Context Background
Atlassian has published a security advisory CVE-2022-26134 on June 2, for its Confluence Server and Data Center, regarding zero-day vulnerability. Several customer environments were being compromised with the unauthenticated activity and for which patches were released on June 3 as part of a makeshift solution.
Such a Java vulnerability causes a volatile situation during which a server comes under direct attack. With this exposure, organizations experience data infiltration and other security issues through remote code execution (RCE) resulting in an unauthorized exploitation.
The Impact
If left ignored or unnoticed, the threat actor might make use of the RCE to forcefully induce malware or ransomware to lock or steal data. The impact varies in magnitude and affects at various levels in an organization.
- Server Level – At the server level, this vulnerability creates a devastating effect by completely manipulating the server configurations and settings.
- Domain Level – The infrastructure will be exposed to attacks, eventually resulting in the complete takeover of the customer’s domain.
By injecting Object-Graph Navigation Language (OGNL) into a customer’s development framework, an arbitrary code would be executed making the entire system highly exposed to attacks.
A Constructive Approach for Risk Mitigation & Threat Analysis
CVE-2022-26134, the critical RCE vulnerability, affects all the supported versions of Atlassian Confluence Server and Data Center. In the event, the above patches could not be applied, it is advisable to limit or disable access to the instances.
System-41, a product of Loginsoft, offers Threat Hunting and Detection Rules in “Sigma” (a generic and open signature format) and which later can be converted to any SIEM. The analytics developed will also be validated and the logs used for validation will be preserved for reference. These curated rules will make it easy to analyze various logs as part of identifying a suspicious action or threat across Windows and Linux Operating Systems.
Now, let us try to answer these questions:
- What does the System-41 rule detect in CVE-2022-26134?
- Which logs to look for based on the operating system or server?
What Is detected?
System-41 rule detects suspicious activities, real threats, and any vulnerabilities that hamper proper functioning of your business at server level, network level or OS level.
How is it detected?
Different types of logs are examined during the process of threat identification. These logs differ from one another based on the OS or server.
For instance, the below System-41 rule is written for webserver to observe logs and identify possible threats.
• System-41 rule for webserver
In the above rule, the logs to be analyzed are detailed from Line 18 to 21. Any unusual activity detected in the Confluence server based on the examination of these logs would be reported. Alternatively, the detection would take place only if the URI contains any of the parameters defined from Line 18 to 21.
Similarly, there are System-41 rules for Windows and Linux as detailed below.
• System-41 rule for Windows
In the above rule, the elements of the map are linked with the logical AND. Next, the image of the process would be matched with that of the parent image. The detection takes place when a log contains the specified image paths.
• System-41 rule for Linux
The rule above helps in detecting suspicious process activities in Linux if any of the logs contain requests like ‘curl’ and ‘wget’ in the command line.
Conversion of System-41 rule to SIEM query
Converting the System-41 rule to any SIEM query, it is necessary to include certain parameters like:
- the target SIEM
- a configuration file
- the path
With the inclusion of the above parameters, the command line appears as depicted below.
./sigmac –t <target> -c <path to the configuration file> <path to the rule>
Conclusion
Loginsoft’s team has conducted a detailed research to evolve at solutions that will help in protecting data, be it, on Windows or Linux. System-41 is a threat detection platform from Loginsoft aimed to keep data safe and mitigate risk.
About System-41:
- A threat analytics tool to detect emerging threats, exploits in Wild, latest adversary techniques & malware.
- All the analytics developed will also be validated and the logs used for validation will be preserved for reference.
- The analytics will be developed in “Sigma” (a generic and open signature format) and can be converted to any SIEM queries later.
- With System-41, an enterprise can quickly find the detection of adversary behavior and stream the rules into their workflow.
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
Interested to learn more? Let’s start a conversation.
