The Sliding Scale of Threat Actor Sophistication When Reacting to 0-day Vulnerabilities
Threat Telemetry Analysis for the Disclosure of CVE-2022-26134
Team Cymru’s S2 Research Team has highlighted why it is important for cyber defenders to address the critical window between 0-day discovery and the subsequent release of security patches. While malicious activity surges after the release of a POC, the most advanced and skilled threat actors are likely able to develop their own exploits and begin exploitation attempts soon after learning of a new vulnerability. The need to improve awareness of external digital assets and vulnerability management is driven by just how agile and fast sophisticated threat actor groups can be when news of an unpatched vulnerability reaches them. This research not only provides insights on a recent 0-day example, but shows that organizations which do not have control over their attack surface are more susceptible to breach than those taking proactive measures.
On 2 June 2022, Volexity published research following an incident response investigation conducted over the Memorial Day weekend (28 – 30 May 2022). During their investigation, the Volexity team uncovered a Confluence 0-day, now tracked as CVE-2022-26134, being exploited by what they believed to be Chinese state-linked threat actors.
Having identified that the initial infection vector was a remote code execution (RCE) exploit, Volexity analysts were able to recreate and identify the 0-day vulnerability, which, at the time of their reporting, affected all versions of Atlassian Confluence Server. After successful exploitation, further malicious activity included the use of the open source Behinder web server implant, the China Chopper webshell, and a custom file-upload shell.
Volexity provided 15 IP addresses which were used by the threat actors to interact with webshells on victim hosts; the initial purpose of this blog post is to provide further insight into these IPs.
Of the 15 IP IOCs, 11 were identified as VPN nodes, primarily associated with the Private Internet Access (PIA) and Surfshark services.
Caveat: Due to the occurrence of unrelated or benign activities, data derived from VPN nodes must be treated with a degree of caution when it comes to attribution. In an effort to increase confidence in our findings, we focused on scenarios where multiple IP IOCs were observed in communication with the same potential victim host.
Throughout this analysis, we chose to concentrate on communications involving port 8090, the default for Confluence Server instances, which was observed in the public ‘proof of concept’ exploit code.
Examining threat telemetry for the 15 IP IOCs, we were able to identify, with high confidence, nine organizations which were targeted on or around 26 May 2022. This activity was specifically associated with three of the IPs (18.104.22.168, 22.214.171.124, and 126.96.36.199), all of which were PIA VPN nodes.
The identified target organizations were spread across multiple sectors and regions, indicative of the threat actors moving to an opportunistic phase, potentially associated with more than one group. Given previous timelines for the exploitation of 0-day vulnerabilities, it is likely that the initial targeting and compromises occurred weeks or months prior to the elevated levels of activity observed at the end of May 2022.
The targeted organizations included several government departments, as well as private companies in the digital, higher education, information technology, and logistics and supply chain sectors. Victims were observed in Asia, Europe, and both North and South America.
In addition to the high confidence targets, seven medium/low confidence targets were identified where a specific organization could not be linked to the IP addresses observed. This was due to a lack of contextual information for these IPs, for example, passive DNS data.
With a set of potential victim organizations established, pivoting on a sample of the targeted IP addresses provides us with the opportunity to uncover additional malicious activities, knowing that these IPs host vulnerable Confluence servers.
When examining threat telemetry from the beginning of June 2022 onwards, it was noted that approximately half of the IP addresses ‘targeted’ by the threat actors described by Volexity were not observed in any additional communications over port 8090.
Visualizing the resulting data based on daily counts shows a clear spike in activity on 3 June 2022, which then mostly tapers off and stabilizes by 11 June 2022. While not all of this traffic is due to malicious activity, the first three days of June saw above average data volumes, coinciding with the public disclosure of CVE-2022-26134.
From this data there were 11 IP addresses (listed in the IOC section below) which stood out due to their numerous and broad range of potential targets. Pivoting on these IPs, we found that most of them had a history of exploiting/scanning for numerous vulnerabilities on a massive scale. We also found that six of these IPs were managed by the same threat actor and often used together in various campaigns related to vulnerability exploitation. Within the last 30 days some of the vulnerabilities that we observed targeted included CVE-2021-3129, CVE-2022-22947, CVE-2021-34535, and CVE-2021-41773. We also saw exploits for CVEs from as far back as 2013, another reminder that there is no cut-off point for the exploitation of vulnerable machines.
As shown in the chart below, this group of malicious IPs were most active on 2 June 2022. The results are slightly different from the previous dataset but share a common theme of an initial flood of activity around the time of disclosure, lasting approximately three days before levelling out.
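The two analytic steps described above, restricting flow telemetry to port 8090, keeping only destinations contacted by more than one IOC IP (the corroboration rule from the caveat), and then aggregating what remains into the daily counts that the charts plot, can be reproduced over flow records. The following is an added example written for this page, not code from Team Cymru or Volexity; the flow records are constructed from RFC 5737 documentation addresses and are not the report’s IOCs, and the field layout (timestamp, source, destination, destination port) is an assumption about how exported flow data is shaped.

```python
"""Flow-telemetry triage for a set of IP IOCs (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

CONFLUENCE_PORT = 8090  # default Confluence Server port, the filter used in the text

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port).
# Addresses are from RFC 5737 documentation ranges; they are NOT the report's IOCs.
SAMPLE_FLOWS = [
    ("2022-05-26T09:12:00Z", "192.0.2.10", "203.0.113.5", 8090),
    ("2022-05-26T09:14:00Z", "192.0.2.11", "203.0.113.5", 8090),
    ("2022-05-26T10:01:00Z", "192.0.2.12", "203.0.113.5", 8090),
    ("2022-05-26T11:30:00Z", "192.0.2.10", "203.0.113.20", 8090),  # only one IOC contacts it
    ("2022-05-26T12:00:00Z", "192.0.2.11", "203.0.113.30", 443),   # not the Confluence port
    ("2022-06-03T08:00:00Z", "192.0.2.12", "203.0.113.40", 8090),
    ("2022-06-03T08:05:00Z", "192.0.2.10", "203.0.113.40", 8090),
    ("2022-06-03T09:00:00Z", "198.51.100.7", "203.0.113.5", 8090), # source is not an IOC
    ("2022-06-04T08:00:00Z", "192.0.2.12", "203.0.113.50", 8090),
]
# Constructed IOC set standing in for the VPN-node addresses discussed in the text.
IOC_SOURCES = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def ioc_flows(flows, iocs, port=CONFLUENCE_PORT):
    """Keep only flows from an IOC source to the Confluence port."""
    return [f for f in flows if f[1] in iocs and f[3] == port]


def corroborated_targets(flows, iocs, min_sources=2, port=CONFLUENCE_PORT):
    """Destinations contacted on `port` by at least `min_sources` distinct IOC IPs.

    VPN-node IOCs also carry benign traffic, so a single IOC contact is weak
    evidence; several distinct IOCs hitting the same host is much stronger.
    """
    sources = defaultdict(set)
    for _, src, dst, _ in ioc_flows(flows, iocs, port):
        sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


def daily_counts(flows, iocs, port=CONFLUENCE_PORT):
    """Per-day count of IOC-to-port flows: the series plotted to spot a spike."""
    counts = Counter()
    for ts, _, _, _ in ioc_flows(flows, iocs, port):
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        counts[day] += 1
    return dict(sorted(counts.items()))


def peak_day(counts):
    """Day with the highest count; ties resolve to the earliest day."""
    return max(sorted(counts), key=counts.__getitem__) if counts else None


def above_average_days(counts):
    """Days whose volume exceeds the mean over the observed days."""
    if not counts:
        return []
    threshold = mean(counts.values())
    return [day for day, n in counts.items() if n > threshold]


if __name__ == "__main__":
    targets = corroborated_targets(SAMPLE_FLOWS, IOC_SOURCES)
    for dst, srcs in targets.items():
        print(f"{dst} contacted on {CONFLUENCE_PORT} by {len(srcs)} IOC IPs: {', '.join(srcs)}")
    series = daily_counts(SAMPLE_FLOWS, IOC_SOURCES)
    print("daily counts:", series)
    print("peak day:", peak_day(series), "| above average:", above_average_days(series))
```

With the constructed records, only two destinations survive the corroboration rule; the host reached by a single IOC, the non-8090 flow, and the non-IOC source are all dropped, which is the intended behaviour given the attribution caveat. Raising `min_sources` trades recall for confidence in the same way the text does when it separates high from medium/low confidence targets.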
Up to this point, our research has been limited to a small and specific sample of targeted IPs, and from the previous line graphs it would be easy to assume that interest was limited to the first three days of June 2022. In order to obtain a larger dataset (to improve the accuracy of threat telemetry sampling), we used Shodan to identify IP addresses that were shown as potentially vulnerable to the 0-day. As previously, we focused on telemetry for port 8090 from the beginning of June 2022 onwards.
With a broader sampling of data, we observed that the peak in activity post-disclosure happened on 6 June 2022, later than the previous datasets (and more in line with general information security community observations). Additionally, it appeared that data volumes did not tail-off in the same way, with elevated levels of activity continuing from the initial peak.
One hypothesis could be that the threat actors responsible for the activities observed in our initial limited sample were more skilled and therefore possessed a quicker reaction time to the announcement of a ‘new’ vulnerability. Conversely, in our larger sample, we potentially observed lesser skilled threat actors (a ‘feeding frenzy’) utilizing the publicly disseminated proof-of-concept (POC) exploit code which emerged in the days after the initial disclosure.
Temporary mitigations should be explored to limit successful early exploitation by higher skilled threat actors, while awaiting the publication of a POC and for patch cycles to catch up.
While traditional incident response would place this issue in the remediation phase, based on an organization’s own detections and its context of the threat, note that the malicious behavior experienced by one organization is not indicative of the wider threat landscape or the overall risk of exploitation.
Consider reviewing your existing, or deploying a new, Attack Surface Management Platform. The goal is to gain full visibility of security weaknesses across your external digital assets. Use Cases are highlighted here.
Assess how your team currently becomes aware of new and emerging exploits and vulnerabilities. Explore methods that could bring critical information to their attention sooner and give you and your team an advantage.