Protection Against Exploitation

First and foremost, it is highly recommended that administrators follow all guidance from the vendor (Atlassian) and apply any and all patches as soon as possible if their deployed servers match the known affected versions.  Please note that Confluence Cloud customers are not affected.

In addition to the vendor patch(es) that should be applied, Trend Micro has released supplementary rules, filters and detection patterns that may provide additional protection and detection of the malicious components associated with this attack, both for servers that have not already been compromised and against further attempted attacks.

Preventative Rules, Filters & Detection

Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
  • Rule 1005934 - Identified Suspicious Command Injection Attack
The following is a SMART rule that can be manually assigned to assist in protecting against and detecting suspicious command injection attacks that are reported to be associated with this threat. Please note that the rule ships in DETECT mode and must be manually changed to PREVENT if the administrator wishes to apply it in blocking mode.
  • Rule 1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
This rule is shipped in PREVENT mode by default and is included in the Recommendation Scan.


Trend Micro Cloud One - Network Security and TippingPoint Digital Vaccine
  • Filter 40260 - HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability

Trend Micro Deep Discovery Inspector
  • Rule 4623 - CVE-2021-26084_HTTP_CONFLUENCE_OGNL_RCE_EXPLOIT_REQUEST_SB

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Malicious file samples associated with known exploits of this vulnerability are detected as:
Filename | SHA1 | VSAPI Detection | Predictive Learning | Pattern Number (VSAPI)
-------- | ---- | --------------- | ------------------- | ----------------------
vmicguestvs.dll | 08f22c5fc0046af092c04917dddab5c2dc758767 | Trojan.Win64.TINYOMED.ZYII | Troj.Win32.TRX.XXPE50FFF047 | 16.945.00
x.bat | 9de8031b1018f9648547cda6d125bac4a9fbf03c | Trojan.BAT.TINYOMED.ZYII | | 16.945.00
unisntall.bat | 3a061abe6d7653f932096db6759f16a4d4a1b07c | Trojan.BAT.SVCLAUNCHER.ZYII | | 16.945.00
Jquery-3.3.1.min.js | d4efaf4e2d1dd23e40cb0a487a489c41364a4524 | Trojan.Win32.COBALT.SME.hp | | 16.785.00 (older detection)

In addition, the following associated URLs are being blocked via Web Reputation Services (WRS):

URL | Category
--- | --------
hxxp://213[.]152[.]165[.]29/ | C&C Server
hxxp://213[.]152[.]165[.]30/ | C&C Server
hxxp://213[.]152[.]165[.]29/x[.]bat | C&C Server
hxxp://213[.]152[.]165[.]29/uninstall[.]bat | C&C Server
hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll | C&C Server
hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll | C&C Server
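The two tables above are published in defanged form (hxxp:// and [.]), so they cannot be pasted directly into a log search or a hash lookup. The following Python script is an added example, not Trend Micro's code or any product feature: it transcribes the SHA1 hashes and URLs from the tables, refangs the URLs for matching only, and runs a simple sweep over a constructed proxy log (the log lines, the internal client addresses and the benign example.org entry are made up for illustration). The IP match uses word boundaries so that a near miss such as 213.152.165.290 does not produce a false hit.

```python
import hashlib
import re
from urllib.parse import urlparse

# IoCs transcribed from the article's file table: SHA1 -> (filename, VSAPI detection name).
FILE_HASHES = {
    "08f22c5fc0046af092c04917dddab5c2dc758767": ("vmicguestvs.dll", "Trojan.Win64.TINYOMED.ZYII"),
    "9de8031b1018f9648547cda6d125bac4a9fbf03c": ("x.bat", "Trojan.BAT.TINYOMED.ZYII"),
    "3a061abe6d7653f932096db6759f16a4d4a1b07c": ("unisntall.bat", "Trojan.BAT.SVCLAUNCHER.ZYII"),
    "d4efaf4e2d1dd23e40cb0a487a489c41364a4524": ("Jquery-3.3.1.min.js", "Trojan.Win32.COBALT.SME.hp"),
}

# URLs exactly as published (defanged). They are refanged only for string matching,
# never to be fetched.
DEFANGED_URLS = [
    "hxxp://213[.]152[.]165[.]29/",
    "hxxp://213[.]152[.]165[.]30/",
    "hxxp://213[.]152[.]165[.]29/x[.]bat",
    "hxxp://213[.]152[.]165[.]29/uninstall[.]bat",
    "hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll",
    "hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll",
]

# Constructed sample proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2021-09-01T10:00:01Z 10.0.0.5 GET http://example.org/index.html 200",
    "2021-09-01T10:02:17Z 10.0.0.12 GET http://213.152.165.29/vmicguestvs.dll 200",
    "2021-09-01T10:02:18Z 10.0.0.12 GET http://213.152.165.29/x.bat 200",
    "2021-09-01T10:05:44Z 10.0.0.7 GET http://213.152.165.290/ 404",  # near miss, must not match
    "2021-09-01T10:06:00Z 10.0.0.9 GET http://213.152.165.30/ 200",
]


def refang(url):
    """Undo hxxp:// and [.] defanging so the URL can be compared with real log data."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def c2_hosts():
    """Distinct hosts (here, IP addresses) named in the URL table."""
    return {urlparse(refang(u)).hostname for u in DEFANGED_URLS}


def scan_log(lines):
    """Return (line_number, host, best_matching_url) for each log line that names a listed host.

    best_matching_url is the longest published URL found in the line, so a request for
    vmicguestvs.dll is reported as that URL rather than as the bare host URL.
    """
    urls = {refang(u) for u in DEFANGED_URLS}
    hits = []
    for number, line in enumerate(lines, 1):
        for host in sorted(c2_hosts()):
            # \b on both sides: digits are word characters, so 213.152.165.290 will not match .29
            if re.search(r"\b" + re.escape(host) + r"\b", line):
                matched = max((u for u in urls if u in line), key=len, default=None)
                hits.append((number, host, matched))
    return hits


def lookup_sha1(digest):
    """Look up a SHA1 (any case, surrounding whitespace tolerated) in the published hash table."""
    return FILE_HASHES.get(digest.strip().lower())


def classify_bytes(data):
    """Hash raw file content and return (filename, detection) if it matches a listed sample."""
    return lookup_sha1(hashlib.sha1(data).hexdigest())


if __name__ == "__main__":
    for number, host, url in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {number}: contact with {host} ({url})")
    print(classify_bytes(b"benign content"))  # None: not a listed sample
```

To use this against real data, feed `scan_log` the lines of a proxy, firewall or Confluence access log and pass the contents of suspicious files (for example anything dropped under the Confluence installation directory) to `classify_bytes`; a hash miss only means the file is not one of the four published samples, not that it is clean.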


Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.

References