Filename

SHA1

VSAPI Detection

Predictive Learning

Pattern Number (VSAPI)

vmicguestvs.dll

08f22c5fc0046af092c04917dddab5c2dc758767

Trojan.Win64.TINYOMED.ZYII

Troj.Win32.TRX.XXPE50FFF047

16.945.00

x.bat

9de8031b1018f9648547cda6d125bac4a9fbf03c

Trojan.BAT.TINYOMED.ZYII

16.945.00

unisntall.bat

3a061abe6d7653f932096db6759f16a4d4a1b07c

Trojan.BAT.SVCLAUNCHER.ZYII

16.945.00

Jquery-3.3.1.min.js

d4efaf4e2d1dd23e40cb0a487a489c41364a4524

Trojan.Win32.COBALT.SME.hp

16.785.00(older detection)

URL

SECURITY ALERT: Mass Exploitation of Atlassian Confluence (CVE-2021-26084)

Product / Version includes:

Last updated: 2021/09/09

Solution ID: KA-0012323

Category: Remove a Malware / Virus

Summary

Sept 8th Update: New Deep Discovery Inspector (DDI) rule

On August 25, 2021, Atlassian released a security advisory and associated patches for several on-premise versions of its popular Confluence Server and Data Center products to address a Remote Code Execution (RCE) vulnerability (CVE-2021-26084). This vulnerability is said to potentially allow unauthenticated attackers to remotely execute command on affected servers and is rated as CRITICAL (CVSSv3 9.8).

On September 3, 2021, the United States Cyber Command (USCYBERCOMM) issued a public alert recommending that administrators prioritize their efforts to patch their servers as soon as possible due to the increased exploitation in-the-wild (ITW) being observed.

Protection Against Exploitation

First and foremost, it is highly recommended that administrators follow all guidance from the vendor (Atlassian) and apply any and all patches as soon as possible if their deployed servers match the known affected versions. Please note that Confluence Cloud customers are not affected.

In addition to the vendor patch(s) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection and detection of malicious components associated with this attack servers that have not already been compromised or against further attempted attacks.

Preventative Rules, Filters & Detection

Trend Micro Cloud One - Workload Security and Deep Security IPS Rules

Rule 1005934 - Identified Suspicious Command Injection Attack

The following rule is a SMART rule that can be manually assigned to assist in protection/detection against suspicious Command Injection attacks which are said to be associated with this threat. Please note that the rule is shipped in DETECT, and must be manually changed to PREVENT if the administrator wishes to apply this.

Rule 1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)

This rule is shipped in PREVENT mode by default and is included in the Recommendation Scan.

Trend Micro Cloud One - Network Security and TippingPoint Digital Vaccine

Filter 40260 - HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability

Trend Micro Deep Discovery Inspector

Rule 4623 - CVE-2021-26084_HTTP_CONFLUENCE_OGNL_RCE_EXPLOIT_REQUEST_SB

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Malicious file samples associated with known exploits of this vulnerability are detected as:

Filename	SHA1	VSAPI Detection	Predictive Learning	Pattern Number (VSAPI)
vmicguestvs.dll	08f22c5fc0046af092c04917dddab5c2dc758767	Trojan.Win64.TINYOMED.ZYII	Troj.Win32.TRX.XXPE50FFF047	16.945.00
x.bat	9de8031b1018f9648547cda6d125bac4a9fbf03c	Trojan.BAT.TINYOMED.ZYII		16.945.00
unisntall.bat	3a061abe6d7653f932096db6759f16a4d4a1b07c	Trojan.BAT.SVCLAUNCHER.ZYII		16.945.00
Jquery-3.3.1.min.js	d4efaf4e2d1dd23e40cb0a487a489c41364a4524	Trojan.Win32.COBALT.SME.hp		16.785.00(older detection)

In addition, the following associated URLs being being blocked via Web Reputation Services (WRS):

URL	Category
hxxp://213[.]152[.]165[.]29/	C&C Server
hxxp://213[.]152[.]165[.]30/	C&C Server
hxxp://213[.]152[.]165[.]29/x[.]bat	C&C Server
hxxp://213[.]152[.]165[.]29/uninstall[.]bat	C&C Server
hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll	C&C Server
hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll	C&C Server

Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.

References

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

SECURITY ALERT: Mass Exploitation of Atlassian Confluence (CVE-2021-26084)

Protection Against Exploitation

Preventative Rules, Filters & Detection

References

SECURITY ALERT: Mass Exploitation of Atlassian Confluence (CVE-2021-26084)

Product / Version includes:

Summary

Protection Against Exploitation

Preventative Rules, Filters & Detection

References