新型网络威胁：Effluence后门持续威胁Confluence服务器

Cybersecurity researchers have discovered a stealthy backdoor named Effluence that's deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

网络安全研究人员发现了一个名为Effluence的隐秘后门，该后门在成功利用最近披露的Atlassian Confluence Data Center和Server的安全漏洞后部署。

"The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence," Aon's Stroz Friedberg Incident Response Services said in an analysis published earlier this week.

“该恶意软件充当持久性后门，对Confluence应用程序的补丁并不起作用，” Aon的Stroz Friedberg Incident Response Services在本周早些时候发表的分析中说。

"The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence."

“该后门除了从Confluence中窃取数据外，还提供了横向移动到其他网络资源的能力。重要的是，攻击者可以远程访问后门而无需对Confluence进行身份验证。”

The attack chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS score: 10.0), a critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.

网络安全实体记录的攻击链包括利用CVE-2023-22515（CVSS评分：10.0），这是Atlassian中的一个关键漏洞，可被滥用以创建未经授权的Confluence管理员帐户并访问Confluence服务器。

Atlassian has since disclosed a second flaw known as CVE-2023-22518 (CVSS score: 10.0) that an attacker can also take advantage of to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability.

此后，Atlassian披露了第二个已知漏洞，称为CVE-2023-22518（CVSS评分：10.0），攻击者还可以利用该漏洞建立一个恶意管理员帐户，导致完全的机密性、完整性和可用性丧失。

What makes the latest attack stand out is that the adversary gained initial access via CVE-2023-22515 and embedded a novel web shell that grants persistent remote access to every web page on the server, including the unauthenticated login page, without the need for a valid user account.

使最新的攻击脱颖而出的是对手通过CVE-2023-22515获得了初始访问权限，并嵌入了一个新型的Web shell，该Web shell授予对服务器上每个网页的持久远程访问权限，包括未经身份验证的登录页面，而无需有效的用户帐户。

The web shell, made up of a loader and payload, is passive, allowing requests to pass through it unnoticed until a request matching a specific parameter is provided, at which point it triggers its malicious behavior by executing a series of actions.

该Web shell由加载器和有效载荷组成，是被动的，允许请求不被注意地通过，直到提供与特定参数匹配的请求，此时它通过执行一系列操作触发其恶意行为。

This comprises creating a new admin account, purging logs to cover up the forensic trail, running arbitrary commands on the underlying server, enumerating, reading, and deleting files, and compiling extensive information about the Atlassian environment.

这包括创建新的管理员帐户，清除日志以掩盖法庭追踪，对底层服务器运行任意命令，枚举、读取和删除文件，并编译有关Atlassian环境的详细信息。

The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload.

根据Aon的说法，加载器组件充当普通的Confluence插件，负责解密和启动有效载荷。

"Several of the web shell functions depend on Confluence-specific APIs," security researcher Zachary Reichert said.

安全研究人员Zachary Reichert表示：“Web shell的几个功能依赖于Confluence特定的API。”

"However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin."

“然而，插件和加载器机制似乎仅依赖于常见的Atlassian API，并且可能适用于JIRA、Bitbucket或其他攻击者可以安装插件的Atlassian产品。”