Rapid7 Incident Response investigated two exposed Confluence servers that were exploited via CVE-2023-22527, leading to remote code execution and the deployment of cryptomining and Sliver C2 payloads. The Sliver C2 was then used to fetch additional tooling (Kerbrute, Traitor, Fscan) and afford credential access, highlighting observable attacker behavior and guiding mitigations. #CVE-2023-22527 #Confluence #Sliver #XMRigCC #Kerbrute #Traitor #Fscan
Keypoints
- Two public-facing Confluence servers were abused to gain Remote Code Execution via CVE-2023-22527.
- A cryptomining malware (XMRigCC) was dropped and run, with a script in /tmp/w.sh facilitating the download and execution.
- A Sliver C2 payload was deployed and then used to download additional tooling (Kerbrute, Traitor, Fscan) via wget.
- Sliver established a C2 channel to 193.29.13.179:8888 using mTLS, and later queried system details (passwd, machine-id) for credential access.
- Evidence included Confluence access logs, Catalina logs, and firewall/netstat data linking artifacts to C2 activity.
- Mitigation guidance emphasizes closing unnecessary ports, patching publicly-facing servers, centralized logging, geolocation blocks, and restricted shells where possible.
MITRE Techniques
- [T1071] Application Layer Protocol – Sliver C2 connection – “The Sliver C2 connection was later used to execute wget commands used to download Kerbrute, Traitor, and Fscan to the servers.”
- [T1087] Domain Account Discovery – Kerbrute enumeration of Active Directory – “Kerbrute enumeration of Active Directory”
- [T1595] Active Scanning – Fscan enumeration – “Fscan enumeration”
- [T1548.001] Setuid and Setgid – Traitor privilege escalation – “Traitor privilege escalation”
- [T1059.004] Unix Shell – The Sliver payload and follow-on command executions – “The Sliver payload and follow-on command executions”
- [T1110] Brute Force – Kerbrute Active Directory brute force component – “Kerbrute Active Directory brute force component”
- [T1003.008] OS Credential Dumping – Extracting the contents of /etc/passwd file – “Extracting the contents of /etc/passwd file”
- [T1496] Resource Hijacking – Execution of cryptomining software – “Execution of cryptomining software”
- [T1190] Exploit Public-Facing Application – Evidence of text-inline abuse within Confluence logs – “Evidence of text-inline abuse within Confluence logs”
Indicators of Compromise
- [IP Address] Sliver C2 IP address – 193.29.13.179, 38.6.173.11
- [Filename and Path] /dev/shm/traitor-amd64 – Traitor binary
- [SHA256] fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 – Traitor binary
- [Filename and Path] /var/tmp/kerbrute_linux_amd64 – Kerbrute binary
- [SHA256] 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a – Kerbrute binary
- [Filename and Path] /var/tmp/f – Fscan binary
- [SHA256] b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 – Fscan binary
- [Filename and Path] /tmp/X0 – Sliver binary
- [Filename and Path] /tmp/X-org – Sliver binary
- [SHA256] 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 – Sliver binary
- [IP Address] 193.29.13.179 – Sliver C2 IP address
- [Filename and Path] /tmp/w.sh – Bash script for XMrigCC cryptominer
- [SHA256] 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 – Bash script
- [Filename and Path] /tmp/javs.tar.gz – Compressed crypto installation files
- [SHA256] ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b – Crypto installation files
- [Log-Based IOC] “POST /template/aui/text-inline.vm HTTP/1.0 200” followed by GET request containing curl – Exploit behavior within Confluence access.log
- [IP Address] 195.80.148.18 – IP associated with exploit behavior of text-inline followed by curl
- [IP Address] 103.159.133.23 – IP associated with exploit behavior of text-inline followed by curl
Read more: https://www.rapid7.com/blog/post/2024/02/15/rce-to-sliver-ir-tales-from-the-field/