"Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor"

Cybersecurity experts at Deepwatch spotted activity from a threat actor that "highly likely" exploited a security flaw in Atlassian Confluence Server (CVE-2022-26134) to deploy a new backdoor dubbed "Ljl" against several unnamed organizations.  The researchers stated that after gaining initial access, the threat actor, tracked as TAC-040, ran various commands to enumerate the local system, the network, and the Active Directory environment.  The researchers also stated that the threat actor likely used RAR and 7zip to archive files and folders from multiple directories, including registry hives.  According to network logs, the threat actor exfiltrated a total of around 700 MB of archived data before the victim took the server offline.  Before the server was disconnected, however, the threat actor dropped a never-before-seen backdoor called "Ljl Backdoor" onto the compromised host.  The researchers stated that the threat actor has the capability to create or obtain custom, never-before-seen malware.  In terms of motive, the researchers indicated that the attack was likely espionage-related, but they cannot completely rule out a financial motive, since they also spotted a loader for an XMRig cryptocurrency miner on the system.  The researchers noted that TAC-040's targets were organizations that conduct research in healthcare, education, international development, and environmental and agricultural fields, as well as some that provide technical services.  The Atlassian vulnerability suspected to have been exploited by TAC-040 is an Object-Graph Navigation Language (OGNL) injection bug that allows arbitrary code execution on a Confluence Server or Data Center instance.  Atlassian addressed the vulnerability in June, but this is not the first time since then that unpatched systems have been exploited.
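Because CVE-2022-26134 is exploited by placing an OGNL expression in the HTTP request path, a defender's first check on a suspected Confluence host is to scan the access log for paths that decode to a `${...}` expression. The following is an added example written for this summary, not code from Deepwatch, Atlassian or Infosecurity: it parses common-log-format lines, URL-decodes the path (repeatedly, so that double-encoded requests are not missed), and reports any request whose decoded path carries an OGNL expression. The log lines are constructed for the example; the IP addresses, timestamps and commands in them are not from the reported intrusion.

```python
"""Flag HTTP requests whose path carries an OGNL expression (the
CVE-2022-26134 injection vector) in sample Confluence access-log lines.

Added example for this summary; not the vendor's or the researchers' tooling.
SAMPLE_LOG below is constructed, not captured from any real server.
"""
import re
from urllib.parse import unquote

# Common log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# An OGNL expression embedded in a path looks like "${...}" once decoded.
# Exploit requests for CVE-2022-26134 carried the expression in the path,
# usually URL-encoded ("%24%7B" for "${"), so we match on the decoded form.
OGNL_RE = re.compile(r'\$\{.*\}')


def normalize(path, max_rounds=3):
    """URL-decode the path until it stops changing (bounded), so that
    double-encoded payloads such as %2524%257B are still recognised."""
    prev, cur = None, path
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def find_ognl_requests(lines):
    """Return one record per log line whose decoded path contains ${...}."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        decoded = normalize(m.group("path"))
        if OGNL_RE.search(decoded):
            hits.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "method": m.group("method"),
                "path": decoded,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123',
    # single URL-encoded OGNL expression in the path
    '198.51.100.23 - - [03/Jun/2022:10:02:45 +0000] "GET /%24%7B%40java.lang.Runtime'
    '%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [03/Jun/2022:10:03:01 +0000] "GET /display/DOC/Home HTTP/1.1" 200 88120',
    # double URL-encoded variant of the same shape
    '198.51.100.23 - - [03/Jun/2022:10:04:19 +0000] "GET /%2524%257B%2540java.lang.Runtime'
    '%2540getRuntime%2528%2529.exec%2528%2522whoami%2522%2529%257D/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["status"]} {hit["path"]}')
```

A match on this pattern is a strong indicator but not proof of compromise; the status code and what the server did next (child processes of the Confluence JVM, new files under the web root) confirm whether the injected expression actually executed.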


Infosecurity reports: "Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor"

Submitted by Anonymous on