Effluence backdoor persisted despite Atlassian Confluence’s patch

February 26, 2024
Tags: Effluence Backdoor, Atlassian Confluence, Data Breach, System Vulnerability, API

The Effluence backdoor is a tool that exploits a severe vulnerability in Atlassian Confluence, a compromise that remained unresolved despite the recently released patch meant to address it. Researchers explained that Effluence is a stealthy backdoor that can evade remediation by conventional patching alone.

The malware’s persistence is alarming because it enables its operators to move laterally within networks and facilitates the unauthorised exfiltration of sensitive data from Confluence. The most concerning aspect of this malicious tool, however, is that attackers can reach the backdoor remotely without authenticating to Confluence at all.

The Effluence backdoor operators exploit a severe flaw in Atlassian Confluence.

According to investigations, the hackers using the Effluence backdoor exploit CVE-2023-22515, a critical vulnerability in Atlassian Confluence with a CVSS score of 10.0. This vulnerability allows malicious actors to create unauthorised administrator accounts and gain access to Confluence servers.

Despite efforts to address this vulnerability, Atlassian later revealed another critical flaw, CVE-2023-22518, with a CVSS score of 10.0. This flaw enables attackers to establish a rogue administrator account, resulting in a complete compromise of confidentiality, integrity, and availability.

Subsequently, the attackers deploy a novel web shell that grants persistent remote access to every web page on the server. That coverage includes the unauthenticated login page, so the attacker needs no valid user account to reach the backdoor.

The web shell consists of a loader and a payload, and it remains passive until activated by a specific request parameter. Once activated, it carries out malicious actions such as creating a new admin account, purging logs to erase the forensic trail, executing arbitrary commands on the server, and collecting information about the Atlassian environment.

Researchers emphasised that while several of the web shell’s functions rely on Confluence-specific APIs, the plugin and loader mechanisms depend only on common Atlassian APIs. This detail raises concerns that the threat could apply to other Atlassian products such as JIRA and Bitbucket wherever an attacker is able to install the plugin.

These discoveries show that cybersecurity threats can persist and evolve even as patches and fixes are released. Businesses and organisations should adopt a proactive and comprehensive cybersecurity strategy, which is crucial to protecting sensitive data and maintaining the integrity of critical systems.
