Uninvited Guest: The Stealthy Backdoor Malware Crashing Your Confluence Server Party

Think your Confluence server is safer than a bank vault? Enter Effluence, the backdoor malware party-crasher. Without even needing to authenticate with Confluence, this stealthy cyber pest exploits your Atlassian products, becomes the life of your network party, and sneaks off with your precious data. Talk about a real Atlassian exploitation, Effluence-style!

Hot Take:

Just when you thought your Confluence server was as secure as a nun’s diary, along comes Effluence, a backdoor malware that’s as stealthy as a cat burglar on a moonless night. So, even if you’ve patched up your Confluence, these cyber pests can sneak in undetected, have a party in your network, and sneak out again with all your juicy data. And the cherry on this not-so-sweet cybersecurity cake? They don’t even need to authenticate with Confluence to get in. Talk about crashing the party!

Key Points:

  • Cybersecurity researchers have found a new persistent backdoor malware named Effluence in Atlassian Confluence Data Center and Server.
  • Patching Confluence alone does not eradicate this malware, and attackers can use the backdoor without ever authenticating with Confluence.
  • Effluence can also facilitate lateral movement to other network resources and the exfiltration of data from Confluence.
  • The attack exploits a critical bug in Atlassian Confluence, CVE-2023-22515, which can be used to create unauthorized Confluence administrator accounts and access the servers.
  • The malware includes a novel web shell that grants persistent remote access to every web page on the server, even without a valid user account.

Need to know more?

Enter the Backdoor

What sets this fresh hell apart from your garden-variety cyberattack is that the miscreants first gain access via the CVE-2023-22515 flaw and then plant a web shell that grants them a VIP pass to every webpage on your server. And they don't even need a ticket (read: valid user account) to get in!

Quiet as a Mouse

This web shell is as quiet as a library mouse, letting requests pass through unnoticed until someone hits the right note (a specific parameter), upon which it springs into action. Its party tricks include creating a new admin account, erasing its tracks, running arbitrary commands on the server, reading, deleting, and enumerating files, and gathering extensive information about the Atlassian environment.
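Because the article describes a web shell that sits on every page and stays passive until one specific request parameter shows up, a defender can look for exactly that pattern in access logs: a parameter name that appears across many unrelated paths but is not one Confluence itself uses. The script below is an added example written for this post, not the researchers' tooling or anything from Atlassian. The log lines are constructed, the trigger parameter name `zz_trigger` is a made-up placeholder (the article does not name the real one), and the baseline set of legitimate parameters is illustrative and would be tuned from your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
# "zz_trigger" is a placeholder for the unknown web-shell trigger parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2023:10:01:02 +0000] "GET /wiki/pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
10.0.0.5 - - [10/Nov/2023:10:01:09 +0000] "GET /wiki/display/ENG/Home HTTP/1.1" 200 4096
10.0.0.6 - - [10/Nov/2023:10:02:15 +0000] "GET /wiki/pages/viewpage.action?pageId=124&zz_trigger=1 HTTP/1.1" 200 300
10.0.0.6 - - [10/Nov/2023:10:02:40 +0000] "GET /wiki/display/ENG/Home?zz_trigger=1 HTTP/1.1" 200 40
10.0.0.6 - - [10/Nov/2023:10:03:01 +0000] "GET /wiki/login.action?zz_trigger=1 HTTP/1.1" 200 80
10.0.0.7 - - [10/Nov/2023:10:04:00 +0000] "GET /wiki/dosearchsite.action?queryString=foo HTTP/1.1" 200 9000
10.0.0.8 - - [10/Nov/2023:10:05:00 +0000] "GET /wiki/pages/viewpage.action?pageId=125&os_destination=x HTTP/1.1" 200 5000
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Parameters that legitimately appear on many Confluence pages. Illustrative only;
# an operator builds this baseline from a known-clean period of their own logs.
BASELINE_PARAMS = {"pageId", "queryString", "os_destination", "spaceKey"}


def parse_line(line):
    """Return client ip, request path and the set of query parameter names, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = set(parse_qs(url.query, keep_blank_values=True))
    return {"ip": m.group("ip"), "path": url.path, "params": params,
            "status": int(m.group("status"))}


def find_cross_page_params(log_text, min_paths=2, baseline=BASELINE_PARAMS):
    """Flag non-baseline parameter names seen on at least min_paths distinct paths.

    A web shell that hooks every page is triggered by the same parameter no matter
    which page is requested, so its parameter name spreads across unrelated paths;
    a normal page-specific parameter usually does not.
    """
    paths_by_param = defaultdict(set)
    ips_by_param = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in rec["params"] - baseline:
            paths_by_param[name].add(rec["path"])
            ips_by_param[name].add(rec["ip"])
    return {
        name: {"paths": sorted(paths), "ips": sorted(ips_by_param[name])}
        for name, paths in paths_by_param.items()
        if len(paths) >= min_paths
    }


if __name__ == "__main__":
    for name, info in find_cross_page_params(SAMPLE_LOG).items():
        print(f"suspicious parameter {name!r} on {len(info['paths'])} paths from {info['ips']}")
```

Run it over a real export by reading the log file into `find_cross_page_params`; raise `min_paths` on a busy instance to cut noise, and treat any hit as a lead to confirm by inspecting the installed plugins and the server filesystem, not as proof on its own.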

The Master of Disguise

The loader component of this malware acts as a normal Confluence plugin and is responsible for decrypting and launching the payload. According to security researcher Zachary Reichert, several of the web shell functions depend on Confluence-specific APIs. However, the plugin and loader mechanism only require common Atlassian APIs, making them potentially applicable to other Atlassian products. So, it's not just your Confluence server you need to worry about; JIRA, Bitbucket, and other Atlassian products could also be at risk.
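Since the loader installs itself as an ordinary plugin, the practical check is a plugin inventory review: anything user-installed that is not on your approved list, or that is on the list at an unexpected version, gets pulled for inspection. The script below is an added example for this post, not Atlassian's or the researchers' code. Its input is a constructed JSON document shaped like what the Universal Plugin Manager's REST inventory returns (the field names `plugins`, `key`, `name`, `enabled`, `userInstalled` and `version` are an assumption about that shape); all plugin keys in it are made up, and the approved list is a placeholder you would replace with your own.

```python
import json

# Constructed inventory resembling a UPM plugin listing; every key below is invented.
# Note the unknown plugin carries a perfectly plausible display name: the name is
# not the discriminator, the plugin key and version against an approved list are.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"key": "com.atlassian.confluence.plugins.confluence-space-ia",
         "name": "Space IA", "enabled": True, "userInstalled": False, "version": "1.0"},
        {"key": "com.example.approved-addon",
         "name": "Approved Addon", "enabled": True, "userInstalled": True, "version": "2.3.1"},
        {"key": "com.example.approved-reporting",
         "name": "Reporting", "enabled": True, "userInstalled": True, "version": "9.9.9"},
        {"key": "org.placeholder.unknown-plugin",
         "name": "Confluence Helper", "enabled": True, "userInstalled": True, "version": "1.0.0"},
    ]
})

# Placeholder approved list: plugin key -> version your change records say is deployed.
APPROVED_USER_PLUGINS = {
    "com.example.approved-addon": "2.3.1",
    "com.example.approved-reporting": "3.1.0",
}


def review_plugins(inventory_json, approved=APPROVED_USER_PLUGINS):
    """Return findings for user-installed plugins that deviate from the approved list.

    Bundled (non user-installed) plugins are skipped here because they are pinned by
    the product version and are better baselined by comparing the install directory.
    """
    data = json.loads(inventory_json)
    findings = []
    for plugin in data.get("plugins", []):
        if not plugin.get("userInstalled"):
            continue
        key = plugin.get("key", "<missing key>")
        version = plugin.get("version")
        if key not in approved:
            reason = "not in approved list"
        elif approved[key] != version:
            reason = f"version {version} differs from approved {approved[key]}"
        else:
            continue
        findings.append({
            "key": key,
            "name": plugin.get("name"),
            "enabled": bool(plugin.get("enabled")),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in review_plugins(SAMPLE_INVENTORY):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['key']} ({f['name']!r}, {state}): {f['reason']}")
```

Feed it the live inventory from each Confluence, Jira or Bitbucket node rather than a single one, because the article's point is that the same loader mechanism fits any Atlassian product that shares these plugin APIs; an allowlist that is maintained per product and version turns this from a one-off hunt into a routine drift check.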

Tags: Atlassian Confluence, Data Exfiltration, Persistent Remote Access, Security Flaw Exploitation, server security, Stealthy Backdoor, web shell