A malicious actor, tracked as TAC-040, exploited the Atlassian Confluence CVE-2022-26134 flaw to deploy the previously undetected Ljl Backdoor.
According to the cybersecurity company Deepwatch, a hostile actor identified as TAC-040 most likely used the Atlassian Confluence servers' CVE-2022-26134 vulnerability to install the Ljl Backdoor, a previously undetectable backdoor. Attackers used the weakness to launch an attack against an undisclosed research and technical services company.
Network log analysis indicates that TAC-040 exfiltrated about 700MB of data from the victim system during the seven-day attack in May.
"ATI's thorough investigation revealed that the attack took place during a seven-day span in late May. TAC-040 probably took advantage of a flaw on an Atlassian Confluence server. Evidence suggests that the threat actor used tomcat9.exe as a parent process to execute malicious commands in the Atlassian Confluence directory. reads the analysis that Deepwatch published.
best dedicated server hosting wordpress
Experts have also speculated that attackers could have exploited the Spring4Shell vulnerability (CVE-2022-22965) to gain initial access to the Confluence web application.
After the initial compromise, the attackers ran multiple commands to enumerate the local system, network, and Active Directory environment.
Researchers discovered the presence of an XMRig crypto-miner on the compromised system.
“The threat actor likely used a memory-based webshell or chose to run commands directly through the
exploit, because no command dropper or forensic record of a webshell on disk was recovered. Several open source reports detail similar defense/detection avoidance techniques regarding the CVE2022-26134 exploit, but technical details on these techniques are sparse. continues the report.
The Deepwatch Threat Intel team has confirmed that the ljl backdoor is a never-before-seen persistent backdoor that implements the following functionality:
- Reverse proxy.
- Asks if the victim is active or inactive.
- Exfiltrate files/directories.
- Load arbitrary and remotely downloaded .NET assemblies as “plugins”.
- Get user accounts.
- Get the foreground window and window text.
- Obtain victim system information such as CPU name, GPU name, hardware ID, bios manufacturer,
- Motherboard name, total physical memory, LAN IP address and mac address.
- Get geographical information about the victim, such as ASN, ISP, country name, country code,
region name, area code, city, zip code, continent name , continent code, latitude, longitude, metro code, time zone and date and time.
Once TAC-040 achieved persistence on the target systems, it used various publicly available open-source tools cloned from GitHub, including:
- Open source tools cloned from GitHub:
- NetRipper
- PowerSploit
- Summon-Vnc
- CME-PowerShell-Scripts
- CrackMapExec: attack framework with several tools
- Summon-Obfuscation
- SessionGopher
- cutepenguin
- mimikittenz
- RID_Hijacking
- RandomPS-Scripts
Although the finding of the XMRig crypto-miner on the system shows that it might be financially motivated, analysts can only make educated guesses as to who is behind TAC-040 at this time.
The threat actors for the group maintained Monero address has generated at least 652 XMR (more than $100,000).
"There are a few questions that have yet to be resolved in this field of action. First, because to visibility gaps, we are unsure of TAC040's aims and objectives. TAC-040's intended use was probably espionage-related, though. fully rule out the possibility that they had financial objectives. For the Threat Intel team to feel confident in this theory, more proof is required.
the report comes to an end.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
(Security cases – hack, Ljl backdoor)