Security News > 2023 > November > Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers

Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers
2023-11-10 08:58

Cybersecurity researchers have discovered a stealthy backdoor named Effluence that's deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

"The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence," Aon's Stroz Friedberg Incident Response Services said in an analysis published earlier this week.

"The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence."

The attack chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515, a critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.

The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload. "Several of the web shell functions depend on Confluence-specific APIs," security researcher Zachary Reichert said.

"However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin."


News URL

https://thehackernews.com/2023/11/alert-effluence-backdoor-persists.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-10-04 CVE-2023-22515 Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
network
low complexity
atlassian
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Atlassian 58 56 275 59 36 426