Analyzing a Cerber Ransomware Attack via Confluence RCE Exploit (CVE-2023-22518) | Threat SnapShot

Поделиться
HTML-код
  • Опубликовано: 10 сен 2024
  • Confluence has been hit hard lately -- attackers are actively exploiting another vulnerability in Confluence Server that allows complete takeover from an unauthenticated account. In the case of CVE-2023-22518, a single POST request is made to the /json/setup-restore.action endpoint with a specified header of “X-Atlassian-Token”: “no-check”. This endpoint allows a Confluence administrator to restore the Confluence site from a specified backup zip directory. An attacker could easily upload a valid, harmful backup zip directory and proceed to restore the Confluence server to a state with known malicious content. Once administrative privileges are acquired through the introduction of an injected admin user, malicious actors have the freedom to deploy an Atlassian Web Shell plugin for remote code execution, extract confidential data from Confluence spaces, or install ransomware.
    In this Threat SnapShot, we'll take a look at how the Cerber ransomware operators are leveraging this Confluence vulnerability to infect victims. After successfully gaining access via the vulnerability, they use an encoded PowerShell command to download and execute a remote payload, which will then encrypt the files in the system and append the extension “.L0CK3D”. It will also drop a ransom note with the filename “read-me3.txt” in all directories where something was encrypted. We'll take a closer look at this infection chain, and discuss threat hunting and detection strategies.
    Resources:
    - www.trendmicro...
    - github.com/For...
    - app.snapattack... - Collection: CVE-2023-22518
    - app.snapattack... - Threat: Cerber Ransomware via Confluence CVE-2023-22518
    - app.snapattack... - Detection: Confluence Restore Exploitation
    - app.snapattack... - Detection: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
    - app.snapattack... - Detection: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
    - app.snapattack... - Detection: Cerber Powershell Stager
    - app.snapattack... - Detection: Webshell-Indicative Process Tree
    - app.snapattack... - Attack Script: CVE-2023-22518 Confluence Improper Authorization Traffic

