最后更新于2024年2月27日星期二17:16:10 GMT
*Rapid7 Incident Response consultants Noah Hemker and Tyler Starks and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation of CVE-2023-22527 within the available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver command-and-control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it is also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity could proceed undetected and lead to further compromise.
Rapid7 Customers
Rapid7 continuously monitors emerging threats to identify areas where new detection opportunities exist. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule, Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation, available to all IDR customers, which detects use of text-inline.vm consistent with the CVE-2023-22527 vulnerability. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7's blog on CVE-2023-22527.
Observed Attacker Behavior
Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed the server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.
Evidence showed multiple instances of exploitation of this CVE; however, evidence of an embedded command would not be available within the standard header information logged within access logs. Packet Capture (PCAP) was not available to be reviewed to identify embedded commands, but the identified POST requests were consistent with exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:
| Access.log Entry |
|---|
| POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 |
| POST /template/aui/text-inline.vm HTTP/1.7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 |
| POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 |
Evidence showed the execution of a curl command post-exploitation of the CVE, resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
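The access-log triage described above (POST requests to text-inline.vm, then a later request from the same source containing curl, which is also the behavioral IOC in the table at the end of this post) can be scripted. The following is an added example, not code from Rapid7 or from the blog; it assumes the access log uses Confluence's default Tomcat AccessLogValve pattern (`%t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i`), and the sample lines and TEST-NET addresses are constructed.

```python
import re
from collections import OrderedDict

# Request target the blog associates with CVE-2023-22527 exploitation attempts.
VULN_PATH = "/template/aui/text-inline.vm"

# Assumption: Confluence's default AccessLogValve pattern
#   %t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i
# which yields "... POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - <UA>"
# at the end of each line, as in the blog's table. Adjust if your pattern differs.
ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<thread>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d "
    r"(?P<status>\d{3}) (?P<dur_ms>\d+)ms (?P<bytes>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)

# Constructed sample log (TEST-NET addresses, not the incident's IPs).
SAMPLE_LOG = """\
[27/Feb/2024:10:00:01 +0000] - http-nio-8090-exec-1 203.0.113.10 GET /login.action HTTP/1.1 200 35ms 9211 - Mozilla/5.0 (X11; Linux x86_64)
[27/Feb/2024:10:00:07 +0000] - http-nio-8090-exec-2 198.51.100.23 POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
[27/Feb/2024:10:00:09 +0000] - http-nio-8090-exec-3 198.51.100.23 GET /template/aui/text-inline.vm?q=curl HTTP/1.0 200 120ms 7749 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
[27/Feb/2024:10:00:15 +0000] admin http-nio-8090-exec-4 203.0.113.10 GET /rest/api/content HTTP/1.1 200 41ms 1050 - Mozilla/5.0 (X11; Linux x86_64)
[27/Feb/2024:10:01:30 +0000] - http-nio-8090-exec-5 192.0.2.77 POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
"""


def parse_access_log(text):
    """Parse each line into a dict of named fields; non-matching lines are skipped."""
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]


def is_text_inline_post(row):
    """POST to the vulnerable template, ignoring any query string."""
    return row["method"] == "POST" and row["target"].split("?", 1)[0] == VULN_PATH


def triage(rows):
    """Return one finding per source IP that POSTed to text-inline.vm.

    A later GET from the same IP whose request line contains 'curl' (the
    behavioral IOC in the blog) upgrades the verdict from 'exploit_attempt'
    to 'exploit_with_download'.
    """
    findings = OrderedDict()
    for r in rows:
        if is_text_inline_post(r):
            f = findings.setdefault(r["ip"], {
                "ip": r["ip"], "first_post": r["ts"], "posts": 0,
                "curl_requests": [], "verdict": "exploit_attempt",
            })
            f["posts"] += 1
        elif r["ip"] in findings and r["method"] == "GET" and "curl" in r["target"].lower():
            findings[r["ip"]]["curl_requests"].append(r["target"])
            findings[r["ip"]]["verdict"] = "exploit_with_download"
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(parse_access_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['verdict']} (POSTs={f['posts']}, first seen {f['first_post']})")
```

Run it against a real `access_log.*` file by replacing `SAMPLE_LOG` with the file contents; every POST to the template path is worth a look, but only the IPs whose later requests carry `curl` line up with the download behavior described in this incident.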
As a result of the curl command execution, the file w.sh was written to the /tmp/ directory on the system. The file is a bash script that enumerates the operating system, downloads the cryptomining installation files, and then executes the cryptomining binary. The bash script then executes a wget command to download javs.tar.gz from IP address 38.6.173[.]11 over port 80. The file was identified as XMRigCC cryptomining malware, which caused a spike in system resource utilization consistent with cryptomining activity. The service javasgs_miner.service was created on the system and set to run as root to ensure persistence.
Code snippet contained within w.sh defining communication parameters for the downloading and execution of the XMRigCC binary.
Rapid7 identified additional log evidence within Catalina.log that references the download of the above file inside of an HTTP response header. This response was registered as 'invalid' because it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the Catalina log entry below may prove useful for analysts to identify additional proof of attempted or successful exploitation.
| Catalina Log Entry |
|---|
| WARNING [http-nio-8090-exec-239 url: /rest/table-filter/.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [HTTP://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz...] has been removed from the response because it is invalid |
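Tomcat writes the "has been removed from the response because it is invalid" warning whenever it strips a response header it cannot serialize, so the entry above is a cheap thing to hunt for across a Catalina log: a stripped header that carries a URL, or a non-standard name such as X-Cmd-Response, deserves an analyst's attention, while most other occurrences are ordinary application bugs. The following is an added example, not code from the blog; the sample lines are constructed, the download host is a TEST-NET placeholder rather than the incident's IP, and the benign X-Trace-Id line is invented purely to show the filter.

```python
import re

# Message format logged by org.apache.coyote.http11.Http11Processor.prepareResponse
# (quoted in the blog's Catalina entry) when an invalid response header is dropped.
REMOVED_HEADER_RE = re.compile(
    r"The HTTP response header \[(?P<name>[^\]]+)\] with value \[(?P<value>[^\]]*)\] "
    r"has been removed from the response because it is invalid"
)
URL_RE = re.compile(r"(?i)\bhttps?://[^\s\]]+")

# Constructed sample catalina.out lines (placeholder addresses, not incident IOCs).
SAMPLE_CATALINA = """\
27-Feb-2024 10:00:05.101 INFO [main] com.atlassian.confluence.lifecycle contextInitialized Starting Confluence
27-Feb-2024 10:00:09.512 WARNING [http-nio-8090-exec-3] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://203.0.113.99/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz...] has been removed from the response because it is invalid
27-Feb-2024 10:02:41.007 WARNING [http-nio-8090-exec-7] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Trace-Id] with value [abc123] has been removed from the response because it is invalid
"""


def defang(url):
    """Neutralize a URL for reporting: scheme -> hxxp, last octet of an IPv4 host bracketed."""
    url = re.sub(r"(?i)^http", "hxxp", url)
    return re.sub(r"(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})", r"\1[.]\2", url, count=1)


def scan_catalina(text):
    """Return every stripped-header warning with the header name, any URLs in its
    value (defanged), and a 'suspicious' flag for URL-bearing or X-Cmd-* headers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REMOVED_HEADER_RE.search(line)
        if not m:
            continue
        urls = URL_RE.findall(m.group("value"))
        findings.append({
            "line": lineno,
            "header": m.group("name"),
            "urls": [defang(u) for u in urls],
            "suspicious": bool(urls) or m.group("name").lower().startswith("x-cmd"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_catalina(SAMPLE_CATALINA):
        tag = "SUSPICIOUS" if f["suspicious"] else "benign"
        print(f"line {f['line']}: {tag} header {f['header']} urls={f['urls']}")
```

The extracted, defanged URL is what goes into the IOC list and into a firewall/proxy search for other hosts that fetched the same file.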
Rapid7 then shifted focus to begin a review of system network connections on both servers. Evidence showed an active connection to the known abused IP address 193.29.13[.]179, communicating over port 8888 from both servers. The netstat command output showed that the source program of the network connection was called X-org and was located in the system's /tmp directory. Based on firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamps of the identified X-org file creation. Rapid7 identified another malicious file residing on the secondary server named X0. Both files shared the same SHA256 hash, indicating that they are the same binary. The hashes of these files have been provided in the IOCs section below.
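Two host-side checks from the paragraph above, and from the later tool drops in /var/tmp and /dev/shm, are easy to automate: tie each established connection back to the executable behind it and flag connections to a known C2 address or port or from a program running out of a world-writable directory, then hash the files found there so that renamed copies of one binary (X-org and X0 here) and matches against published IOC hashes fall out. The following is an added example, not code from Rapid7 or the blog; the `ss -tnp` output, the pid-to-executable map (on a live host you would read `/proc/<pid>/exe`), the file contents and the stand-in IOC hash are all constructed, and the addresses are TEST-NET placeholders.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# World-writable staging directories used for every dropped file in this incident
# (/tmp/X-org, /tmp/X0, /tmp/w.sh, /var/tmp/f, /var/tmp/kerbrute_linux_amd64, /dev/shm/traitor-amd64).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# One `ss -tnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SS_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)

# Constructed `ss -tnp` output and a constructed pid -> executable map.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:49812 203.0.113.50:8888 users:(("X-org",pid=4242,fd=5))
ESTAB 0 0 10.0.0.5:8090 198.51.100.7:51320 users:(("java",pid=1337,fd=61))
"""
SAMPLE_EXE = {4242: "/tmp/X-org", 1337: "/opt/atlassian/confluence/jre/bin/java"}


def parse_ss(text):
    """Parse `ss -tnp` rows into dicts; the header row does not match and is skipped."""
    conns = []
    for m in filter(None, map(SS_RE.match, text.splitlines())):
        peer_ip, peer_port = m.group("peer").rsplit(":", 1)
        conns.append({"state": m.group("state"), "peer_ip": peer_ip,
                      "peer_port": int(peer_port), "proc": m.group("proc"),
                      "pid": int(m.group("pid"))})
    return conns


def flag_connections(conns, ioc_ips, ioc_ports, exe_by_pid):
    """Attach the executable path to each connection and collect reasons to look closer."""
    flagged = []
    for c in conns:
        exe = exe_by_pid.get(c["pid"], "")
        reasons = []
        if c["peer_ip"] in ioc_ips:
            reasons.append("peer is a known C2 address")
        if c["peer_port"] in ioc_ports:
            reasons.append(f"peer port {c['peer_port']} matches the C2 port")
        if exe.startswith(SUSPECT_DIRS):
            reasons.append(f"process runs from a world-writable directory ({exe})")
        if reasons:
            flagged.append({**c, "exe": exe, "reasons": reasons})
    return flagged


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(paths, ioc_hashes):
    """Hash each file; report IOC matches and byte-identical copies under different names."""
    by_hash = defaultdict(list)
    for p in paths:
        by_hash[sha256_file(p)].append(p)
    return {"ioc_matches": {h: ps for h, ps in by_hash.items() if h in ioc_hashes},
            "duplicates": {h: ps for h, ps in by_hash.items() if len(ps) > 1}}


def demo():
    """Run both checks on constructed data and return a summary."""
    flagged = flag_connections(parse_ss(SAMPLE_SS), ioc_ips={"203.0.113.50"},
                               ioc_ports={8888}, exe_by_pid=SAMPLE_EXE)
    # Stage files the way the blog describes: the same dropper under two names plus one other binary.
    fake_sliver = b"\x7fELF" + b"constructed sample, not malware"
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in (("X-org", fake_sliver), ("X0", fake_sliver), ("f", b"\x7fELF" + b"other")):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths.append(p)
        # Stand-in for a published IOC hash (the incident's real hashes are in the IOC table below).
        hunt = hunt_files(paths, {hashlib.sha256(fake_sliver).hexdigest()})
    names = lambda groups: sorted(os.path.basename(p) for ps in groups.values() for p in ps)
    return {"flagged": flagged, "ioc_match_names": names(hunt["ioc_matches"]),
            "duplicate_names": names(hunt["duplicates"])}


if __name__ == "__main__":
    print(demo())
```

On a real host, feed `flag_connections` the output of `ss -tnp` and a map built from `os.readlink(f"/proc/{pid}/exe")`, and pass `hunt_files` a listing of the three staging directories together with the hashes from the IOC table.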
A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available indicators of compromise (IOCs). Within the Sliver payload, Rapid7 confirmed that the IP address 193.29.13[.]179 would be communicated with over port 8888 using the mTLS authentication protocol.
After Sliver first communicated with the C2, it checked the username associated with the current session on the local system, read /etc/passwd and /etc/machine-id, and then communicated with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and any accounts on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic, further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.
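Because the Sliver session here used mTLS, the traffic content is opaque to a firewall; what the firewall logs still give you is the pattern: repeated connections from one server to one external address and port, with near-constant spacing and small, similar byte counts, interrupted by larger transfers when a task runs. The following is an added example, not code from Rapid7 or the blog, of summarizing a firewall export per flow and flagging clockwork check-ins and known C2 destinations. The CSV layout, the timestamps and the TEST-NET addresses are constructed assumptions; adapt the parser to whatever your aggregator exports.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall export (generic CSV; placeholder addresses, not incident IOCs).
SAMPLE_FW_LOG = """\
ts,src,dst,dport,bytes_out,bytes_in
2024-02-27T09:00:00,10.0.0.5,10.0.0.9,443,1200,8800
2024-02-27T09:00:05,10.0.0.5,10.0.0.9,443,900,15000
2024-02-27T09:05:05,10.0.0.5,10.0.0.9,443,2400,60200
2024-02-27T09:05:45,10.0.0.5,10.0.0.9,443,300,1100
2024-02-27T09:20:45,10.0.0.5,10.0.0.9,443,700,9000
2024-02-27T09:21:05,10.0.0.5,10.0.0.9,443,500,700
2024-02-27T10:00:00,10.0.0.5,203.0.113.50,8888,640,512
2024-02-27T10:01:00,10.0.0.5,203.0.113.50,8888,640,512
2024-02-27T10:01:58,10.0.0.5,203.0.113.50,8888,640,512
2024-02-27T10:03:00,10.0.0.5,203.0.113.50,8888,704,512
2024-02-27T10:04:01,10.0.0.5,203.0.113.50,8888,640,512
2024-02-27T10:05:00,10.0.0.5,203.0.113.50,8888,640,9216
2024-02-27T10:06:00,10.0.0.5,203.0.113.50,8888,640,512
2024-02-27T10:07:00,10.0.0.5,203.0.113.50,8888,640,512
"""


def parse_firewall_log(text):
    """CSV with a header row -> list of dicts with typed ts, dport and byte counts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"], rec["bytes_in"] = int(rec["bytes_out"]), int(rec["bytes_in"])
        rows.append(rec)
    return rows


def summarize_flows(rows):
    """Group by (src, dst, dport) and measure volume and inter-arrival regularity."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["dport"])].append(r)
    flows = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps) if gaps else 0.0
        # Coefficient of variation of the gaps: near 0 means clockwork spacing,
        # typical of an implant check-in; human-driven traffic is far burstier.
        cv = pstdev(gaps) / avg if len(gaps) > 1 and avg > 0 else None
        flows[key] = {"flow": key, "count": len(recs),
                      "bytes_out": sum(r["bytes_out"] for r in recs),
                      "bytes_in": sum(r["bytes_in"] for r in recs),
                      "mean_gap_s": avg, "gap_cv": cv}
    return flows


def flag_beacons(flows, ioc_ips=frozenset(), min_count=5, max_cv=0.2):
    """Flag flows to known C2 addresses and flows with regular spacing over enough samples."""
    flagged = []
    for f in flows.values():
        reasons = []
        if f["flow"][1] in ioc_ips:
            reasons.append("destination is a known C2 address")
        if f["count"] >= min_count and f["gap_cv"] is not None and f["gap_cv"] <= max_cv:
            reasons.append(f"{f['count']} connections every ~{f['mean_gap_s']:.0f}s (cv={f['gap_cv']:.2f})")
        if reasons:
            flagged.append({**f, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_beacons(summarize_flows(parse_firewall_log(SAMPLE_FW_LOG)), ioc_ips={"203.0.113.50"}):
        src, dst, port = f["flow"]
        print(f"{src} -> {dst}:{port}: out={f['bytes_out']}B in={f['bytes_in']}B; " + "; ".join(f["reasons"]))
```

The regularity test is only useful over a long enough window; tune `min_count` and `max_cv` to the log volume you have, and note that jittered implants need a larger `max_cv` at the cost of more benign hits.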
The Sliver C2 connection was later used to execute wget commands to download Kerbrute, Traitor, and Fscan to the server. Kerbrute was executed from /dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. The Traitor binary was executed from the /var/tmp directory and contains capabilities to exploit Pwnkit and Dirty Pipe, as seen in evidence from the system. Fscan was executed from the /var/tmp directory with the filename f and performed scans to enumerate systems present within the environment. Rapid7 performed containment actions to stop any further threat actor activity. No additional post-exploitation objectives were identified within the environment.
Mitigation Guidance
To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:
- Ensure that unnecessary ports and services are disabled on publicly-facing servers.
- All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.
- Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.
- Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.
- Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.
MITRE ATT&CK Techniques
| Tactics | Techniques | Details |
|---|---|---|
| Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection |
| Discovery | Domain Account Discovery (T1087) | Kerbrute enumeration of Active Directory |
| Reconnaissance | Active Scanning (T1595) | Fscan enumeration |
| Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation |
| Execution | Unix Shell (T1059.004) | Sliver payload and subsequent command execution |
| Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute-force component |
| Credential Access | OS Credential Dumping (T1003.008) | Extracting contents of the /etc/passwd file |
| Impact | Resource Hijacking (T1496) | Executing cryptomining software |
| Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline abuse in Confluence logs |
Indicators of Compromise
| Attribute | Value | Description |
|---|---|---|
| Filename and Path | /dev/shm/traitor-amd64 | Privilege escalation binary |
| SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash of Traitor binary |
| Filename and Path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory |
| SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash of Kerbrute binary |
| Filename and Path | /var/tmp/f | Fscan enumeration |
| SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash of Fscan binary |
| Filename and Path | /tmp/X0 | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of Sliver binary |
| Filename and Path | /tmp/X-org | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of Sliver binary |
| IP Address | 193.29.13.179 | Sliver C2 IP address |
| Filename and Path | /tmp/w.sh | Bash script for the XMRigCC cryptominer |
| SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash of bash script |
| Filename and Path | /tmp/javs.tar.gz | Compressed cryptominer installation files |
| SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash of cryptominer installation files |
| Behavioral IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by a GET request containing curl | Exploitation behavior in Confluence access.log |
| IP Address | 195.80.148.18 | IP address associated with text-inline exploitation and curl |
| IP Address | 103.159.133.23 | IP address associated with text-inline exploitation and curl |