Last updated at Tue, 27 Feb 2024 17:16:10 GMT
*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within the available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it is also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected, leading to further compromise.
Rapid7 Customers
Rapid7 constantly monitors emerging threats to identify areas for new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule, Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation, available for all IDR customers to detect the usage of the text-inline.vm component consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7's blog on CVE-2023-22527.
Observed Attacker Behavior
Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.
Evidence showed multiple instances of exploitation of this CVE; however, evidence of an embedded command would not be available within the standard header information logged within access logs. Packet Capture (PCAP) was not available to be reviewed to identify embedded commands, but the identified POST requests are consistent with the exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:
Access.log Entry |
---|
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 |
POST /template/aui/text-inline.vm HTTP/1.7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 |
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 |
Evidence showed the execution of a curl command post-exploitation of the CVE, resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
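The two detections described so far can be expressed as a short log-review script. The following Python is an added example, not code from the original post or from Rapid7: it parses constructed Confluence-style access log lines, reports every successful POST to text-inline.vm (the condition the InsightIDR rule keys on), and reports the stronger behavioral sequence listed in the IOC table, a successful text-inline POST followed within a time window by a GET containing "curl" from the same source IP. The log layout, the client IPs, the timestamps and the ten-minute window are assumptions; Confluence's access log pattern is configurable, so the regular expression has to be adapted to the deployment's format.

```python
import re
from datetime import datetime, timedelta

TEXT_INLINE = "/template/aui/text-inline.vm"

# Assumed log layout (Confluence's access log pattern is configurable; adjust LINE_RE):
#   [timestamp] client_ip "METHOD path HTTP/x.y" status <duration>ms bytes referer "user-agent"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<ms>\d+)ms\s+(?P<bytes>\S+)\s+(?P<referer>\S+)\s+'
    r'"(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from the incident). 203.0.113.10 reproduces the reported
# sequence, 198.51.100.20 is a rejected attempt, and 192.0.2.44 is benign traffic that
# happens to use curl without any preceding text-inline POST.
SAMPLE_LOG = """\
[15/Feb/2024:11:02:10 +0000] 203.0.113.10 "POST /template/aui/text-inline.vm HTTP/1.0" 200 5961ms 7753 - "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"
[15/Feb/2024:11:02:41 +0000] 203.0.113.10 "GET /rest/api/content?limit=1 HTTP/1.0" 200 12ms 318 - "curl/8.5.0"
[15/Feb/2024:11:05:03 +0000] 198.51.100.20 "POST /template/aui/text-inline.vm HTTP/1.0" 403 3ms 0 - "Mozilla/5.0"
[15/Feb/2024:11:07:55 +0000] 192.0.2.44 "GET /dashboard.action HTTP/1.1" 200 88ms 4120 - "Mozilla/5.0"
[15/Feb/2024:11:09:30 +0000] 192.0.2.44 "GET /status HTTP/1.1" 200 2ms 15 - "curl/8.5.0"
"""


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def _is_text_inline_post(rec):
    # A 200 on text-inline.vm means the server processed the template request.
    return rec["method"] == "POST" and rec["path"].startswith(TEXT_INLINE) and rec["status"] == 200


def find_text_inline_posts(lines):
    """Every successful POST to text-inline.vm: the alert rule's trigger condition."""
    return [rec for rec in map(parse_line, lines) if rec and _is_text_inline_post(rec)]


def find_exploit_sequences(lines, window=timedelta(minutes=10)):
    """Successful text-inline POST followed, within `window`, by a GET containing 'curl'
    (in the request line or user agent) from the same client IP."""
    last_post = {}   # ip -> timestamp of its most recent successful text-inline POST
    sequences = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if _is_text_inline_post(rec):
            last_post[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and "curl" in (rec["path"] + " " + rec["ua"]).lower():
            post_ts = last_post.get(rec["ip"])
            if post_ts is not None and timedelta(0) <= rec["ts"] - post_ts <= window:
                sequences.append({"ip": rec["ip"], "post_ts": post_ts, "get_ts": rec["ts"]})
    return sequences


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in find_text_inline_posts(lines):
        print("text-inline POST 200 from", rec["ip"], "at", rec["ts"])
    for seq in find_exploit_sequences(lines):
        print("POST-then-curl sequence from", seq["ip"], seq["post_ts"], "->", seq["get_ts"])
```

The standalone POST match is noisy on its own (legitimate template rendering can hit the same path), which is why the sequence detector keys on the follow-on GET from the same IP; in practice feed it the full day's log so the window check has the preceding POST available.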
As a result of the executed curl command, the file w.sh was written to the /tmp/ directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executes a wget command to download javs.tar.gz from IP address 38.6.173[.]11 over port 80. The file was identified as XMRigCC cryptomining malware, which caused a spike in system resource utilization consistent with cryptomining activity. The service javasgs_miner.service was created on the system and set to run as root to ensure persistence.
The following is a snippet of code contained within w.sh defining communication parameters for the downloading and execution of the XMRigCC binary.
![](http://blog.wsimobile180.com/content/images/2024/02/Screenshot-2024-02-15-at-11.36.41-AM.png)
Rapid7 found additional log evidence within Catalina.log that references the download of the above file inside of an HTTP response header. This response registered as 'invalid' as it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the following Catalina log entry may prove useful for analysts to identify additional proof of attempted or successful exploitation.
Catalina Log Entry |
---|
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gzxmrigCC-3.4.0-linux-generic-static-amd64.tar.gz... ] has been removed from the response because it is invalid |
Rapid7 then shifted focus to begin a review of system network connections on both servers. Evidence showed an active connection with known-abused IP address 193.29.13[.]179 communicating over port 8888 from both servers. netstat command output showed that the network connection's source program was called X-org and was located within the system's /tmp directory. Per firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamps of the identified X-org file creation. Rapid7 identified another malicious file residing on the secondary server named X0. Both files shared the same SHA256 hash, indicating that they are the same binary. The hash for these files has been provided below in the IOCs section.
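The network connection review described above can be scripted for triage across many hosts. The following Python is an added example, not Rapid7's tooling: it parses a constructed `ss -tnp` snapshot, flags sockets whose peer is the Sliver C2 address or port from this report, and separately flags any socket-owning process whose executable resolves to /tmp, /dev/shm or /var/tmp, the directories the attacker staged binaries in. The local addresses, the PIDs and the pid-to-executable map are made up; on a live Linux host `live_exe_map` resolves /proc/<pid>/exe instead of using the constructed map.

```python
import os
import re

C2_IPS = {"193.29.13.179"}   # Sliver C2 address from the IOC table
C2_PORT = 8888               # port observed in the netstat and firewall review
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed `ss -tnp` snapshot (not taken from the incident). The peer IP and port
# on the first row are the page's IOCs; local addresses and PIDs are invented.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB  0      0      10.0.0.5:49812      193.29.13.179:8888   users:(("X-org",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:8090       192.0.2.10:51234     users:(("java",pid=1337,fd=12))
ESTAB  0      0      10.0.0.5:40110      198.51.100.9:443     users:(("java",pid=1337,fd=40))
"""
# Constructed /proc/<pid>/exe resolutions for the PIDs above.
SAMPLE_EXE = {4242: "/tmp/X-org", 1337: "/opt/java/bin/java"}

SS_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+(?P<proc>users:\(.*\)))?\s*$'
)
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(lines):
    """Turn `ss -tnp` output into a list of connection dicts (header and blank lines skipped)."""
    conns = []
    for line in lines:
        if not line.strip() or line.startswith("State"):
            continue
        m = SS_RE.match(line)
        if not m:
            continue
        peer_ip, _, peer_port = m.group("peer").rpartition(":")
        pm = PROC_RE.search(m.group("proc") or "")
        conns.append({
            "state": m.group("state"),
            "local": m.group("local"),
            "peer_ip": peer_ip.strip("[]"),   # drop IPv6 brackets if present
            "peer_port": int(peer_port),
            "proc": pm.group("name") if pm else None,
            "pid": int(pm.group("pid")) if pm else None,
        })
    return conns


def find_c2_connections(conns, c2_ips=C2_IPS, c2_port=C2_PORT):
    """Sockets talking to the known C2 address, or to its port (port-only matches are leads, not proof)."""
    return [c for c in conns if c["peer_ip"] in c2_ips or c["peer_port"] == c2_port]


def find_staging_dir_processes(conns, pid_to_exe):
    """Socket owners whose binary lives in a world-writable staging directory."""
    flagged = []
    for c in conns:
        exe = pid_to_exe.get(c["pid"], "")
        if exe.startswith(STAGING_DIRS):
            flagged.append({**c, "exe": exe})
    return flagged


def live_exe_map(pids):
    """On a live Linux host, resolve /proc/<pid>/exe for each PID; a deleted binary
    (common after a dropper cleans up) shows a ' (deleted)' suffix in the link target."""
    out = {}
    for pid in pids:
        try:
            out[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            pass   # process exited or insufficient privilege
    return out


if __name__ == "__main__":
    conns = parse_ss(SAMPLE_SS.splitlines())
    for c in find_c2_connections(conns):
        print("C2 socket:", c["proc"], c["pid"], "->", c["peer_ip"], c["peer_port"])
    for c in find_staging_dir_processes(conns, SAMPLE_EXE):
        print("executable in staging dir:", c["exe"], "pid", c["pid"])
```

To run this against a live host, replace `SAMPLE_SS` with the output of `ss -tnp` (run as root so the process column is populated) and pass `live_exe_map({c["pid"] for c in conns if c["pid"]})` as the executable map. The two checks are deliberately independent: the C2 match finds this campaign, while the staging-directory check catches the same tradecraft with a different C2 address.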
A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available Indicators of Compromise (IOCs). Within the Sliver payload, Rapid7 confirmed that the IP address 193.29.13[.]179 would communicate over port 8888 using the mTLS authentication protocol.
![](http://blog.wsimobile180.com/content/images/2024/02/Screenshot-2024-02-15-at-11.38.04-AM.png)
After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read etc/passwd and etc/machine-id, and then communicated back with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and any account on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic, further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.
The Sliver C2 connection was later used to execute wget commands to download Kerbrute, Traitor, and Fscan to the servers. Kerbrute was executed from dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. The Traitor binary was executed from the var/tmp directory and contains the functionality to leverage Pwnkit and Dirty Pipe, as seen within evidence on the system. Fscan was executed from the var/tmp directory with the file name f and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.
Mitigation Guidance
To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:
- Ensure that unnecessary ports and services are disabled on publicly-facing servers.
- All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.
- Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.
- Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.
- Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.
MITRE ATT&CK Techniques
Tactics | Techniques | Details |
---|---|---|
Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection |
Discovery | Domain Account Discovery (T1087) | Kerbrute enumeration of Active Directory |
Reconnaissance | Active Scanning (T1595) | Fscan enumeration |
Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation |
Execution | Unix Shell (T1059.004) | The Sliver payload and follow-on command executions |
Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute force component |
Credential Access | OS Credential Dumping (T1003.008) | Extracting the contents of /etc/passwd file |
Impact | Resource Hijacking (T1496) | Execution of cryptomining software |
Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline abuse within Confluence logs |
Indicators of Compromise
Attribute | Value | Description |
---|---|---|
File Name and Path | /dev/shm/traitor-amd64 | Privilege escalation binary |
SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash of Traitor binary |
File Name and Path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory |
SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash of Kerbrute binary |
File Name and Path | /var/tmp/f | Fscan enumeration |
SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash of Fscan binary |
File Name and Path | /tmp/X0 | Sliver binary |
SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of Sliver binary |
File Name and Path | /tmp/X-org | Sliver binary |
SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of Sliver binary |
IP Address | 193.29.13.179 | Sliver C2 IP address |
File Name and Path | /tmp/w.sh | Bash script for XMRigCC cryptominer |
SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash of bash script |
File Name and Path | /tmp/javs.tar.gz | Compressed cryptominer installation files |
SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash of cryptominer installation files |
Behavior-based IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by GET request containing curl | Exploit behavior within Confluence access.log |
IP Address | 195.80.148.18 | IP address associated with exploit behavior of text-inline followed by curl |
IP Address | 103.159.133.23 | IP address associated with exploit behavior of text-inline followed by curl |
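The file-based indicators in the table can be swept for on a host with a short script. The following Python is an added example, not part of the original post or Rapid7's tooling: it hashes every regular file under the staging directories the attacker used (/tmp, /dev/shm, /var/tmp) and compares the digests against the SHA256 values above, reports weaker file-name-only matches separately (a name like `f` is common enough that it is only a lead), and checks the systemd directories for the `javasgs_miner.service` unit the miner used for persistence. The `demo()` function builds a constructed directory tree so the sweep can be exercised without touching the live host; the file contents and the extra hash it registers are made up.

```python
import hashlib
import os
import tempfile

# SHA256 values and file names from the IOC table.
IOC_SHA256 = {
    "fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376": "Traitor binary",
    "710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a": "Kerbrute binary",
    "b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59": "Fscan binary",
    "29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736": "Sliver binary",
    "8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0": "w.sh dropper script",
    "ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b": "javs.tar.gz miner archive",
}
IOC_FILENAMES = {"traitor-amd64", "kerbrute_linux_amd64", "f", "X0", "X-org", "w.sh", "javs.tar.gz"}
PERSISTENCE_UNIT = "javasgs_miner.service"
STAGING_DIRS = ("/tmp", "/dev/shm", "/var/tmp")
SYSTEMD_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system")


def sha256_file(path):
    """Stream a file through SHA256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(staging_dirs=STAGING_DIRS, systemd_dirs=SYSTEMD_DIRS, extra_hashes=None):
    """Return a list of hits. kind == 'hash' is authoritative, 'name' is a lead to
    inspect manually, 'persistence' means the miner's unit file is present."""
    known = dict(IOC_SHA256)
    known.update(extra_hashes or {})
    hits = []
    for d in staging_dirs:
        for root, _dirs, files in os.walk(d):   # a missing directory simply yields nothing
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue   # unreadable (permissions, vanished between listing and open)
                if digest in known:
                    hits.append({"kind": "hash", "path": path, "ioc": known[digest]})
                elif name in IOC_FILENAMES:
                    hits.append({"kind": "name", "path": path, "ioc": name})
    for d in systemd_dirs:
        unit = os.path.join(d, PERSISTENCE_UNIT)
        if os.path.exists(unit):
            hits.append({"kind": "persistence", "path": unit, "ioc": PERSISTENCE_UNIT})
    return hits


def demo():
    """Exercise sweep() against a constructed tree instead of the live filesystem."""
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "tmp")
        unit_dir = os.path.join(root, "etc", "systemd", "system")
        os.makedirs(tmp)
        os.makedirs(unit_dir)
        stand_in = b"constructed stand-in, not the real Sliver binary\n"
        with open(os.path.join(tmp, "X-org"), "wb") as fh:
            fh.write(stand_in)
        with open(os.path.join(tmp, "f"), "wb") as fh:
            fh.write(b"constructed scanner stand-in, different content\n")
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"benign file that must not be reported\n")
        with open(os.path.join(unit_dir, PERSISTENCE_UNIT), "w") as fh:
            fh.write("[Service]\nExecStart=/tmp/constructed-placeholder\n")
        # Register the stand-in's digest as if it were in the IOC list, so the hash path runs.
        extra = {hashlib.sha256(stand_in).hexdigest(): "Sliver binary (constructed stand-in)"}
        return sweep([tmp], [unit_dir], extra_hashes=extra)


if __name__ == "__main__":
    for hit in demo():
        print(hit["kind"], hit["path"], hit["ioc"])
```

Run `sweep()` with its defaults as root on a suspect host; run `demo()` to see the three hit kinds without touching the host. Hash matching is what confirms this campaign, while the name and persistence checks also catch a rebuilt binary whose hash has changed.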