Full Report
On 2024-02-20, a campaign was reported, involving an unknown actor, gaining initial access via 1-day vulnerability, while using SSH propagation, targeting Confluence Server to achieve Resource hijacking. The following tools were observed: SSH-Snake.
Analysis Summary
# Incident Report: Confluence Server Resource Hijacking via SSH-Snake Campaign
## Executive Summary
A campaign, observed publicly on February 20, 2024, leveraged a 1-day vulnerability on Confluence Servers for initial access. The threat actor utilized SSH propagation techniques, employing the tool **SSH-Snake**, to achieve resource hijacking. Remediation steps and lessons learned focus on timely patch management and hardening SSH access.
## Incident Details
- **Discovery Date:** February 20, 2024 (Date of public reporting)
- **Incident Date:** Unknown prior to February 20, 2024
- **Affected Organization:** Information not disclosed (Described as a general campaign targeting Confluence Server users)
- **Sector:** Not explicitly stated (Likely any sector running vulnerable Confluence Server deployments)
- **Geography:** Not specified
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, exploiting a 1-day vulnerability leading up to Feb 20, 2024.
- **Vector:** Exploitation of a recently disclosed **1-day vulnerability** in Confluence Server.
- **Details:** The attacker used the flaw to gain a foothold.
### Lateral Movement
- **Technique:** **SSH Propagation**. The attacker used compromised credentials or established SSH access to move laterally within the network or between different systems.
- **Tool Used:** **SSH-Snake** (observed tool, likely facilitating propagation/resource hijacking).
### Data Exfiltration/Impact
- **Impact:** **Resource Hijacking**. The primary goal was to gain unauthorized control or use of target system resources, rather than explicit data exfiltration (though data theft might have been a secondary goal).
### Detection & Response
- **Discovery:** Identified through threat intelligence reporting on the emerging campaign.
- **Response actions taken:** Not detailed in the source material, but involved recognizing the threat indicators associated with the SSH-Snake usage.
## Attack Methodology
- **Initial Access:** Exploitation of a **1-day vulnerability** in Confluence Server.
- **Persistence:** Not explicitly detailed, but likely involved creating new SSH keys or user accounts facilitated by SSH-Snake.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed, though leveraging SSH implies credential compromise or key deployment.
- **Discovery:** Not detailed.
- **Lateral Movement:** **SSH Propagation**.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed.
- **Impact:** **Resource Hijacking**.
## Impact Assessment
- **Financial:** Unknown.
- **Data Breach:** Unknown.
- **Operational:** Compromise of server resources, potential for use in larger botnets or cryptocurrency mining.
- **Reputational:** Potential damage if specific customer environments were publicly compromised.
## Indicators of Compromise
- **Network indicators:** Unknown/Not specified.
- **File indicators:** Presence of the **SSH-Snake** tool/scripts.
- **Behavioral indicators:** Unusual outbound network activity related to SSH connections (if used for command-and-control or lateral movement).
## Response Actions
*Based on standard best practices for this type of incident, as specific actions were not in the source:*
- **Containment measures:** Isolating impacted Confluence and related servers; revoking/disabling all compromised SSH keys/credentials.
- **Eradication steps:** Applying the vendor patch for the 1-day vulnerability; scanning systems for unauthorized SSH keys; removing the SSH-Snake deployment artifacts.
- **Recovery actions:** Restoring services from known-good backups if necessary; monitoring for recurrence.
## Lessons Learned
- **Key takeaways:** Unpatched, internet-facing applications (like Confluence Server) remain a primary initial access vector, even for zero-day or 1-day vulnerabilities.
- **What could have been done better:** Faster patching cadence—the vulnerability was exploited as a "1-day." Stronger controls around SSH access (e.g., disabling password authentication, restricting source IPs) could have hampered propagation.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately apply vendor patches for all critical, internet-facing software (Confluence, Jira, etc.) upon release.
2. Implement robust monitoring for new or unauthorized SSH key creation across the environment.
3. Restrict SSH access using strict IP whitelisting where possible.
4. Review and harden all default configurations related to SSH, especially on public-facing servers.