Last updated at Tue, 27 Feb 2024 17:16:10 GMT

*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two public-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation of CVE-2023-22527 within the available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver command and control (C2) payload on the in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it is also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected, leading to further compromise.

Rapid7 Customers

Rapid7 consistently monitors emerging threats to identify areas for new detection opportunities. The recent surge in Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being used and the potential risks. Rapid7 InsightIDR has an alert rule, Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation, available for all IDR customers to detect the usage of text-inline.vm consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7's blog on CVE-2023-22527.

Observed Attacker Behavior

Rapid7 IR began the investigation by triaging the available forensic artifacts on the two affected public-facing Confluence servers. Both servers were running vulnerable Confluence software versions that were abused to obtain remote code execution (RCE). Rapid7 reviewed server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.

Evidence showed multiple instances of exploitation of this CVE; however, evidence of the embedded commands could not be identified within the standard header information recorded in the access logs. Packet capture (PCAP) was not available for review to identify the embedded commands, but the identified POST requests are consistent with exploitation of the CVE.
The following are a few examples of exploitation of the Confluence CVE that were identified within the access logs:

Access.log Entry
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
POST /template/aui/text-inline.vm HTTP/1.7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

Evidence showed the execution of a curl command following exploitation of the CVE, which resulted in cryptomining malware being dropped onto the system. The IP address associated with the malicious POST requests to the Confluence server matched the IP address identified in the curl command. This indicates that the dropped cryptomining malware was directly tied to the Confluence CVE exploitation.
As a result of the executed curl command, the file w.sh was written to the /tmp/ directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executed a wget command to download javs.tar.gz from IP address 38.6.173[.]11 over port 80. This file was identified as XMRigCC cryptomining malware, which caused system resource utilization consistent with cryptomining activity. The service javasgs_miner.service was created on the system and set to run as root to ensure persistence.

The following is a snippet of code contained within w.sh that defines the communication parameters used to download and execute the XMRigCC binary.

Rapid7 found additional log evidence within Catalina.log referencing the download of the above file within an HTTP response header. This response was registered as "invalid" because it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the Catalina log entry above may be useful to analysts in identifying additional evidence of attempted or successful exploitation.

Catalina Log Entry
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz... ] has been removed from the response because it is invalid
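As an added example (not code from the original post), the following Python checks for both log artifacts described above: a successful POST to text-inline.vm followed by a curl request from the same source in the access log, and the Tomcat warning in Catalina.log that strips an X-Cmd-Response header. The sample log lines are constructed, with a source IP and timestamp column added in front of the fields the post shows.

```python
import re

# Constructed sample data modelled on the excerpts in this post; an IP and a
# timestamp column are added in front of the fields the post shows.
ACCESS_LOG = """\
203.0.113.10 2024-01-20T10:15:01Z POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
203.0.113.10 2024-01-20T10:15:04Z GET /rest/api/user/current HTTP/1.0 200 12ms 410 - curl/7.88.1
198.51.100.7 2024-01-20T10:16:11Z GET /template/aui/text-inline.vm HTTP/1.0 403 3ms 210 - Mozilla/5.0
198.51.100.8 2024-01-20T10:17:40Z GET /dashboard.action HTTP/1.1 200 80ms 9034 - Mozilla/5.0
"""
CATALINA_LOG = """\
INFO [http-nio-8090-exec-12] org.apache.catalina.startup.Catalina.start Server startup in 41233 ms
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://192.0.2.50/payload.tar.gz payload.tar.gz... ] has been removed from the response because it is invalid
"""

ACCESS_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ "
    r"(?P<status>\d{3}) (?P<ms>\d+)ms (?P<bytes>\S+) (?P<ref>\S+) (?P<ua>.*)$")
CMD_RESPONSE_RE = re.compile(
    r"response header \[X-Cmd-Response\] with value \[(?P<value>[^\]]*)\]")
EXPLOIT_PATH = "/template/aui/text-inline.vm"


def find_text_inline_exploits(access_log):
    """One hit per source IP that received HTTP 200 on a POST to text-inline.vm,
    noting whether the same IP later sent a request involving curl."""
    hits = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected shape
        ip = m["ip"]
        if m["method"] == "POST" and m["path"] == EXPLOIT_PATH and m["status"] == "200":
            hits.setdefault(ip, {"ip": ip, "first_seen": m["ts"], "followed_by_curl": False})
        elif ip in hits and "curl" in (m["path"] + m["ua"]).lower():
            hits[ip]["followed_by_curl"] = True  # curl seen after the exploit POST
    return list(hits.values())


def find_cmd_response_leaks(catalina_log):
    """Values Tomcat stripped from X-Cmd-Response headers; a URL here shows
    what the injected command fetched, as in the Catalina entry above."""
    return [m["value"].strip() for m in CMD_RESPONSE_RE.finditer(catalina_log)]


if __name__ == "__main__":
    for hit in find_text_inline_exploits(ACCESS_LOG):
        print("possible CVE-2023-22527 exploitation:", hit)
    for value in find_cmd_response_leaks(CATALINA_LOG):
        print("command output leaked via X-Cmd-Response:", value)
```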

Rapid7 then shifted focus to examining system network connections on both servers. Evidence showed an active connection with the known-abused IP address 193.29.13[.]179 communicating over port 8888 from both servers. netstat command output showed that the source program of the network connection was called X-org and was located within the system's /tmp directory. Based on firewall logs, the first identified communication from this server to the malicious IP address was consistent with the timestamp of the identified X-org file creation. Rapid7 identified another malicious file, X0, residing on the alternate server; both files shared the same SHA256 hash, indicating they are the same binary. The hash for these files has been provided below in the IOCs section.

Examination of the firewall logs provided a comprehensive view of the communication between the affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available indicators of compromise (IOCs). Within the Sliver payload, Rapid7 confirmed that the IP address 193.29.13[.]179 would communicate over port 8888 using the mTLS authentication protocol.

After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read /etc/passwd and /etc/machine-id, and then communicated back with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and the accounts on the system. Cached credentials from the system were found to be associated with the outbound C2 traffic, further supporting this credential access. This activity is consistent with the standard functionality available within the GitHub release here.

The Sliver C2 connection was later used to execute wget commands that downloaded Kerbrute, Traitor, and Fscan to the server. Kerbrute was executed from /dev/shm and is commonly used to brute force and enumerate valid Active Directory accounts through Kerberos pre-authentication. The Traitor binary was executed from the /var/tmp directory and contains functionality to leverage Pwnkit and Dirty Pipe, as seen from the evidence on the system. Fscan was executed from the /var/tmp directory under the filename f and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.

Mitigation Guidance

To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:

  • Ensure unnecessary ports and services are disabled on public-facing servers.

  • All public-facing servers should be patched regularly and kept on the latest software versions.

  • Environment firewall logs should be aggregated into a centralized security solution so that abnormal network communications can be detected.

  • Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.

  • Public-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of the commands available compared to a standard bash shell.

MITRE ATT&CK Techniques

| Tactic | Technique | Details |
|---|---|---|
| Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection |
| Discovery | Domain Account Discovery (T1087) | Kerbrute enumeration of Active Directory |
| Reconnaissance | Active Scanning (T1595) | Fscan enumeration |
| Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation |
| Execution | Unix Shell (T1059.004) | The Sliver payload and follow-on command executions |
| Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute force component |
| Credential Access | OS Credential Dumping (T1003.008) | Extracting the contents of the /etc/passwd file |
| Impact | Resource Hijacking (T1496) | Execution of cryptomining software |
| Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline abuse within Confluence logs |

Indicators of Compromise

| Attribute | Value | Description |
|---|---|---|
| File Name and Path | /dev/shm/traitor-amd64 | Privilege escalation binary |
| SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash of the Traitor binary |
| File Name and Path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory |
| SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash of the Kerbrute binary |
| File Name and Path | /var/tmp/f | Fscan enumeration |
| SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash of the Fscan binary |
| File Name and Path | /tmp/X0 | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of the Sliver binary |
| File Name and Path | /tmp/X-org | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of the Sliver binary |
| IP Address | 193.29.13.179 | Sliver C2 IP address |
| File Name and Path | /tmp/w.sh | Bash script for the XMRigCC cryptominer |
| SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash of the bash script |
| File Name and Path | /tmp/javs.tar.gz | Compressed cryptomining installation files |
| SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash of the cryptomining installation files |
| Log-Based IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by a GET request containing curl | Exploit behavior within the Confluence access.log |
| IP Address | 195.80.148.18 | IP address associated with exploit behavior of text-inline followed by curl |
| IP Address | 103.159.133.23 | IP address associated with exploit behavior of text-inline followed by curl |