Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage
A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector.
"The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory," the company said.
"After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment."
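The parent-process relationship described above (enumeration commands spawned by tomcat9.exe from the Confluence directory) is a usable detection signal. The following is an added example, not code from the article or the investigating company: a Python check over constructed process-creation records. The record format, the Confluence install path and the list of enumeration tools are assumptions.

```python
"""Flag enumeration tools spawned by the Confluence Tomcat service process.

A healthy Confluence service almost never launches shells or Active Directory
enumeration utilities; a child of tomcat9.exe that does is worth an alert.
"""
import re
from dataclasses import dataclass

# Assumed list of local/network/AD enumeration tools (not taken from the article).
ENUM_TOOLS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe",
              "nltest.exe", "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "dsquery.exe"}
# Assumed install location; adjust to the deployment's actual Confluence directory.
CONFLUENCE_DIR_RE = re.compile(r"\\atlassian\\confluence\\", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed key="value" process-creation record."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])

def is_suspicious(ev: ProcEvent) -> bool:
    """True when tomcat9.exe inside the Confluence directory spawns an enumeration tool."""
    parent_name = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child_name = ev.image.rsplit("\\", 1)[-1].lower()
    return (parent_name == "tomcat9.exe"
            and CONFLUENCE_DIR_RE.search(ev.parent_image) is not None
            and child_name in ENUM_TOOLS)

def find_suspicious(lines):
    """Return the parsed events that match the detection."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample telemetry; not real incident data.
SAMPLE_EVENTS = [
    'ParentImage="C:\\Program Files\\Atlassian\\Confluence\\bin\\tomcat9.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
    'ParentImage="C:\\Program Files\\Atlassian\\Confluence\\bin\\tomcat9.exe" Image="C:\\Windows\\System32\\nltest.exe" CommandLine="nltest /dclist:"',
    'ParentImage="C:\\Program Files\\Atlassian\\Confluence\\bin\\tomcat9.exe" Image="C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe" CommandLine="java -version"',
    'ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_image} child={ev.image} cmd={ev.command_line}")
```

The same parent-child check can be expressed in Sysmon Event ID 1 or EDR query terms; the tool list should be tuned against the environment's normal Confluence activity before alerting.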
The Atlassian vulnerability suspected to have been exploited is CVE-2022-26134, an Object-Graph Navigation Language injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance.
The attack chain is also notable for the deployment of a previously undocumented implant called Ljl Backdoor on the compromised server.
"The victim denied the threat actor the ability to laterally move within the environment by taking the server offline, potentially preventing the exfiltration of additional sensitive data and restricting the threat actor(s)' ability to conduct further malicious activities."
News URL
https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html
Related news
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor
- Hackers exploit ProjectSend flaw to backdoor exposed servers
- Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor
- Hackers Weaponize Visual Studio Code Remote Tunnels for Cyber Espionage
- Winnti hackers target other threat actors with new Glutton PHP backdoor
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2022-06-03 | CVE-2022-26134 | Expression Language Injection vulnerability in Atlassian Confluence Data Center and Confluence Server. In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. | 9.8 |