# Recent Attack Uses Vulnerability on Confluence Server

**[fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server](https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server)**

October 21, 2021

**[FortiGuard Labs Threat Research Report](https://www.fortinet.com/fortiguard/labs.html?utm_source=blog&utm_medium=campaign&utm_campaign=FortiGuardLabs)**

**Affected platforms: Atlassian’s Confluence**

**Impacted parties: Confluence Server or Data Center instance**

**Impact: An OGNL injection vulnerability exists that would allow an unauthenticated user to**
execute arbitrary code

**Severity level: Critical**

## Introduction of CVE-2021-26084

[In August 2021, Atlassian published a security advisory about](https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html) [CVE-2021-26084 that could](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084)
enable a threat actor to run arbitrary code on unpatched Confluence Server and Data Center
[instances. FortiGuard Labs analyzed the situation and published a Threat Signal with](https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_campaign=fortiguardlabs)
relevant information. After releasing the advisory, there occur massive scanning and proof-of

-----

concept exploit code in public. We also collect a lot attacking traffic. In this blog we will
analyze the payloads leveraging this vulnerability, deep dive into the attack and summarize
the IOCs for these suspicious activities that may hint the network was affected by CVE-202126084.

## Overview of CVE-2021-26084 Incidents

In September, we observed numerous threat actors targeting this vulnerability whose goal
was to download a malicious payload that would install a backdoor or miner in a user’s
network. These threats include Cryptojacking, Setag backdoor, Fileless attack that uses
[PowerShell in a system to execute shell without file dropped and Muhstik botnet; we will](https://www.fortinet.com/blog/threat-research/offense-and-defense-a-tale-of-two-sides-powershell?utm_source=blog&utm_campaign=offense-and-defense-a-tale-of-two-sides-powershell)
elaborate each of them in this analysis.

Although there are different attack vectors for this vulnerability, all of these attacks are
targeting the parameter “queryString” which is shown in following packet capture:

Fileless attack leverage CVE-2021-26084

## Cryptojacking

After exploiting CVE-2021-26084, it downloads init.sh from 86.105.195[.]120. The shell is a
crypto miner that includes following tasks:

1. Delete syslog
2. Change commonly used command
3. Stop aliyun services and apparmor
4. Set the path for miner execution file (zzh) and itself but rename as newinit.sh
5. Kill all other miner processes
6. Use crontab to establish persistence
7. Get scanning shell (is.sh)
8. Clean the trace

Payload Exploits CVE-2021-26084

Inti.sh

In the scanning shell, it will try to download a scanning tool, like Masscan, Pnscan, etc, which
can be used to scan and survey IPv4 TCP network in order to discover live host to proceed
the spreading. The downloader path is shown as below. It also downloads a shell that
defines specific steps for the scan. First, get the login brute force tool hxx (md5:
f0551696774f66ad3485445d9e3f7214) and account/password list ps (md5:
a43ad8a740081f0b5a89e219fe8475a3), then scan the subnet belong to private network
(172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8). This is to allow the malware to login into
more devices in victim’s intranet and spread miner script (init.sh).


-----

Downloader path in is.sh

Scannng steps in rs.sh

The entire workflow can be seen below.

Confluence server

## Setag

The following exploit traffic was observed from IP address 86.105.195.154 (AS 3164 Astimp
IT Solution SRL). Setag, also known as BillGates or Ganiw, belongs to a well-known
malware family that targets server via 1 day vulnerability. It mainly uses
[UDP/SYN/ICMP/DNS floods to conduct DDoS attack. But it also has various command can](https://www.fortinet.com/products/ddos/fortiddos.html?utm_source=blog&utm_campaign=ddos)
check its own status or control their victims. The command for dos attack or controlling their
victims can be seen in following rawdata:

Syna

## Fileless Attack

The observed packet is from 141.98.83.139 (AS 209588 Flyservers S.A.) and the main
payload is b64 encoded. The decoded data is as follow:

First layer decoded data

We can see that the payload is constructed and executed via PowerShell. The final
execution will set “WindowStyle” to hidden and “CreateNoWindow” to True, which is to put
itself out of sight. We decoded those data in the middle and replace {0} and {1} with “=” and
“P”, then 2nd layer payload data

Second layer payload data

It defined two functions, and one variable that contain the main exploit code. After converting
the code in $sG, it will use VirtualAlloc to reserve a part of memory. Then it uses
CreateThread to invoke the malicious code. So what exactly $sG is? After b64 decoding, we
get about 570 bytes binary data as below:

570 bytes binary data

To dive deep in to this, we have to check this binary by IDA. Following the first call into
loc_D6, it puts ws2_32 and move edx, 726774ch, and this is the hash value of LoadLibrary
function, the detail code is as below:

The hash value of LoadLibrary function


-----

It is a reverse shell meterpreter shellcode that connects to exploit source 141.98.83[.]139 via
tcp port 23733. Since the port now is closed, we only managed to capture the following
packets. But the entire attack process only leveraged PowerShell to decode layer by layer,
and uses hidden window style to hide itself. And finally, create a thread to achieve the
reverse shell. Not a single file is dropped in the entire attack, which is known as fileless
attack.

