SECURITY ALERT: Mass Exploitation of Atlassian Confluence (CVE-2021-26084)

Updated: 9 Sep 2021
Summary
Sept 8th Update: New Deep Discovery Inspector (DDI) rule

On August 25, 2021, Atlassian released a security advisory and associated patches for several on-premise versions of its popular Confluence Server and Data Center products to address a Remote Code Execution (RCE) vulnerability (CVE-2021-26084). This vulnerability is reported to allow unauthenticated attackers to remotely execute commands on affected servers and is rated CRITICAL (CVSSv3 9.8).

On September 3, 2021, the United States Cyber Command (USCYBERCOM) issued a public alert recommending that administrators prioritize patching their servers as soon as possible because of the increased in-the-wild (ITW) exploitation being observed.
 
Details

Protection Against Exploitation

First and foremost, it is highly recommended that administrators follow all guidance from the vendor (Atlassian) and apply any and all patches as soon as possible if their deployed servers match the known affected versions. Please note that Confluence Cloud customers are not affected.

In addition to the vendor patch(es) that should be applied, Trend Micro has released supplementary rules, filters and detection patterns that may provide additional protection for servers that have not already been compromised, and additional detection of malicious components associated with this attack or with further attempted attacks.
 

Preventative Rules, Filters & Detection

Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
  • Rule 1005934 - Identified Suspicious Command Injection Attack
    This is a SMART rule that can be manually assigned to assist in protecting against and detecting suspicious Command Injection attacks that are said to be associated with this threat. Please note that the rule ships in DETECT mode and must be manually changed to PREVENT if the administrator wants it to block rather than only log.
  • Rule 1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
    This rule ships in PREVENT mode by default and is included in the Recommendation Scan.


Trend Micro Cloud One - Network Security and TippingPoint Digital Vaccine
  • Filter 40260 - HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability

Trend Micro Deep Discovery Inspector
  • Rule 4623 - CVE-2021-26084_HTTP_CONFLUENCE_OGNL_RCE_EXPLOIT_REQUEST_SB

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Malicious file samples associated with known exploits of this vulnerability are detected as:
Filename | SHA1 | VSAPI Detection | Predictive Learning | Pattern Number (VSAPI)
vmicguestvs.dll | 08f22c5fc0046af092c04917dddab5c2dc758767 | Trojan.Win64.TINYOMED.ZYII | Troj.Win32.TRX.XXPE50FFF047 | 16.945.00
x.bat | 9de8031b1018f9648547cda6d125bac4a9fbf03c | Trojan.BAT.TINYOMED.ZYII | (none) | 16.945.00
unisntall.bat | 3a061abe6d7653f932096db6759f16a4d4a1b07c | Trojan.BAT.SVCLAUNCHER.ZYII | (none) | 16.945.00
Jquery-3.3.1.min.js | d4efaf4e2d1dd23e40cb0a487a489c41364a4524 | Trojan.Win32.COBALT.SME.hp | (none) | 16.785.00 (older detection)

In addition, the following associated URLs are being blocked via Web Reputation Services (WRS):
URL | Category
hxxp://213[.]152[.]165[.]29/ | C&C Server
hxxp://213[.]152[.]165[.]30/ | C&C Server
hxxp://213[.]152[.]165[.]29/x[.]bat | C&C Server
hxxp://213[.]152[.]165[.]29/uninstall[.]bat | C&C Server
hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll | C&C Server
hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll | C&C Server
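For administrators who want to check their own web-proxy logs for contact with the WRS-blocked URLs above, the following added example (not Trend Micro code, and not part of the original article) refangs the defanged indicators, blocks a host outright when the indicator has no path, and matches constructed sample log lines in an assumed "time client METHOD url status" format:

```python
import re
from urllib.parse import urlsplit

# URL indicators exactly as the alert lists them (defanged with hxxp and [.])
DEFANGED_IOCS = [
    "hxxp://213[.]152[.]165[.]29/",
    "hxxp://213[.]152[.]165[.]30/",
    "hxxp://213[.]152[.]165[.]29/x[.]bat",
    "hxxp://213[.]152[.]165[.]29/uninstall[.]bat",
    "hxxp://213[.]152[.]165[.]29/vmicguestvs[.]dll",
    "hxxp://213[.]152[.]165[.]30/vmicguestvs[.]dll",
]
# Constructed proxy log lines; the field layout is an assumption for this example
SAMPLE_LOG = [
    "2021-09-01T10:00:01Z 10.0.0.5 GET http://213.152.165.29/vmicguestvs.dll 200",
    "2021-09-01T10:00:02Z 10.0.0.5 GET http://213.152.165.30:80/other.txt 404",
    "2021-09-01T10:00:03Z 10.0.0.7 GET https://www.atlassian.com/ 200",
    "malformed line",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable URL: hxxp -> http, [.] -> ."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip()).replace("[.]", ".")

def build_blocklist(iocs):
    """Indicators with no path block the whole host; the rest become exact URLs."""
    hosts, urls = set(), set()
    for ioc in iocs:
        url = refang(ioc)
        parts = urlsplit(url)
        if parts.path in ("", "/"):
            hosts.add(parts.hostname)
        else:
            urls.add(url)
    return hosts, urls

def match_log(lines, hosts, urls):
    """Return (line_no, url, reason) for each log line whose URL hits the blocklist."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # skip lines that are not in the expected format
        url = fields[3]
        if url in urls:
            hits.append((n, url, "exact-url"))
        elif urlsplit(url).hostname in hosts:  # hostname drops any :port suffix
            hits.append((n, url, "host"))
    return hits

if __name__ == "__main__":
    hosts, urls = build_blocklist(DEFANGED_IOCS)
    for hit in match_log(SAMPLE_LOG, hosts, urls):
        print(hit)
```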


Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.
Category: Remove a Malware / Virus
Solution Id: 000288772