Hackers Exploit Atlassian Confluence Vulnerability to Deploy New ‘Ljl’ Backdoor

Security

Cybersecurity experts from Deepwatch spotted activity from threat actors (TA) that “highly likely” exploited a security flaw in the Atlassian Confluence server (CVE-2022-26134) to deploy a new backdoor dubbed “Ljl” against a number of unnamed organizations.

Deepwatch’s Adversary Tactics and Intelligence group (ATI) described the findings in an advisory published on Tuesday.

After gaining initial access, the TA, dubbed TAC-040, would have run various commands to enumerate the local system, network and Active Directory environment. 

Additionally, Deepwatch said the TA likely used RAR and 7zip to archive files and folders from multiple directories, including registry hives. 

According to network logs, TAC-040 exfiltrated a total of around 700 MBs of archived data before the victim took the server offline.

Before disconnecting, however, the TA would have dropped a never-before-seen backdoor, called “Ljl Backdoor” onto the compromised server.

“TAC-040 has the capability to create or access custom, never-before-seen malware,” the advisory reads.

In terms of the motifs behind the attacks, Deepwatch said they were likely espionage-related, but the company cannot completely rule out that they were financially motivated, since it said it also spotted a loader for an XMRig crypto miner on the system.

Targets of TAC-040 were organizations that conduct research in healthcare, education, international development, and environmental and agriculture, as well as some that provide technical services.

For context, the Atlassian vulnerability suspected to have been exploited by TAC-040 is an Object-Graph Navigation Language (OGNL) injection bug that allows for arbitrary code execution on a Confluence Server or Data Center instance.

The issue was addressed by Atlassian in June, but this is not the first time since then that unpatched systems get exploited by hackers.

For instance, in July Microsoft’s Security Intelligence team said it spotted a campaign by TA 8220 targeting i686 and x86_64 Linux systems that used RCE exploits for CVE-2022-26134 and CVE-2019-2725 (Oracle WebLogic) for initial access.

Products You May Like

Articles You May Like

CISA and EPA Warn of Cyber Risks to Water System Interfaces
LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
US Organizations Still Using Kaspersky Products Despite Ban

Leave a Reply

Your email address will not be published. Required fields are marked *