Remote Code Execution (RCE) describes the execution of arbitrary code on a computer system where the attacker does not have direct access to the console. By exploiting security holes, a hacker can remotely take full control of the system. This is the case with security gaps in Confluence and Azure.
For example, any user with access to an endpoint running a vulnerable software version can execute any command via an HTTP request, with no authorization header required. The expected response to such a request would be a 401 "Unauthorized" page. Instead, the user can execute commands with "root" rights. Threats of this kind were already identified during the Equifax attack in 2017.
Two recently revealed vulnerabilities are the latest developments in this type of attack: the Atlassian Confluence OGNL injection vulnerability and a vulnerability affecting the Azure Open Management Infrastructure (OMI). Barracuda security researchers analyzed attacks that attempted to exploit these vulnerabilities over a period of 45 days in August and September 2021 and identified attack spikes that originated from more than 500 individual attacker IPs. These vulnerabilities, the latest attack patterns, and solutions that organizations can use to protect themselves against these types of attacks are discussed in more detail below.
Confluence and Azure vulnerabilities in detail
1. Atlassian Confluence OGNL injection vulnerability
The Atlassian Confluence OGNL injection vulnerability was first disclosed by Atlassian on August 25, 2021. Shortly thereafter, it was added to the National Vulnerability Database (CVE-2021-26084). This vulnerability allows threat actors to send a "POST" request through the Confluence template engine without an authorization header, which gives the threat actor "root" access to the system. The attackers can inject Java code via the "queryString" and "linkCreation" parameters.
Atlassian has announced that "all versions of Confluence Server and Data Center prior to the fixed versions are affected by this vulnerability." Exploitation attempts skyrocketed and continue to grow, as many Confluence users are still running a vulnerable version of the software.
2. Security vulnerability in Azure Open Management Infrastructure (OMI)
Azure published CVE-2021-38647 on September 15, 2021. This vulnerability affects the Azure Open Management Infrastructure (OMI). Azure OMI is a software agent that is silently preinstalled and used in cloud environments. This silent installation puts Azure customers at risk until they update their systems to the latest version of OMI.
Attackers target these systems by sending a specially crafted HTTPS message to one of the ports listening for OMI traffic (ports 1270/5985/5986), which gives the attacker initial access to the computer. The commands sent by the attacker are executed by the SCXcore service, which is what makes the vulnerability exploitable. The attacker can pass a command without an authorization header to the computer; the OMI server classifies it as trustworthy and grants the attacker "root" access to the system. Microsoft stated on its blog: "The ExecuteShellCommand RunAsProvider executes every UNIX/Linux command via the shell /bin/sh."
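As an added illustration (not from the article or from Barracuda), the following triage filter applies the two tells the article gives to proxy or WAF logs: a Confluence POST whose queryString or linkCreation parameter carries an expression opener, and a request to one of the OMI ports with no Authorization header. The log record schema, the sample traffic and the request paths are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Ports the article names as listening for OMI traffic (CVE-2021-38647).
OMI_PORTS = {1270, 5985, 5986}
# Parameters the article names as the injection vector for CVE-2021-26084.
CONFLUENCE_PARAMS = {"queryString", "linkCreation"}
# Expression openers "${" or "%{"; parse_qs percent-decodes, so encoded forms match too.
EXPR_MARKER = re.compile(r"[$%]\{")

@dataclass
class Request:
    """One request as a reverse proxy or WAF might log it (constructed schema)."""
    method: str
    dst_port: int
    url: str        # path plus query string
    body: str       # form-encoded body, empty for GET
    has_auth: bool  # True if an Authorization header was present

def confluence_injection(req: Request) -> bool:
    """POST whose queryString/linkCreation value carries an expression opener."""
    if req.method != "POST":
        return False
    params = parse_qs(urlparse(req.url).query, keep_blank_values=True)
    for name, values in parse_qs(req.body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return any(EXPR_MARKER.search(v)
               for name in CONFLUENCE_PARAMS for v in params.get(name, []))

def omi_unauthenticated(req: Request) -> bool:
    """Request to an OMI port with no Authorization header at all."""
    return req.dst_port in OMI_PORTS and not req.has_auth

def triage(requests):
    """Return (rule, detail) pairs for every request matching one of the two checks."""
    findings = []
    for r in requests:
        if confluence_injection(r):
            findings.append(("confluence-ognl", r.url))
        if omi_unauthenticated(r):
            findings.append(("omi-no-auth", f"port {r.dst_port} {r.url}"))
    return findings

# Constructed sample traffic: a benign Confluence page view, a POST whose
# queryString holds a placeholder expression, and OMI requests with and without auth.
SAMPLE = [
    Request("GET", 8090, "/confluence/pages/view.action?pageId=123", "", True),
    Request("POST", 8090, "/confluence/pages/example.action",
            "queryString=%24%7Bplaceholder%7D", False),
    Request("POST", 5986, "/wsman", "", True),
    Request("POST", 5986, "/wsman", "", False),
]
```

The OMI check is deliberately coarse: a request to these ports without any Authorization header is a triage signal to correlate with the OMI version on the host, not a verdict on its own.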
Attackers target precisely those vulnerabilities
When evaluating data from Barracuda systems from mid-September, Barracuda's security researchers found a sharp increase in the number of attackers attempting to exploit this security gap. After the initial spike on September 18, the number of attempted attacks decreased, but attacks continued and then leveled off over time.
Barracuda's analysis of the attacks over the 45-day period in August and September identified 550 unique attacker IPs attempting to exploit the Atlassian Confluence vulnerability and 542 unique attacker IPs attempting to exploit the Azure OMI Exploit vulnerability. There were several attackers behind each IP, which means that the number of attacks was significantly higher than the number of IPs. The researchers uncovered this information using client fingerprinting and other techniques.
Analysis shows where most of the attacker IPs are located
As can be seen from the heat map above, most of the attacker IPs are in the US, including Alaska. This could be due to the fact that most of the server farms are located in these regions. Attacks have also been sent from countries such as Russia, the United Kingdom, Poland and India. Attackers around the world are trying to exploit these vulnerabilities, and organizations need to be one step ahead to protect their web applications.
Businesses should protect web applications
With the increasing number of vulnerabilities in web applications, it is becoming more and more complex to arm yourself against attacks. However, there are now complete solutions that protect web applications against exploitation of these vulnerabilities. WAF / WAF-as-a-Service solutions, also known as WAAP (Web Application and API Protection) services, can help protect web applications by providing all the latest security protections in a single, easy-to-use product.
The need for a WAF-as-a-Service or WAAP solution has never been greater than it is today, as many employees work remotely and many applications are online. Organizations need to make sure they have a solution that includes bot mitigation, DDoS protection, and API security.
More at Barracuda.com
About Barracuda Networks: Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.