Stealth Bomber: Atlassian Confluence Exploits Drop Web Shells In-Memory

We Keep you Connected

Stealth Bomber: Atlassian Confluence Exploits Drop Web Shells In-Memory

The proof-of-concept exploits for Atlassian Confluence would enable arbitrary code execution without requiring file system access.
March 8, 2024
Fresh proof-of-concept (PoC) exploits are circulating in the wild for a widely targeted Atlassian Confluence Data Center and Confluence Server flaw. The new attack vectors could enable a malicious actor to stealthily execute arbitrary code within Confluence's memory without touching the file system.
Researchers at VulnCheck have been tracking the exploits for the CVE-2023-22527 remote code execution (RCE) vulnerability, which was disclosed in January. The CVE has since become "hotbed of malicious activity" they noted, with VulnCheck currently tracking 30 unique in-the-wild exploits for the vulnerability, including the more recent options.
Most of the attacks against Confluence load the "infamous" Godzilla Web shell. Godzilla allows attackers to remotely control the compromised server, execute arbitrary commands, upload and download files, manipulate databases, and perform other malicious activities.
A new approach, though, is using an in-memory payload. After spotting the in-the-wild PoCs using that technique, VulnCheck researchers developed three PoCs of their own to probe the in-memory approach's limits.
The flurry of activity should surprise no one: VulnCheck CTO Jacob Baines says he thinks attackers love to target Confluence because of the wealth of business information available within in application, which makes it a "good pivot" into an internal network.
"By exploiting this target, you're getting an on-prem version with business specific logic in it," he says. "It's pretty attractive for ransomware attackers specifically."
As VulnCheck's blog post details, "There's more than one way to reach Rome. More stealthy paths generate different indicators. Of particular interest is the in-memory Web shell, which had a pre-existing variant … that appears to have been deployed in the wild."
Baines explains that one of the firm's PoCs details the basic first step of loading arbitrary Java into memory, a popular exploit approach but one that is easily discovered with endpoint detection.
"This is a very obvious, easy-to-catch method to exploit Confluence," he says. "But loading arbitrary Java into memory is useful to know how to do, because the next step, the Web shell portion, builds on that."
VulnCheck's other two proofs of concept for CVE-2023-22527 in Confluence detail how malicious actors could exploit the Confluence vulnerability by loading an in-memory Web shell directly to gain unauthorized access to Web servers.
Loading into and executing code from Confluence’s memory is a much more stealthy and weaponized approach to attacking Confluence that is less likely to be detected by defenders, Baines says.
"A lot of systems only detect adversaries on the system by analyzing files that are dropped to disk," he says, adding that there's no great way to scan Java in memory for Web shells because of the way it's structured — the real solution lies in detecting it on the network.
"That has its own challenges, as everything's encrypted and you have to deploy certificates to the clients," he says. "The long-term answer is getting everything off of the Internet that you can."
Baines points out Confluence has now had multiple different CVEs on VulCheck's Known Exploited Vulnerabilities (KEV) list.
"It's definitely time to start putting that behind a VPN," he says. "Ultimately, attack surface management is the way to help mitigate these more advanced issues."
Baines says the risk of compromise is extremely high for organizations who have still not patched Confluence, given the mass-exploitation efforts underway.
"We see attackers have used this in-memory Web shell — it's not a theoretical attack," he says. "It's something that's happening, so defenders need to be aware of it, and that it is a high risk at the moment."
Baines adds that the risk from the in-memory approach is not just limited to Confluence, as it is related to Object-Graph Navigation Language (OGNL) expressions, which allow developers to perform various operations on Java objects using a simple, concise syntax.
"This affects a variety of different products with similar vulnerabilities — you could use this exact same technique against those other products," he says. "Organizations must evolve a step to start catching this sort of thing for example network-based detection or scanning Java memory for malicious Web shells."
Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
You May Also Like
Assessing Your Critical Applications’ Cyber Defenses
Unleash the Power of Gen AI for Application Development, Securely
The Anatomy of a Ransomware Attack, Revealed
How To Optimize and Accelerate Cybersecurity Initiatives for Your Business
Building a Modern Endpoint Strategy for 2024 and Beyond
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Industrial Networks in the Age of Digitalization
Zero-Trust Adoption Driven by Data Protection
How Enterprises Assess Their Cyber-Risk
Proven Success Factors for Endpoint Security
SANS 2021 Cloud Security Survey
Gcore Radar
Secure Access for Operational Technology at Scale
Threat Intelligence: Data, People and Processes
Building Cyber Resiliency: Key Strategies for Proactive Security Operations
Migrations Playbook for Saving Money with Snyk + AWS
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.