Комментарии •

Следующие
Автовоспроизведение
It's Raining Shells! Recent CVEs in SharePoint, Splunk, and Confluence, Oh My! | Threat SnapShot14:57It's Raining Shells! Recent CVEs in SharePoint, Splunk, and Confluence, Oh My! | Threat SnapShot
It's Raining Shells! Recent CVEs in SharePoint, Splunk, and Confluence, Oh My! | Threat SnapShotSnapAttack
Просмотров 160
Untangling Scattered Spider's Web: Hunting for RMM Tools | Threat SnapShot15:25Untangling Scattered Spider's Web: Hunting for RMM Tools | Threat SnapShot
Untangling Scattered Spider's Web: Hunting for RMM Tools | Threat SnapShotSnapAttack
Просмотров 310
The Untold Story of VS Code12:42The Untold Story of VS Code
The Untold Story of VS CodeCodeSource
Просмотров 9 тыс.
iPhone 16: Should You Upgrade? (Made Easy)10:31iPhone 16: Should You Upgrade? (Made Easy)
iPhone 16: Should You Upgrade? (Made Easy)DailyTekk
Просмотров 73 тыс.
Aaron Rodgers throws for TD, INT in Jets MNF loss, did 49ers put league on notice? | THE FACILITY21:22Aaron Rodgers throws for TD, INT in Jets MNF loss, did 49ers put league on notice? | THE FACILITY
Aaron Rodgers throws for TD, INT in Jets MNF loss, did 49ers put league on notice? | THE FACILITYThe Facility
Просмотров 92 тыс.
10 Things You SHOULD Be Buying at Costco in September 202420:1010 Things You SHOULD Be Buying at Costco in September 2024
10 Things You SHOULD Be Buying at Costco in September 2024The Deal Guy
Просмотров 649 тыс.
Kendrick Lamar. Super Bowl LIX Halftime Show01:16Kendrick Lamar. Super Bowl LIX Halftime Show
Kendrick Lamar. Super Bowl LIX Halftime ShowKendrick Lamar
Просмотров 2,2 млн
Warren Buffett's Berkshire Hits $1 Trillion: But Why Is It Selling Stakes in Apple & BofA?11:22Warren Buffett's Berkshire Hits $1 Trillion: But Why Is It Selling Stakes in Apple & BofA?
Warren Buffett's Berkshire Hits $1 Trillion: But Why Is It Selling Stakes in Apple & BofA?Firstpost
Просмотров 93 тыс.
Renaissance of Terminal User Interfaces with Rust - FrOSCon 202453:23Renaissance of Terminal User Interfaces with Rust — FrOSCon 2024
Renaissance of Terminal User Interfaces with Rust - FrOSCon 2024Orhun Parmaksız
Просмотров 1,1 тыс.
Don't Learn Machine Learning, Instead learn this!6:21Don't Learn Machine Learning, Instead learn this!
Don't Learn Machine Learning, Instead learn this!Deepchand O A
Просмотров 3 тыс.
OpenSSH for Absolute Beginners23:00OpenSSH for Absolute Beginners
OpenSSH for Absolute BeginnersVeronica Explains
Просмотров 107 тыс.
Analyzing Ransomware - Beginner Static Analysis29:40Analyzing Ransomware - Beginner Static Analysis
Analyzing Ransomware - Beginner Static AnalysisMichael Gillespie
Просмотров 12 тыс.
House Dems to Trump: prove you didn't take a $10 million bribe from Egypt8:54House Dems to Trump: prove you didn't take a $10 million bribe from Egypt
House Dems to Trump: prove you didn't take a $10 million bribe from EgyptMSNBC
Просмотров 695 тыс.
I Wrote HTTP "From Scratch" (It Was Easy)19:07I Wrote HTTP "From Scratch" (It Was Easy)
I Wrote HTTP "From Scratch" (It Was Easy)Sean Bix
Просмотров 82 тыс.
ESXi Ransomware: Trends, Logging, and Detection | Threat SnapShot9:35ESXi Ransomware: Trends, Logging, and Detection | Threat SnapShot
ESXi Ransomware: Trends, Logging, and Detection | Threat SnapShotSnapAttack
Просмотров 915
ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot16:25ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot
ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShotSnapAttack
Просмотров 680
👊ЖЕСТКАЯ РУБКА КОСТЬ В КОСТЬ | ХОРОНЖЕНКО VS АГРЕССОР #mma #кулачка #мма #hardcore #хардкор #popmma00:11👊ЖЕСТКАЯ РУБКА КОСТЬ В КОСТЬ | ХОРОНЖЕНКО VS АГРЕССОР #mma #кулачка #мма #hardcore #хардкор #popmma
👊ЖЕСТКАЯ РУБКА КОСТЬ В КОСТЬ | ХОРОНЖЕНКО VS АГРЕССОР #mma #кулачка #мма #hardcore #хардкор #popmmaHFC Shorts
Просмотров 761 тыс.
Атака беспилотников на Подмосковье: главные детали. Удары по аэропортам и жилым домам в Раменском05:23Атака беспилотников на Подмосковье: главные детали. Удары по аэропортам и жилым домам в Раменском
Атака беспилотников на Подмосковье: главные детали. Удары по аэропортам и жилым домам в РаменскомНастоящее Время. Сюжеты
Просмотров 223 тыс.
Нельзя смеяться | Смех с водой | 78 #shorts00:57Нельзя смеяться | Смех с водой | 78 #shorts
Нельзя смеяться | Смех с водой | 78 #shortsКоммент.Шоу
Просмотров 471 тыс.
爸爸误以为钱生钱,怎料又被儿子套路了! #funny #萌娃 #comedy00:46爸爸误以为钱生钱,怎料又被儿子套路了! #funny #萌娃 #comedy
爸爸误以为钱生钱,怎料又被儿子套路了! #funny #萌娃 #comedy搞笑爸爸带俩娃
Просмотров 2,4 млн
Cool Items!🥰 New Gadgets, Smart Appliances, Kitchen Tools Utensils, Home Cleaning, Beauty #shorts00:23Cool Items!🥰 New Gadgets, Smart Appliances, Kitchen Tools Utensils, Home Cleaning, Beauty #shorts
Cool Items!🥰 New Gadgets, Smart Appliances, Kitchen Tools Utensils, Home Cleaning, Beauty #shortsCool Items Official
Просмотров 9 млн
Угадаете, с кем я провел целый день в Баку? 😉 #emin #baku #seabreeze #azerbaycan00:33Угадаете, с кем я провел целый день в Баку? 😉 #emin #baku #seabreeze #azerbaycan
Угадаете, с кем я провел целый день в Баку? 😉 #emin #baku #seabreeze #azerbaycanEminOfficial
Просмотров 63 тыс.
ПОСТОЯННИК ЛОМБАРДА #шоу #юмор #спб #фитнес #вау00:27ПОСТОЯННИК ЛОМБАРДА #шоу #юмор #спб #фитнес #вау
ПОСТОЯННИК ЛОМБАРДА #шоу #юмор #спб #фитнес #вауKURUCHBRO
Просмотров 213 тыс.
😲 Гаишник шокировал водителя Мерседеса такими новостями! | Новостничок00:26😲 Гаишник шокировал водителя Мерседеса такими новостями! | Новостничок
😲 Гаишник шокировал водителя Мерседеса такими новостями! | НовостничокНОВОСТНИЧОК
Просмотров 627 тыс.