Protection Against Exploitation
First and foremost, it is highly recommended that administrators follow all guidance from the vendor (Atlassian) and apply any and all patches as soon as possible if their deployed servers match the known affected versions. Please note that Confluence Cloud customers are not affected. In addition to the vendor patch(es) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection and detection of malicious components associated with this attack, both on servers that have not already been compromised and against further attempted attacks.
Preventative Rules, Filters & Detection
Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
- Rule 1005934 - Identified Suspicious Command Injection Attack
- Rule 1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
Trend Micro Cloud One - Network Security and TippingPoint Digital Vaccine
- Filter 40260 - HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability
Trend Micro Deep Discovery Inspector
- Rule 4623 - CVE-2021-26084_HTTP_CONFLUENCE_OGNL_RCE_EXPLOIT_REQUEST_SB
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)
Malicious file samples associated with known exploits of this vulnerability are detected as:
Filename | SHA1 | VSAPI Detection | Predictive Learning | Pattern Number (VSAPI) |
---|---|---|---|---|
vmicguestvs.dll | 08f22c5fc0046af092c04917dddab5c2dc758767 | Trojan.Win64.TINYOMED.ZYII | Troj.Win32.TRX.XXPE50FFF047 | 16.945.00 |
x.bat | 9de8031b1018f9648547cda6d125bac4a9fbf03c | Trojan.BAT.TINYOMED.ZYII | | 16.945.00 |
unisntall.bat | 3a061abe6d7653f932096db6759f16a4d4a1b07c | Trojan.BAT.SVCLAUNCHER.ZYII | | 16.945.00 |
Jquery-3.3.1.min.js | d4efaf4e2d1dd23e40cb0a487a489c41364a4524 | Trojan.Win32.COBALT.SME.hp | | 16.785.00 (older detection) |
In addition, the following associated URLs are being blocked via Web Reputation Services (WRS):
URL | Category |
---|---|
hxxp://213[.]152[.]165[.]29/ | C&C Server |
hxxp://213[.]152[.]165[.]30/ | C&C Server |
hxxp://213[.]152[.]165[.]29/x[.]bat | C&C Server |
hxxp://213[.]152[.]165[.]29/uninstall[.]bat | C&C Server |
hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll | C&C Server |
hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll | C&C Server |
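As an added example (not code from this article or from Trend Micro), a small Python sweep that refangs the indicators listed in the two tables above and checks them against constructed proxy-log lines and a constructed SHA-1 file inventory, the way a defender would triage a Confluence host or its egress logs after reading this advisory:

```python
import re

# Indicators copied from the tables above, defanged exactly as published.
C2_URLS = [
    "hxxp://213[.]152[.]165[.]29/",
    "hxxp://213[.]152[.]165[.]30/",
    "hxxp://213[.]152[.]165[.]29/x[.]bat",
    "hxxp://213[.]152[.]165[.]29/uninstall[.]bat",
    "hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll",
    "hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll",
]
KNOWN_SHA1 = {
    "08f22c5fc0046af092c04917dddab5c2dc758767": "vmicguestvs.dll",
    "9de8031b1018f9648547cda6d125bac4a9fbf03c": "x.bat",
    "3a061abe6d7653f932096db6759f16a4d4a1b07c": "unisntall.bat",
    "d4efaf4e2d1dd23e40cb0a487a489c41364a4524": "Jquery-3.3.1.min.js",
}

def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return url.replace("hxxp", "http").replace("[.]", ".")

# Hosts to match on; the path is not required, a hit on the host alone is enough.
C2_HOSTS = {re.match(r"https?://([^/]+)/", refang(u)).group(1) for u in C2_URLS}

def scan_proxy_log(lines):
    """Return (line_no, host) for each line whose destination is a listed C&C host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://([^/\s]+)", line)
        if m and m.group(1) in C2_HOSTS:
            hits.append((n, m.group(1)))
    return hits

def match_file_hashes(inventory):
    """inventory: {path: sha1 hex} as exported by an EDR/hash tool; returns hits."""
    return {p: KNOWN_SHA1[h.lower()] for p, h in inventory.items() if h.lower() in KNOWN_SHA1}

# Constructed sample data (not real logs): one benign line and two C&C fetches.
SAMPLE_LOG = [
    "2021-09-01T10:00:01Z 10.0.0.5 GET http://updates.example.com/index.html 200",
    "2021-09-01T10:00:07Z 10.0.0.8 GET http://213.152.165.29/vmicguestvs.dll 200",
    "2021-09-01T10:01:13Z 10.0.0.8 GET http://213.152.165.30/ 200",
]
SAMPLE_INVENTORY = {
    "C:\\Windows\\System32\\vmicguestvs.dll": "08F22C5FC0046AF092C04917DDDAB5C2DC758767",
    "C:\\Windows\\System32\\kernel32.dll": "0000000000000000000000000000000000000000",
}
```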
Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.