Detecting “Effluence”, An Unauthenticated Confluence Web Shell

Discovering Effluence, a unique web shell accessible on every page of an infected Confluence server.

Summary

Stroz Friedberg Incident Response Services observed the use of novel malware, dubbed "Effluence," in combination with exploitation of a recent Atlassian Confluence vulnerability. Once implanted, the malware acts as a persistent backdoor and is not removed by applying patches to Confluence. The backdoor provides capability for lateral movement to other network resources as well as exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence. The malware is difficult to detect, and organizations with Confluence servers are advised to investigate thoroughly, even if a patch was applied.

 

Background

Stroz Friedberg was engaged to help a client perform diligence after they discovered that they had a known vulnerable (CVE-2023-22515) Atlassian Confluence Data Center server near the edge of their network. This vulnerability allows an attacker to gain unauthorized access to the administrative areas of a Confluence server.

In this specific client engagement, the cybercriminal gained initial access via the vulnerability above and embedded a novel web shell into the Confluence server, which gave them persistent access to every web page on the server without the need for a valid user account. Typical web shells encountered in Confluence exploits are uploaded through the Confluence plugin mechanism, e.g., https://github.com/dubfr33/atlassian-webshell-plugin. Such web shells are accessible only to a user who has signed into Confluence, or else they hook a single web page of the web server, so the attacker must request that exact page, for example, http://example.com/webshell.jsp.

The web shell encountered during Stroz Friedberg’s investigation, however, hijacks the underlying Apache Tomcat web server and silently inserts itself between Confluence and Tomcat, making itself available on every web page, including the unauthenticated login page. The web shell does not change the web pages themselves and lets requests pass through it unnoticed until a request matches specific parameters.

Stroz Friedberg identified this web shell on public malware repositories with no detections, indicating others may be at risk of this malware. Given ongoing attacks against Confluence, this post aims to raise awareness and provide initial detection methods. Public analysis of the inner workings of the malware will be published at a later date.


Technical Overview

The web shell is split into two parts, a loader and a payload. The loader acts as a normal Confluence plugin but uses a modified copy of a legitimate Java collections class, similar to IdentityHashMap, to hide its malicious payload. The loader is triggered via an overridden equals() method, which decrypts the payload into a byte array containing a Java class and then loads that class via reflection, so the raw Java class is never written to the filesystem. Once the payload is loaded, it runs a function that hides the plugin among the Confluence “System Apps”, whereas a user-loaded plugin would normally appear under “User-Installed Apps”.

The web shell traverses internal structures reachable through the ServletContextFactory interface in order to locate Tomcat’s internal applicationEventListenersList and add itself to it. It implements a ServletRequestListener, so that every request to the Confluence server passes through the web shell first, including all pages accessible to unauthenticated users. Because the web shell is reachable from the login page, attackers can trigger it without needing to maintain Confluence user access. The web shell itself takes no action unless a particular query parameter is supplied. When triggered, the web shell can execute any of the following functions (which closely align with those of a Godzilla web shell plugin):

  • Create a new administrator account to gain full control over the system.
  • Purge application logs to erase traces of unauthorized access.
  • Run any command on the host server.
  • Browse through the file system to inspect the structure and contents of directories.
  • Delete any file on the server.
  • Modify the timestamps of files to hide when they were last edited.
  • Read the contents of any file.
  • Edit any file, enabling the alteration of data or system settings.
  • Enumerate all Confluence collaboration spaces, capturing details such as space name, date of creation, title, creator, recent modifiers, modification dates, and their respective URLs.
  • Conceal unauthorized plugin uploads by misrepresenting them as official System Plugins rather than User Plugins.
  • Extract detailed LDAP configurations, including various identifiers, statuses, encryption settings, descriptions, types, classes, creation and update dates, permissible operations, and custom LDAP attributes specified within Confluence.
  • Acquire comprehensive information on configured mail servers, including names, protocols, host details, ports, login credentials, descriptions, and proxy configurations.
  • Collect environmental variables from the server, which may reveal system configuration and sensitive information.
  • Compile extensive user information such as usernames, full names, email addresses, the encryption status of credentials, actual user credentials, contact numbers, instant messaging handles, job titles, departments, locations, login frequency, account statuses, group memberships, and associated directory IDs.
  • Deploy additional plugins that could offer more features or vulnerabilities to exploit.
  • Remove users from Confluence.
  • Search and retrieve specific content from within Confluence pages, potentially accessing confidential or proprietary information.
  • Uninstall plugins.
  • Change user passwords, allowing for unauthorized access to user accounts.
  • Log usernames and passwords utilized during login attempts, which could be used for further unauthorized access to systems and data.

 

Preliminary Detection

To assist in identifying this web shell in an environment, the below includes multiple detections for this web shell. Please take note: at this time, patching Confluence to address CVE-2023-22515 and CVE-2023-22518 will not remediate the web shell if it has been deployed.

Endpoint Detection and Response / File Integrity Monitoring

This detection looks for plugins created in the Atlassian plugin directories. It only identifies that a plugin was installed, not whether that plugin is malicious, so every plugin it surfaces still needs to be reviewed. To find installed plugins, look for files with a “.jar” extension in any of the following directories:

  • <confluence_install_dir>/temp/
  • <confluence_app_dir>/application_data/plugins-osgi-cache/transformed-plugins/
  • <jira_app_dir>/application_data/plugins/installed-plugins/
  • <bitbucket_app_dir>/application_data/shared/plugins/installed-plugins/

Due to the customizable nature of Confluence installations, it is prudent to check other Confluence related directories including plugin-cache and bundled-plugins.
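As an added example (not code from the original post or from Stroz Friedberg), the following Python script turns the directory check above into a triage inventory: it walks the given directories, records size, modification time and SHA-256 for every .jar, and pulls the plugin key out of the atlassian-plugin.xml descriptor that Atlassian plugins carry at the JAR root. The default directory paths, the descriptor layout and the two sample JARs it builds for a demo run are assumptions; on a real host, pass the actual plugin directories and compare the keys and hashes against a known-good inventory.

```python
"""Plugin JAR inventory for Confluence triage (added example, not from the original post)."""
import hashlib
import os
import sys
import tempfile
import time
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Assumed default locations; pass the real plugin directories on the command line.
DEFAULT_DIRS = [
    "/opt/atlassian/confluence/temp",
    "/var/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins",
]
DESCRIPTOR = "atlassian-plugin.xml"  # descriptor Atlassian plugins carry at the JAR root


@dataclass
class PluginJar:
    path: str
    size: int
    mtime: float
    sha256: str
    plugin_key: Optional[str]  # None when the JAR has no readable descriptor


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def plugin_key(path: str) -> Optional[str]:
    """Return the key attribute of atlassian-plugin.xml inside the JAR, or None."""
    try:
        with zipfile.ZipFile(path) as z:
            if DESCRIPTOR not in z.namelist():
                return None
            return ET.fromstring(z.read(DESCRIPTOR)).get("key")
    except (zipfile.BadZipFile, ET.ParseError):
        return None  # corrupt archive or descriptor: still listed, still worth a look


def inventory(dirs: List[str]) -> List[PluginJar]:
    """Every .jar below the given directories, newest modification time first."""
    found: List[PluginJar] = []
    for d in dirs:
        for dirpath, _, files in os.walk(d):
            for name in files:
                if not name.lower().endswith(".jar"):
                    continue
                p = os.path.join(dirpath, name)
                st = os.stat(p)
                found.append(PluginJar(p, st.st_size, st.st_mtime, sha256_of(p), plugin_key(p)))
    found.sort(key=lambda j: j.mtime, reverse=True)
    return found


def installed_since(jars: List[PluginJar], days: float, now: Optional[float] = None) -> List[PluginJar]:
    """JARs whose mtime falls within the last `days` days (scope to the exposure window)."""
    now = time.time() if now is None else now
    return [j for j in jars if now - j.mtime <= days * 86400]


def make_sample_plugin_dir() -> str:
    """Constructed sample data for a demo run: one JAR with a descriptor, one without."""
    d = tempfile.mkdtemp(prefix="plugins-")
    with zipfile.ZipFile(os.path.join(d, "hidden.jar"), "w") as z:
        z.writestr(DESCRIPTOR, '<atlassian-plugin key="com.example.hidden" name="Hidden"/>')
    with zipfile.ZipFile(os.path.join(d, "nodesc.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return d


if __name__ == "__main__":
    dirs = sys.argv[1:] or [make_sample_plugin_dir()]
    for j in inventory(dirs):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(j.mtime))
        print(stamp, j.sha256[:16], j.plugin_key or "-", j.path)
```

A JAR with no descriptor, a plugin key that matches nothing in the change records, or a modification time inside the window in which the server was exposed is what to chase first; the hash lets the same file be matched across the temp, cache and installed-plugins directories.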

 

Web Log Analysis

Detecting usage of this web shell depends on review of the web server access logs. Because of the way the web shell hooks requests, there are no obvious Indicators of Compromise (IOCs) in the web logs for its usage. However, potential usage may be found by reviewing access to static Confluence pages, such as “/login.action”, where the response size would normally be stable but instead varies. For example, Figure 1 shows successful requests to “/login.action” with response sizes that vary between 826 and 2574 bytes:

Figure 1. Examples of malicious requests from logs located at /opt/atlassian/confluence/logs/conf_access_log.log

While Stroz Friedberg is still gathering information about this particular malware, an early recommendation is to baseline the environment: establish the normal range of response sizes for such pages, then hunt for responses that fall outside that range.
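The baselining described above, as an added example that is not part of the original post: the script parses access log lines, groups successful responses for a chosen path, takes the median size and a median-absolute-deviation tolerance (with a floor so that a page that always returns the same byte count does not flag one-byte differences), and returns the requests that fall outside it. The log layout assumed is Tomcat's common "%h %l %u %t \"%r\" %s %b" pattern, the sample lines are constructed rather than real data, and the 826/2574-byte sizes merely echo the range quoted above; adjust the regex to the pattern configured for conf_access_log.log on the host.

```python
"""Response-size baselining over access log lines (added example, not from the original post)."""
import re
import statistics
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumed layout: Tomcat AccessLogValve pattern "%h %l %u %t \"%r\" %s %b".
# Adjust the regex if the host's conf_access_log.log uses a different pattern.
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)


class Hit(NamedTuple):
    host: str
    time: str
    method: str
    path: str    # request path without the query string
    query: str   # query string, kept because the shell triggers on a parameter
    status: int
    size: int    # response bytes; "-" (no body) is counted as 0


def parse(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path, _, query = m["target"].partition("?")
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append(Hit(m["host"], m["time"], m["method"], path, query, int(m["status"]), size))
    return hits


def baseline(hits: List[Hit], path: str, status: int = 200,
             k: float = 5.0, floor: int = 64) -> Optional[Tuple[float, float]]:
    """Median response size for `path` and a tolerance of k*MAD, never below `floor` bytes."""
    sizes = [h.size for h in hits if h.path == path and h.status == status]
    if not sizes:
        return None
    med = statistics.median(sizes)
    mad = statistics.median([abs(s - med) for s in sizes])
    return med, max(k * mad, floor)


def outliers(hits: List[Hit], path: str, status: int = 200,
             k: float = 5.0, floor: int = 64) -> List[Hit]:
    """Requests for `path` whose response size leaves the baseline band."""
    b = baseline(hits, path, status, k, floor)
    if b is None:
        return []
    med, tol = b
    return [h for h in hits if h.path == path and h.status == status and abs(h.size - med) > tol]


# Constructed sample lines in the assumed format (not real log data).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 826
10.0.0.6 - - [06/Nov/2023:09:13:44 +0000] "GET /login.action HTTP/1.1" 200 826
10.0.0.7 - - [06/Nov/2023:09:15:09 +0000] "GET /login.action?os_destination=%2Findex.action HTTP/1.1" 200 831
10.0.0.5 - - [06/Nov/2023:09:16:30 +0000] "POST /dologin.action HTTP/1.1" 302 -
10.0.0.8 - - [06/Nov/2023:09:18:12 +0000] "GET /login.action HTTP/1.1" 200 826
203.0.113.40 - - [06/Nov/2023:09:20:55 +0000] "GET /login.action HTTP/1.1" 200 2574
10.0.0.9 - - [06/Nov/2023:09:21:03 +0000] "GET /login.action HTTP/1.1" 200 826
203.0.113.40 - - [06/Nov/2023:09:22:17 +0000] "GET /login.action HTTP/1.1" 200 1438
10.0.0.5 - - [06/Nov/2023:09:23:40 +0000] "GET /login.action HTTP/1.1" 200 826
"""

if __name__ == "__main__":
    hits = parse(SAMPLE_LOG.splitlines())
    print("baseline (median, tolerance):", baseline(hits, "/login.action"))
    for h in outliers(hits, "/login.action"):
        print(h.time, h.host, h.method, h.path, h.query or "-", h.size)
```

The trigger parameter may not be visible in the log line at all (a POST body is not logged by the pattern above), so treat the size outliers as leads: pivot on their source addresses and timestamps across the rest of the access log and the Confluence application logs rather than on the request line alone.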

 

Yara Rule Over Memory

Detection of the web shell via this method relies on a memory capture from the server. Stroz Friedberg developed the following Yara rule which can detect the web shell in the preserved memory image:

rule ConfluencePageIndicator {
  meta:
    description = "Detects strings indicative of a web shell in Confluence page"
    author = "Stroz Friedberg"
    date = "2023-11-06"

  strings:
    $confluence_title = "" ascii wide
    $hide_plugin_function = "hidePlugin(" ascii wide
    $system_plugin_key = "ALWAYS_SYSTEM_PLUGIN_KEYS" ascii wide
    $dashes = " ----- " ascii wide

  condition:
    $confluence_title and $hide_plugin_function and $dashes and $system_plugin_key
}

 

Beyond Confluence

Stroz Friedberg has not thoroughly tested to what extent this novel malware is applicable to other Atlassian products. Several of the web shell functions depend on Confluence-specific APIs. However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, BitBucket, or other Atlassian products where an attacker can install the plugin.

If you suspect you are compromised or need assistance in assessing compromise, please call our Incident Response hotline. If you are from a Law Enforcement Agency or Endpoint Detection and Response vendor and wish for more details, please contact us.
