Hackers Exploit Atlassian Confluence Vulnerability to Deploy New ‘Ljl’ Backdoor
Cybersecurity experts from Deepwatch spotted activity from threat actors (TA) that “highly likely” exploited a security flaw in the Atlassian Confluence server (CVE-2022-26134) to deploy a new backdoor dubbed “Ljl” against a number of unnamed organizations.
Deepwatch’s Adversary Tactics and Intelligence group (ATI) described the findings in an advisory published on Tuesday.
After gaining initial access, the TA, dubbed TAC-040, is believed to have run various commands to enumerate the local system, the network and the Active Directory environment.
Additionally, Deepwatch said the TA likely used RAR and 7zip to archive files and folders from multiple directories, including registry hives.
According to network logs, TAC-040 exfiltrated a total of around 700 MB of archived data before the victim took the server offline.
Before disconnecting, however, the TA is believed to have dropped a never-before-seen backdoor, called “Ljl Backdoor”, onto the compromised server.
“TAC-040 has the capability to create or access custom, never-before-seen malware,” the advisory reads.
In terms of the motives behind the attacks, Deepwatch said they were likely espionage-related, but the company cannot completely rule out a financial motive, since it also spotted a loader for an XMRig cryptocurrency miner on the system.
Targets of TAC-040 were organizations that conduct research in healthcare, education, international development, and environmental and agricultural fields, as well as some that provide technical services.
For context, the Atlassian vulnerability suspected to have been exploited by TAC-040 is an Object-Graph Navigation Language (OGNL) injection bug that allows for arbitrary code execution on a Confluence Server or Data Center instance.
The issue was addressed by Atlassian in June, but this is not the first time since then that unpatched systems have been exploited by hackers.
For instance, in July Microsoft’s Security Intelligence team said it had spotted a campaign by TA 8220 targeting i686 and x86_64 Linux systems that used RCE exploits for CVE-2022-26134 and CVE-2019-2725 (Oracle WebLogic) for initial access.
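One defensive check a practitioner would want for the OGNL injection described above is a sweep of the Confluence front-end access log for requests carrying OGNL expression markers. The example below is added here and is not from the article, Deepwatch or Atlassian; it assumes Common Log Format lines, it assumes (as public analyses of CVE-2022-26134 reported, though the article does not say so) that the injected expression travels in the request path, and the sample lines are constructed with a harmless placeholder expression.

```python
import re
from urllib.parse import unquote

# OGNL expression markers as they would appear in a request path, raw or URL-encoded.
# Assumption (not stated in the article): the injected expression travels in the
# URI path, so the path is the field inspected here.
OGNL_MARKER = re.compile(r"\$\{|%24%7B", re.IGNORECASE)

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it is not CLF."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def is_ognl_probe(path):
    # Test the raw path (catches both plain and percent-encoded markers) and a
    # URL-decoded copy, so one layer of encoding cannot hide the marker.
    return bool(OGNL_MARKER.search(path)) or "${" in unquote(path)

def find_ognl_requests(lines):
    """Return (client, path, status) for every line whose path looks like an OGNL probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_ognl_probe(rec["path"]):
            hits.append((rec["client"], rec["path"], rec["status"]))
    return hits

# Constructed sample lines (not real traffic). The expression in lines two and
# three is a harmless placeholder, not a working payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 1532',
    '198.51.100.7 - - [03/Aug/2022:10:01:09 +0000] "GET /${placeholder}/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Aug/2022:10:01:11 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Aug/2022:10:02:40 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 9031',
]

if __name__ == "__main__":
    for client, path, status in find_ognl_requests(SAMPLE_LOG):
        print(f"{client} requested {path} -> HTTP {status}")
```

A hit on a server that was unpatched at the time of the request is the trigger for the host-level review the article describes: enumeration commands, archive tooling such as RAR or 7zip, and unexpected outbound volume.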