leaves behind few conventional indicators of compromise (IOCs): there are no distinctive files or network destinations to hunt for. Because the shell hooks every page and returns command output inside an otherwise normal response, defenders may still find evidence of its use by reviewing responses for static Confluence pages and comparing their size against the organization's baseline range for those pages.

The advisory also includes a YARA rule that can detect Effluence in a preserved memory image of the affected server.
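The response-size check described above, written out as an added example that is not part of Stroz Friedberg's advisory or of any Atlassian tooling: a per-URL baseline of response sizes is learned from earlier traffic, and later hits on the same static pages are flagged when they fall outside it. The log records below are constructed for illustration, and the (url, status, bytes) layout is an assumption rather than the format of a real Confluence or Tomcat access log.

```python
"""
Response-size baseline check for static Confluence pages.

Added example, not code from the Effluence advisory. A web shell that hooks
every response can only hand command output back by padding an otherwise
static page, so a static page that suddenly grows well beyond its learned
size range is worth a closer look.
"""
import statistics
from collections import defaultdict

# Constructed baseline traffic: (url, status, response_bytes). Static pages
# on a healthy install vary only slightly in size between hits (e.g. tokens).
BASELINE_LOG = [
    ("/login.action", 200, 18432), ("/login.action", 200, 18440),
    ("/login.action", 200, 18428), ("/login.action", 200, 18436),
    ("/favicon.ico", 200, 3638), ("/favicon.ico", 200, 3638),
    ("/favicon.ico", 200, 3638), ("/favicon.ico", 200, 3638),
    ("/robots.txt", 200, 212), ("/robots.txt", 200, 212),
    ("/robots.txt", 200, 212), ("/robots.txt", 200, 212),
]

# Constructed traffic under review: one login-page hit is ~6 KiB larger than
# every baseline sample, consistent with shell output appended to the page.
REVIEW_LOG = [
    ("/login.action", 200, 18434),
    ("/login.action", 200, 24790),
    ("/favicon.ico", 200, 3638),
    ("/robots.txt", 200, 212),
    ("/never/seen/before", 200, 5000),
]


def build_baseline(records, min_samples=3):
    """Per-URL (median, allowed_deviation) learned from 2xx responses.

    The allowed deviation is the larger of a fixed floor (so assets with a
    perfectly constant size do not get zero tolerance) and an expanded median
    absolute deviation, which tolerates legitimate jitter such as CSRF tokens.
    URLs with fewer than min_samples observations get no baseline.
    """
    sizes = defaultdict(list)
    for url, status, nbytes in records:
        if 200 <= status < 300:
            sizes[url].append(nbytes)
    baseline = {}
    for url, values in sizes.items():
        if len(values) < min_samples:
            continue
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        baseline[url] = (median, max(64, 5 * mad))
    return baseline


def flag_size_anomalies(records, baseline):
    """Return (url, bytes, baseline_median) for responses outside their range.

    URLs without a baseline and non-2xx responses are skipped: there is
    nothing sound to compare them against.
    """
    flagged = []
    for url, status, nbytes in records:
        if url not in baseline or not (200 <= status < 300):
            continue
        median, allowed = baseline[url]
        if abs(nbytes - median) > allowed:
            flagged.append((url, nbytes, median))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for url, nbytes, median in flag_size_anomalies(REVIEW_LOG, base):
        print(f"ANOMALY {url}: {nbytes} bytes vs baseline median {median}")
```

The baseline should be learned from traffic captured before the suspected compromise window, and only pages that are genuinely static for every client belong in it; a page whose size legitimately depends on the user or on content will produce noise rather than signal.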

"Stroz Friedberg has not thoroughly tested to what extent this novel malware is applicable to other Atlassian products," it said. "Several of the web shell functions depend on Confluence-specific APIs. However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, BitBucket, or other Atlassian products where an attacker can install the plugin." ®
