
Netizen: Threat Detection and Advisory on Confluence Vulnerability CVE-2023-22518

The disclosure of CVE-2023-22518 is a significant concern for organizations running Confluence Data Center and Server (Atlassian Cloud sites are not affected). Atlassian has assigned the vulnerability a CVSS score of 10/10 based on its internal assessment; the NVD has not yet published a score. It is the second major Confluence vulnerability in a matter of weeks: CVE-2023-22515, a broken access control bug that the NVD rated 9.8/10 on the CVSS v3.1 scale, has drawn considerable attention across the security community. CVE-2023-22518 is an improper authorization vulnerability that, in the words of the NVD summary, “allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account.” With that account an attacker can do anything a legitimate administrator can, amounting to a full compromise of confidentiality, integrity and availability. Atlassian, the company behind Confluence, has acknowledged the vulnerability and released patches to address it.

Threat Detection

Signs of a potential compromise include:

  • Loss of login access.
  • Suspicious requests to /json/setup-restore* endpoints in access logs.
  • Installation of unknown plugins, particularly any named web.shell.Plugin.
  • Encrypted files or corrupted data.
  • Unusual entries in the confluence-administrators group or newly created user accounts.

Rapid7 Managed Detection and Response has also published indicators of compromise observed during exploitation of CVE-2023-22518:

IP addresses:

  • 193.176.179[.]41
  • 193.43.72[.]11
  • 45.145.6[.]112

Domains:
  • j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

File hashes:

  • Bat file: /tmp/agttydcb.bat – MD5: 81b760d4057c7c704f18c3f6b3e6b2c4
  • ELF ransomware binary: /tmp/qnetd – SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

Ransom note: read-me3.txt

If you detect any of these indicators, assume that your instance has been compromised and enact your security incident response plan. Note that upgrading to a fixed version closes the hole but does not remove accounts, plugins or files an attacker has already planted; those must be found and removed as part of the response.
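As an added example (not part of the Netizen advisory or of Rapid7's write-up), the following Python script checks the signals above that can be checked mechanically: access-log requests to the /json/setup-restore* endpoints, traffic from the published IOC source addresses, and file contents against the published hashes. The log lines are constructed for the example in Combined Log Format; the regex is an assumption and will need adjusting to the AccessLogValve pattern configured in your Confluence server.xml. The severity labels are this example's own heuristic, not Rapid7's.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Endpoints named in Atlassian's interim mitigation for CVE-2023-22518.
SETUP_RESTORE_PREFIX = "/json/setup-restore"

# Source addresses Rapid7 MDR associated with exploitation (listed defanged above).
IOC_IPS = {"193.176.179.41", "193.43.72.11", "45.145.6.112"}

# Published file hashes, mapped to the artifact name.
IOC_MD5 = {"81b760d4057c7c704f18c3f6b3e6b2c4": "agttydcb.bat"}
IOC_SHA256 = {"4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe": "qnetd"}

# Combined Log Format. ASSUMPTION: adjust to the AccessLogValve pattern in your server.xml.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reasons: tuple

    def severity(self) -> str:
        # Heuristic for this example: a setup-restore request the server answered
        # with 2xx from a known attacker address is the strongest signal. A
        # setup-restore request alone still needs correlating with change records,
        # because an administrator-initiated restore uses the same endpoints.
        if "setup-restore endpoint" in self.reasons and 200 <= self.status < 300:
            return "high" if "known IOC source IP" in self.reasons else "medium"
        return "low"


def path_only(target: str) -> str:
    """Drop query string and fragment so '/json/setup-restore.action?x=1' still matches."""
    return target.split("?", 1)[0].split("#", 1)[0]


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every access-log line that touches a setup-restore endpoint or an IOC address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the configured log pattern; skip it
        path = path_only(m["target"])
        reasons = []
        if path.startswith(SETUP_RESTORE_PREFIX):
            reasons.append("setup-restore endpoint")
        if m["ip"] in IOC_IPS:
            reasons.append("known IOC source IP")
        if reasons:
            hits.append(Hit(m["ip"], m["ts"], m["method"], path, int(m["status"]), tuple(reasons)))
    return hits


def ioc_hash_match(data: bytes) -> Optional[str]:
    """Name the IOC artifact whose published hash matches `data`, or None."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return IOC_MD5.get(md5) or IOC_SHA256.get(sha256)


# Constructed sample log lines for the example; not taken from any real incident.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Nov/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.43.72.11 - - [02/Nov/2023:09:13:44 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 812 "-" "python-requests/2.31.0"',
    '10.0.0.7 - - [02/Nov/2023:09:14:02 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '45.145.6.112 - - [02/Nov/2023:09:15:10 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "curl/8.0.1"',
    '198.51.100.9 - - [02/Nov/2023:09:16:30 +0000] "GET /rest/api/content HTTP/1.1" 200 4096 "-" "curl/8.0.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.severity():6} {hit.ip:15} {hit.method:4} {hit.path} -> {hit.status}  ({', '.join(hit.reasons)})")
```

Run it against the real access logs by replacing SAMPLE_LOG with the file's lines; for the file hashes, read /tmp/agttydcb.bat and /tmp/qnetd (or any suspicious file) in binary mode and pass the bytes to ioc_hash_match. A low-severity hit on an IOC address alone is still worth pulling the surrounding log window for.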

Advisory and Immediate Action Steps

On discovering the vulnerability, Atlassian’s Chief Information Security Officer issued a statement urging immediate action. Given the potential for significant data loss, it’s critical that organizations utilizing affected Confluence versions respond as soon as possible.

In order to secure your systems:

  • Patch Immediately: Upgrade to one of the fixed versions provided by Atlassian, which include 7.19.16, 8.3.4, 8.4.4, 8.5.3 and 8.6.1, or a later release. Instances on a release branch that has no fixed version must be moved to one of the fixed branches.
  • Temporary Mitigations: If patching is not feasible immediately, you should:
    • Backup your instance.
    • Remove your instance from public internet access, if possible.
    • Apply the interim mitigation by blocking the three restore endpoints (/json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action), either at the network layer or by adding a deny rule to the web.xml configuration file in your Confluence installation. Verify the block afterwards by requesting each endpoint from outside the instance, and expect the instance's own restore-from-backup function to be unavailable while the block is in place. These mitigations are a stopgap, not a substitute for patching.
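As a check to run before and after the steps above (added here as an example; it is not Atlassian's tooling), the following Python code does two things: it classifies an installed Confluence version against the fixed releases listed above, and it parses a web.xml to report which of the three mitigation endpoints are not covered by a deny-all security-constraint. The web.xml sample is constructed for the example and deliberately leaves one endpoint uncovered. Treating versions newer than 8.6.1 as "unverified" rather than fixed is this example's own assumption; confirm against Atlassian's advisory.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Fixed releases Atlassian lists for CVE-2023-22518, keyed by release branch.
FIXED_BY_BRANCH = {(7, 19): 16, (8, 3): 4, (8, 4): 4, (8, 5): 3, (8, 6): 1}
NEWEST_FIXED = (8, 6, 1)

# Endpoints the interim mitigation must block.
MITIGATION_PATHS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '8.5.2' or '8.5.2-rc1'; reject anything that is not three numeric parts."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess_version(text: str) -> Tuple[str, str]:
    """Return (status, action) for an installed Confluence Server/Data Center version."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        fixed_patch = FIXED_BY_BRANCH[branch]
        if patch >= fixed_patch:
            return ("fixed", "no action")
        return ("vulnerable", f"upgrade to {major}.{minor}.{fixed_patch}")
    if (major, minor, patch) > NEWEST_FIXED:
        # ASSUMPTION of this example: releases newer than the newest listed fix
        # contain it. Confirm against Atlassian's advisory before relying on this.
        return ("unverified", "newer than 8.6.1; confirm against Atlassian's advisory")
    return ("vulnerable", "no fixed release in this branch; upgrade to a fixed branch")


def _covers(pattern: str, path: str) -> bool:
    """Servlet url-pattern semantics for the two forms relevant here: exact and '/prefix/*'."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])  # '/json/*' covers '/json/x.action'
    return pattern == path


def uncovered_paths(web_xml: str) -> List[str]:
    """Return the mitigation endpoints that no deny-all security-constraint in web_xml covers."""
    root = ET.fromstring(web_xml)
    blocked = []
    for sc in root.iterfind(".//{*}security-constraint"):
        auth = sc.find("{*}auth-constraint")
        # Per the servlet spec an auth-constraint with no role-name denies every
        # caller; a constraint with no auth-constraint does not restrict access.
        if auth is None or auth.find("{*}role-name") is not None:
            continue
        for wrc in sc.findall("{*}web-resource-collection"):
            blocked.extend((up.text or "").strip() for up in wrc.findall("{*}url-pattern"))
    return [p for p in MITIGATION_PATHS if not any(_covers(pat, p) for pat in blocked)]


# Constructed web.xml fragment for the example: it blocks two endpoints and forgets the third.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>setup-restore</web-resource-name>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for v in ("7.19.15", "8.2.0", "8.5.2", "8.5.3", "8.7.1"):
        print(v, *assess_version(v))
    print("still reachable:", uncovered_paths(SAMPLE_WEB_XML))
```

Point uncovered_paths at the real file (/<confluence-install-dir>/confluence/WEB-INF/web.xml) after editing it; an empty list means all three endpoints are covered by a deny-all constraint. The check only reads the file, so it does not confirm that Confluence has been restarted to pick the change up; request the endpoints from outside for that.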

For more information on CVE-2023-22518, refer to the NVD entry and Atlassian’s advisory on the vulnerability.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time – 

https://www.netizen.net/contact

Copyright © Netizen Corporation. All Rights Reserved.