Hackers Exploit Atlassian Confluence Vulnerability to Deploy New ‘Ljl’ Backdoor

Cybersecurity experts from Deepwatch spotted activity from threat actors (TA) that “highly likely” exploited a security flaw in the Atlassian Confluence server (CVE-2022-26134) to deploy a new backdoor dubbed “Ljl” against a number of unnamed organizations.
Deepwatch’s Adversary Tactics and Intelligence group (ATI) described the findings in an advisory published on Tuesday.
After gaining initial access, the TA, dubbed TAC-040, would have run various commands to enumerate the local system, network and Active Directory environment.
Additionally, Deepwatch said the TA likely used RAR and 7zip to archive files and folders from multiple directories, including registry hives.
According to network logs, TAC-040 exfiltrated a total of around 700 MB of archived data before the victim took the server offline.
Before disconnecting, however, the TA would have dropped a never-before-seen backdoor, called “Ljl Backdoor” onto the compromised server.
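The sequence described above (archiving with RAR/7zip under the web process, then a large outbound transfer) is something a defender can hunt for. The script below is an added example, not code from Deepwatch or the advisory; the process events and flow records are constructed sample data, the parent-image names for the Confluence JVM are assumed, and the 500 MB threshold is an arbitrary cut-off chosen below the ~700 MB reported.

```python
from collections import defaultdict

# Constructed process-creation events: (host, parent_image, image, command_line)
PROCESS_EVENTS = [
    ("confluence01", "java.exe", "cmd.exe", "cmd /c whoami"),
    ("confluence01", "java.exe", "rar.exe", "rar a C:\\Windows\\Temp\\h.rar C:\\Windows\\System32\\config\\SAM"),
    ("confluence01", "java.exe", "7z.exe", "7z a C:\\Windows\\Temp\\d.7z C:\\Users\\"),
    ("fileserver02", "explorer.exe", "7z.exe", "7z a backup.7z D:\\Shares\\"),
]

# Constructed flow records: (src_host, dst_ip, bytes_out); 203.0.113.0/24 is documentation space
FLOW_RECORDS = [
    ("confluence01", "203.0.113.10", 450_000_000),
    ("confluence01", "203.0.113.10", 260_000_000),
    ("fileserver02", "198.51.100.5", 30_000_000),
]

ARCHIVERS = {"rar.exe", "7z.exe", "7za.exe", "winrar.exe"}
WEB_PARENTS = {"java.exe", "tomcat9.exe"}  # assumed parent names for the Confluence JVM
HIVE_MARKERS = ("system32\\config\\", "ntuser.dat")  # on-disk registry hive locations
EGRESS_THRESHOLD = 500_000_000  # ~500 MB, chosen below the ~700 MB the advisory reports

def archiver_spawned_by_web(events):
    """Archive tools launched by the web/JVM parent; note whether a hive path is touched."""
    hits = []
    for host, parent, image, cmdline in events:
        if parent.lower() in WEB_PARENTS and image.lower() in ARCHIVERS:
            touches_hive = any(m in cmdline.lower() for m in HIVE_MARKERS)
            hits.append((host, image, touches_hive))
    return hits

def egress_over_threshold(flows, threshold=EGRESS_THRESHOLD):
    """Sum outbound bytes per (src, dst) pair and return the pairs at or above threshold."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold}

def correlate(events, flows):
    """Hosts where both signals fire: archiving from the web process and a large transfer."""
    archiving_hosts = {host for host, _, _ in archiver_spawned_by_web(events)}
    return sorted(src for (src, _) in egress_over_threshold(flows) if src in archiving_hosts)

if __name__ == "__main__":
    print(archiver_spawned_by_web(PROCESS_EVENTS))
    print(egress_over_threshold(FLOW_RECORDS))
    print(correlate(PROCESS_EVENTS, FLOW_RECORDS))
```

Only confluence01 trips both signals; the file server's 7z job has a desktop parent and a small transfer, so it is left alone.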
“TAC-040 has the capability to create or access custom, never-before-seen malware,” the advisory reads.
In terms of the motives behind the attacks, Deepwatch said they were likely espionage-related, but the company cannot completely rule out that they were financially motivated, since it said it also spotted a loader for an XMRig crypto miner on the system.
Targets of TAC-040 were organizations that conduct research in healthcare, education, international development, and environmental and agricultural fields, as well as some that provide technical services.
For context, the Atlassian vulnerability suspected to have been exploited by TAC-040 is an Object-Graph Navigation Language (OGNL) injection bug that allows for arbitrary code execution on a Confluence Server or Data Center instance.
The issue was addressed by Atlassian in June, but this is not the first time since then that unpatched systems have been exploited by hackers.
For instance, in July Microsoft’s Security Intelligence team said it spotted a campaign by TA 8220 targeting i686 and x86_64 Linux systems that used RCE exploits for CVE-2022-26134 and CVE-2019-2725 (Oracle WebLogic) for initial access.