Guides
Work in progress post
Ok so i posted a snipped of PowerShell on LinkedIn for hunting the confluence logs using a pattern match for ${ (after we have URL decoded (twice). This is just an example of how to parse log files using PS1 so it’s clearly very basic but i wanted to give people an idea of what we do when we “GREP” the logs:
Read more “Searching Confluence Logs with PowerShell”
Threat Intel
We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.
THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged
XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.
This is a fast publish
POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
https://github.com/jbaines-r7/through_the_wire
keep checking vendor guidance and keep checking this for updates… use at own risk etc.
Workaround/Hotfixes have been published by Atlassian:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
https://jira.atlassian.com/browse/CONFSERVER-79000
GreyNoise Tag is online: GreyNoise Trends
Also check this out for scanners: GreyNoise
Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!
IT MAY BE WISE TO ASSUME BREACH
The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar
Velocity discovers a zero-day in confluence 03/06/2022 (GMT)