## Muhstik

By exploiting CVE-2021-26084, it downloads conf2 from 149.28.85[.]17. The file will deploy
and execute dk86 from 188.166.137[.]241 and ldm script. The attack scenario afterward is
[analyzed in this article, but we observed a different server IP and more attack source IP](https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/)
which is intended to spread conf2 of Muhstik.

Different conf2 downloader

## Conclusion

We have been tracking this vulnerability for weeks and observing massive threat exploitation
targeting Atlassian Confluence. Although the patch for CVE-2021-26084 is already released,
public attacks are still undergoing. In this post, we gave detail of those attacks and illustrate
how they using the payload to deliver malware, users should upgrade the system
immediately and also apply Fortiguard protection to avoid the threat probing.

## Fortinet Protections

[For vulnerability CVE-2021-26084, Fortinet already release IPS signature](https://www.fortinet.com/products/data-center-ips.html?utm_source=blog&utm_campaign=ips-page)
Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution for it to proactive protect
our customer. For payloads described are detected and blocked by the FortiGuard AntiVirus.

The downloading URLs and attacker's IP addresses have been rated as "Malicious
Websites" by the [FortiGuard Web Filtering service.](https://www.fortinet.com/support-and-training/support-services/fortiguard-security-subscriptions/web-filtering.html?utm_source=blog&utm_campaign=web-filtering)

## IOC

Value Item

86.105.195.154 Cryptojacking expolit source IP address

86.105.195.120 Cryptojacking dropper hosting IP address


-----

911e417b9bc8689a3eed828f0b39f579 hxxp://86.105.195.120/cleanfda/init.sh

hxxp://86.105.195.120/cleanfda/newinit.sh

75259ee2db52d038efea5f939f68f122 hxxp://86.105.195.120/cleanfda/zzh

4a7bf7f013cc2297d62627b2b78c5b0b hxxp://86.105.195.120/cleanfda/is.sh

8cc2b831e29dc9f4832a162e9f425649 hxxp://86.105.195.120/cleanfda/rs.sh

2.57.33.59 Setag expolit source IP address

209.141.50.210 Setag dropper hosting IP address

a8eb59396d698bda5840c8b73c34a03b hxxp://209.141.50.210/syna

141.98.83.139 Fileless attack expolit source IP address

1b8a7954b9630be2e0dd186a4fc6a32a 2nd layer payload data

bf8a7b199f3293852c7f2b3578e8c0ae Binary shellcode


98.239.93.20

87.106.194.46

51.75.195.137

34.247.148.227

121.196.25.170

221.168.37.77

122.9.48.250

18.182.153.49


Muhstik exploit source IP address


149.28.85.17 Conf2 dropper hosting IP address

6078c8a0c32f4e634f2952e3ebac2430 hxxp://149.28.85.17/conf2


-----

_Learn more about Fortinet s_ _[FortiGuard Labs threat research and intelligence organization](https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_campaign=fortiguard-labs)_
_[and the FortiGuard Security Subscriptions and Services portfolio.](https://www.fortinet.com/fortiguard/labs?tab=security-bundles&utm_source=blog&utm_campaign=security-bundles)_

_Learn more about Fortinet’s_ _[free cybersecurity training, an initiative of Fortinet’s Training](https://www.fortinet.com/training/cybersecurity-professionals?utm_source=blog&utm_medium=campaign&utm_campaign=Freetraininginitiative)_
_Advancement Agenda (TAA), or about the_ _Fortinet Network Security Expert_
_[program, Security Academy program, and](https://training.fortinet.com/local/staticpage/view.php?page=fnsa&utm_source=pr&utm_campaign=fnsa)_ _[Veterans program. Learn more about FortiGuard](https://www.fortinet.com/corporate/careers/vets.html?utm_source=blog&utm_campaign=fortivet)_
_Labs global threat intelligence and research and the FortiGuard Security Subscriptions and_
_Services portfolio._


-----