Traditional antivirus is powerless against attacks on servers.
Trend Micro researchers have documented exploitation of the CVE-2023-22527 vulnerability, which is being used to compromise Atlassian servers by installing the Godzilla backdoor.
A CVSS 10.0 bug in Confluence Data Center and Confluence Server could allow attackers to execute arbitrary code on vulnerable servers and compromise the entire system. Although the vulnerability has already been patched, it is also being used to install cryptominers.
During the investigation of the attack, it was found that the attackers load malware onto the Atlassian server, which then downloads the Godzilla web shell. The web shell was developed by a Chinese user under the pseudonym "BeichenDream" and is designed to bypass traditional defenses. Godzilla's main advantage is its use of AES encryption, which makes it much harder to detect.
The attack begins with exploitation of CVE-2023-22527, through which the attackers execute malicious code. After the initial malicious code is loaded, a complex multi-stage attack chain starts, involving the injection of special code into the server's RAM. This code allows the hackers to inject their own classes and methods, ensuring persistent access to the infected server.
One feature of the attack is the use of fileless malware techniques, in which the malicious code runs exclusively in RAM, making detection and removal especially difficult. Such an attack can go unnoticed if organizations rely on outdated protection methods, including signature-based antivirus.
Trend Micro stresses that Atlassian Confluence users should apply the patches immediately to prevent potential attacks. It is important not only to update software regularly, but also to use modern security tools capable of detecting and preventing such attacks.
The Godzilla web shell has been seen in attacks before, for example during exploitation of a vulnerability in Apache ActiveMQ. Godzilla gave attackers full control of the target host, making it easy to execute arbitrary shell commands, view network information, and perform file management operations.
Source
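As an added example (not code from the Trend Micro report or from the post above), here is a small Python detector for CVE-2023-22527 exploitation attempts in Confluence's Tomcat access log. It flags direct client requests to Velocity templates under /template/ (text-inline.vm is the template hit by public proof-of-concept exploits) and, where a WAF or reverse proxy captured the request body, OGNL markers in the injected label parameter. The log lines and the payload fragment are constructed; the endpoint and the marker list are assumptions drawn from public PoC code and should be tuned to your environment. Because the Godzilla stage runs in memory and never touches disk, this request-side evidence is frequently the only durable artifact of the intrusion.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# Tomcat "combined" access log line, the format written by Confluence's bundled
# Tomcat (AccessLogValve in conf/server.xml). Referer/User-Agent are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Velocity templates under /template/ are rendered server-side; a client asking for
# one by name is anomalous. text-inline.vm is the template targeted by public
# CVE-2023-22527 proof-of-concepts (assumption: tune to your own baseline).
TEMPLATE_RE = re.compile(r"^/template/[^?]*\.vm(?:\?|$)", re.IGNORECASE)

# Lower-cased OGNL/Struts markers seen in PoC "label" payloads. They live in the
# POST body, so they are only visible if something logged the body (assumption).
OGNL_MARKERS = (
    "#request",
    "#parameters",
    ".findvalue(",
    "@org.apache.struts2",
    "getruntime(",
    "key_velocity.struts2.context",
)


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reasons: list = field(default_factory=list)


def _decode(s: str) -> str:
    # Two rounds of percent-decoding catch double-encoded payloads (%2523 -> %23 -> #).
    return unquote(unquote(s))


def analyze_request(line: str, body: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding if the access-log line (plus an optional captured request
    body) looks like a CVE-2023-22527 exploitation attempt, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = _decode(m.group("path"))
    reasons = []
    if TEMPLATE_RE.match(path):
        reasons.append("direct request to a Velocity template")
    haystack = path.lower()
    if body:
        haystack += "\n" + _decode(body).lower()
    hits = [mk for mk in OGNL_MARKERS if mk in haystack]
    if hits:
        reasons.append("OGNL marker(s): " + ", ".join(hits))
    if not reasons:
        return None
    return Finding(m.group("ip"), m.group("method"), path, int(m.group("status")), reasons)


def scan(requests):
    """requests: iterable of (access_log_line, captured_body_or_None) pairs."""
    return [f for f in (analyze_request(line, body) for line, body in requests) if f]


# Constructed sample traffic (not real logs). The exploit body is a shortened,
# non-functional fragment that only carries the markers a PoC payload contains.
SAMPLE = [
    ('10.0.0.5 - - [21/Jan/2024:10:15:32 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 4821 "-" "Mozilla/5.0"', None),
    ('10.0.0.9 - - [21/Jan/2024:10:15:40 +0000] "POST /rest/api/content HTTP/1.1" 200 311 "-" "Mozilla/5.0"', None),
    ('203.0.113.7 - - [21/Jan/2024:10:16:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 53 "-" "python-requests/2.31.0"',
     "label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})"),
    ('203.0.113.7 - - [21/Jan/2024:10:16:02 +0000] "GET /template/aui/text-inline.vm?label=%5Cu0027%2B%2523request HTTP/1.1" 403 0 "-" "curl/8.4.0"', None),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.ip} {f.method} {f.path} -> {f.status}: {'; '.join(f.reasons)}")
```

Feed it the Tomcat access log from the Confluence install's logs/ directory with body=None, or pair each line with the body recorded by your WAF or reverse proxy. A 200 on the template request is the stronger signal, but a 403 or 404 still records an attacker probing the instance. Since the Godzilla filter injected by this chain leaves no .jsp on disk, complement the log review with a JVM-side check such as jcmd <pid> GC.class_histogram and compare the loaded classes against a clean instance of the same Confluence version.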