A threat actor, TAC-040, is believed to have abused a flaw in an Atlassian Confluence server to deploy a new backdoor in the networks of the critical services sector.
The attack that lasted a week
Researchers from Deepwatch analyzed the attack, which was active for around seven days at the end of May.
Around 700MB of archived data is believed to have been exfiltrated before the victim took the server offline.
The attack used previously unseen malware, named the Ljl backdoor.
The attacker ran malicious commands with a parent process (tomcat9[.]exe) inside the Confluence directory.
After the initial compromise, the attacker ran various commands to catalog the network, the local system, and Active Directory.
The researchers also spotted the presence of an XMRig cryptominer on the compromised system. One of the Monero addresses owned by the attackers netted at least 652 XMR ($106,000).
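The parent-process pattern described above (shells and discovery utilities launched by Confluence's Tomcat service) is a useful detection hook. The following is an added example, not Deepwatch's tooling or detection content; the Confluence install path, the JSON event shape and the list of discovery utilities are assumptions, and the events are constructed, not telemetry from the incident.

```python
import json
from typing import Optional

# Constructed Sysmon-style process-creation events (not real incident data).
# The Confluence install path is an assumption for illustration.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"parent": "C:\\Program Files\\Atlassian\\Confluence\\bin\\tomcat9.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"parent": "C:\\Program Files\\Atlassian\\Confluence\\bin\\tomcat9.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" /domain"}
{"parent": "C:\\Program Files\\Atlassian\\Confluence\\bin\\tomcat9.exe", "image": "C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe", "cmdline": "java -jar confluence.jar"}
{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
'''.strip().splitlines()]

# Children that a Confluence Tomcat service process has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed list of common host/network/AD discovery utilities.
DISCOVERY_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
                   "systeminfo.exe", "tasklist.exe", "quser.exe", "dsquery.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the pattern, else None."""
    parent = basename(event["parent"])
    child = basename(event["image"])
    # Only fire when tomcat9.exe lives under a Confluence install directory.
    if parent != "tomcat9.exe" or "confluence" not in event["parent"].lower():
        return None
    if child in SHELLS:
        return f"Confluence tomcat9.exe spawned shell {child}"
    if child in DISCOVERY_TOOLS:
        return f"Confluence tomcat9.exe spawned discovery tool {child}"
    return None


def find_alerts(events: list) -> list:
    """Return (event, reason) pairs for every event that matches."""
    return [(e, r) for e in events if (r := is_suspicious(e)) is not None]


if __name__ == "__main__":
    for event, reason in find_alerts(SAMPLE_EVENTS):
        print(reason, "|", event["cmdline"])
```

The third event (Tomcat launching its own JVM) and the fourth (a user shell from explorer.exe) are intentionally benign so the rule's scope can be checked.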
Who are the targets?
The attacks targeted organizations doing research in healthcare, international development, education, environment, agriculture, and firms providing technical services.
Ljl Backdoor
The backdoor is a feature-rich trojan developed to collect files and user accounts, load arbitrary .NET payloads, and gather system information and the victim's geographic location.
The backdoor comes with several capabilities. It can act as a reverse proxy, query whether the victim is active or idle, exfiltrate files/directories, and get the foreground window and window text.
Exploited flaws
Deepwatch said that the breach could have happened by exploiting any of these flaws:
Another possibility is the exploitation of Spring4Shell vulnerability (CVE-2022-22965) to gain initial access to the Confluence web application.
Conclusion
Though the attacks involved the use of the XMRig miner, the TAC-040 group is believed to have conducted a cyberespionage operation. Organizations are advised to routinely review their security posture and integrate intelligent security solutions according to their needs.