Security News > 2023 > November > Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers

Cybersecurity researchers have discovered a stealthy backdoor named Effluence that's deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

"The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence," Aon's Stroz Friedberg Incident Response Services said in an analysis published earlier this week.

"The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence."

The attack chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515, a critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.

The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload. "Several of the web shell functions depend on Confluence-specific APIs," security researcher Zachary Reichert said.

"However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin."

News URL

https://thehackernews.com/2023/11/alert-effluence-backdoor-persists.html