Full Report
Researchers observed a new attack chain exploiting CVE-2023-22527. The attack deploys an in-memory, fileless backdoor based on the Godzilla webshell. Godzilla encrypts its command traffic with AES and lives only in memory, which makes it hard to identify with disk-based tooling. It is recommen...
Analysis Summary
# Vulnerability: Godzilla Backdoor Exploiting Confluence RCE (CVE-2023-22527)
## CVE Details
- CVE ID: CVE-2023-22527
- CVSS Score: 10.0 (Critical)
- CWE: Not stated in the source. The underlying bug is described as template injection leading to code execution, which maps to CWE-94 (Improper Control of Generation of Code, "Code Injection"); the broader injection class is CWE-74.
## Affected Systems
- Products: Atlassian Confluence Data Center and Server
- Versions: Not detailed in the source text. Atlassian's advisory for CVE-2023-22527 lists Confluence Data Center and Server 8.0.x through 8.5.3 as affected; verify the exact range against the current advisory before acting on it.
- Configurations: No special configuration is needed. The flaw is exploitable by an unauthenticated, remote attacker against any network-reachable vulnerable instance.
## Vulnerability Description
The Godzilla backdoor itself is not a vulnerability; it is the post-exploitation payload of a campaign whose entry point is **CVE-2023-22527**, a template injection flaw in Confluence that gives an unauthenticated attacker Remote Code Execution (RCE). In the observed campaign the attacker uses that RCE to evaluate OGNL expressions that load JavaScript into the Confluence server's JVM. The script reads and manipulates attacker-supplied request parameters and then injects a custom valve into the Tomcat pipeline, so that requests to the server pass through attacker-controlled code; that valve is what serves the **Godzilla webshell**. Because the valve is created in memory by the script, no webshell file is written to disk.
## Exploitation
- Status: Exploited in the wild (Observed campaign)
- Complexity: Low (the entry point is an unauthenticated, network-reachable RCE; the in-memory implant is deployed in the same request flow)
- Attack Vector: Network
## Impact
- Confidentiality: High (Due to established backdoor access)
- Integrity: High (Due to established backdoor access and potential system manipulation)
- Availability: High (Due to established backdoor access and potential system manipulation)
## Remediation
### Patches
- Specific patch versions were **not provided** in the source text. Atlassian's advisory for CVE-2023-22527 names 8.5.4 (LTS) and later as fixed releases; consult the advisory for the exact fix versions and upgrade. Restarting the JVM removes the in-memory valve but does not close the entry point, so a restart is not a substitute for the patch.
### Workarounds
- The source describes no workaround that prevents exploitation; treat patching as the fix and limit network exposure of unpatched instances in the meantime.
- If indicators of compromise are identified, do not rely on deleting artifacts: the backdoor is memory-resident, so there may be no file to remove, and the attacker can re-exploit an unpatched host as soon as the process restarts. **Redeploy the workload from a known clean image on a patched version**, rotate credentials and tokens the compromised instance held, and review for additional persistence.
## Detection
- Detection Focus: What sets this deployment apart is that the **Godzilla webshell** runs as an **in-memory fileless backdoor** (a Tomcat valve created at runtime) and uses **AES encryption** for its communication, so file-integrity monitoring and webshell scanners that look for JSP or class files on disk will not see it.
- Indicators of Compromise: Exploitation requests against the Confluence template/OGNL injection path; script-engine and reflection activity in the Confluence JVM immediately after such a request; and valves in the Tomcat pipeline that do not belong to Tomcat or Confluence, for example a valve whose class was not loaded from a JAR on disk or whose class name is outside the org.apache.catalina and Atlassian packages.
- Detection Methods and Tools: Disk-based analysis may fail outright. Acquire a memory image or heap dump of the Confluence JVM and inspect the Tomcat pipeline and the set of loaded classes; analyze network traffic to the instance for POST beacons carrying base64-wrapped AES payloads; and alert on unusual process activity originating from the Confluence Java/Tomcat process, such as unexpected child processes.
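As an added example, not code from the Trend Micro report or from any Godzilla source, the Python helpers below show how an analyst can triage captured HTTP response bodies for Godzilla's AES framing without having a decryption key. They rely on the structure of Godzilla's stock Java AES/Base64 shell template, in which every response is `md5[:16] + base64(AES(result)) + md5[16:]` with `md5 = MD5(password + MD5(key)[:16])` in uppercase hex; the example assumes the in-memory valve variant described on this page keeps that framing (the page does not say), and the sample bodies are constructed with fake ciphertext.

```python
"""Triage helpers for Godzilla-style AES webshell responses (added example).

Assumption: the response envelope is the one used by Godzilla's stock Java
AES/Base64 template, i.e.  md5[:16] + base64(ciphertext) + md5[16:], where
md5 = hex MD5(password + xc) in uppercase and xc = hex MD5(key)[:16].
Java's BigInteger.toString(16) drops leading zeros, so the digest can be
31 characters long; the suffix is then 15 characters. No decryption is
performed, so only the standard library is needed.
"""
import base64
import hashlib
import re
from typing import List, Optional, Tuple

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def godzilla_digest(password: str, key: str) -> str:
    """Reproduce the shell's md5 string for a password/key pair."""
    xc = hashlib.md5(key.encode()).hexdigest()[:16]
    digest = hashlib.md5((password + xc).encode()).hexdigest().upper()
    return digest.lstrip("0") or "0"  # mimic BigInteger.toString(16)


def split_envelope(body: str) -> Optional[Tuple[str, str, str]]:
    """Return (prefix, base64_payload, suffix) if the body has Godzilla's
    framing, else None. Tries a 16- then a 15-character hex suffix."""
    body = body.strip()
    for suffix_len in (16, 15):
        if len(body) < 16 + suffix_len + 4:
            continue
        prefix, middle, suffix = body[:16], body[16:-suffix_len], body[-suffix_len:]
        if not (HEX_RE.match(prefix) and HEX_RE.match(suffix)):
            continue
        # Java's Base64 encoder pads, so a real payload is a multiple of 4.
        if len(middle) % 4 != 0 or not B64_RE.match(middle):
            continue
        try:
            base64.b64decode(middle, validate=True)
        except ValueError:
            continue
        return prefix, middle, suffix
    return None


def matches_credentials(body: str, password: str, key: str) -> bool:
    """True if prefix+suffix equals the digest derived from these credentials,
    i.e. the response came from a shell configured with them."""
    parts = split_envelope(body)
    if parts is None:
        return False
    prefix, _, suffix = parts
    return (prefix + suffix) == godzilla_digest(password, key)


def build_envelope(ciphertext: bytes, password: str, key: str) -> str:
    """Build a body the way the shell does. Used only to construct sample
    traffic here; 'ciphertext' stands in for real AES output."""
    digest = godzilla_digest(password, key)
    return digest[:16] + base64.b64encode(ciphertext).decode() + digest[16:]


def triage_responses(responses: List[str],
                     credentials=(("pass", "key"),)) -> List[Optional[str]]:
    """Classify each captured response body as 'godzilla-known-creds:<p>/<k>',
    'godzilla-envelope' (framing matches, credentials unknown) or None."""
    verdicts: List[Optional[str]] = []
    for body in responses:
        verdict = None
        if split_envelope(body) is not None:
            verdict = "godzilla-envelope"
            for password, key in credentials:
                if matches_credentials(body, password, key):
                    verdict = "godzilla-known-creds:%s/%s" % (password, key)
                    break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    # Constructed samples: a default-credential shell response, an ordinary
    # page, and a shell with custom credentials. Ciphertext bytes are fake.
    samples = [
        build_envelope(b"\x10" * 32, "pass", "key"),
        "<html><body>Confluence dashboard</body></html>",
        build_envelope(b"\x20" * 48, "s3cret", "k3y"),
    ]
    for body, verdict in zip(samples, triage_responses(samples)):
        print(verdict, body[:40])
```

Once a response matches a known password/key pair, the payload can be decrypted offline: the stock template calls `Cipher.getInstance("AES")` with the 16 ASCII bytes of `xc` as the key, which in the JDK means AES/ECB/PKCS5Padding. The block deliberately stops at framing and credential confirmation so it runs with the standard library alone; a custom-credential shell still shows up as `godzilla-envelope`, which is usually enough to escalate to memory acquisition of the Confluence JVM.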
## References
- Vendor Advisories: Refer to Atlassian security advisories for CVE-2023-22527.
- Relevant Links:
- https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html