SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Public exploit code worsens Atlassian Confluence vulnerability scenario
Description: Threat actors continue to target unpatched versions of Atlassian Confluence with public exploits. The vulnerability, CVE-2022-26134, initially arrived as a zero-day last week that affects all versions of the popular collaboration tool. If exploited, the attacker could completely take over the host and execute remote code on the targeted machine. The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations. Although a patch is publicly available, many instances of the software remain unpatched.
Snort SIDs: 59925-59934
Title: ChinaChopper web shell pops up again on backs of Atlassian bugs
Description: The ChinaChopper web shell is being spread as part of the attacks exploiting the zero-day vulnerability in Atlassian Confluence. Attackers exploiting CVE-2022-26134 install ChinaChopper but rarely access it, leading researchers to believe that it’s being used as a source of backup access. The nearly 11-year-old malware allows attackers to retain access to an infected system using a client-side application that contains all the logic required to control the target. Cisco Talos has documented several instances of different threat groups using China Chopper. This web shell is widely available, so almost any threat actor can use. This also means it's nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator.
Snort SIDs: 59928, 59931