More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence
2024-10-29 13:0:0 Author: securityboulevard.com(查看原文) 阅读量:2 收藏

By Josh Varden and Cobi Aloia, Cofense Phishing Defense Center

Recently, the Cofense Phishing Defense Center (PDC) has seen an increase in malicious emails utilizing legitimate third-party business software to evade detection while maintaining a high level of deception. In this instance, the collaboration and project management platform Atlassian is being used to host malicious content via their domain, in a technique often referred to as domain or platform abuse. In this blog, we will discuss the ins and outs of how threat actors lure victims into using these techniques and aim to steal their credentials to access critical employee information and business infrastructure. 

Recent Data from the PDC has shown multiple examples of threat actors using trusted company domains to hide malicious content within forms, pages, URLs, etc. Some of these include Canva, SharePoint, and DocuSign. Atlassian’s software, Confluence, is being abused by threat actors to leverage a false sense of security by using the company’s reputable presence as a trusted domain within the corporate space.  

VirtualPicture1.png

Figure 1: Email Body

AWS

AWS Hub

The body of the email remains cut and dry, asking the recipient to review an attached document emailed on a specific date. Attached is a Microsoft Excel document claiming to be from a potential business partner. This directly relates to the subject of the email citing a proposal, making it seem more likely that this is a legitimate attachment. Other notable items in the body of the email include social media URLs that lead to the potential partner’s Facebook page, Instagram, LinkedIn, and X profiles. These links, as well as the aforementioned branding of the email, help enforce a deceptive narrative that this email is from a real prospect and thus, trustworthy. 

The email uses social engineering tactics to urge the recipient to click on the attachment in the message by asking them to “Please see attached.” There is a slight sense of urgency to the email by using the acronym “FYI” (for your information) in large, capitalized text. By also giving a date in the text body, it forces the user to decide whether to click on the included attachment or potentially frustrate a customer or vendor by not responding promptly. 

VirtualPicture1.png

Figure2: Attachment

The attachment for this email is an Excel file (.xls) that, upon opening, would present the user with a DocuSign branded image, displaying “You’ve received a document, review and sign.” Below the image is a hyperlink that reads, “REVIEW NEW DOCUMENT.” By clicking the hyperlink, the user is redirected to the Atlassian domain, where the threat actor leverages the Atlassian product Confluence – a wiki designed for corporations.

VirtualPicture1.png

Figure 3: Phishing Page

Above in Figure 3 is the Confluence redirect page that the user is redirected to through the initial email’s Excel file.  Exploiting the Atlassian domain, the threat actor is attempting to bypass SEGs (secure email gateways) or other email security measures that could block incoming threats. In this instance, and in many others, this tactic of using trusted domains to host malicious content was able to bypass the SEG and make it into the recipient’s inbox. The bulk of the page includes a large title saying “New Bid Proposal Form” with a small description in all caps text underneath. Beneath this description is a hyperlink that reads “CLICK HERE TO ACCESS THE DOCUMENT,” containing the final redirect to the malicious phishing page. By clicking this hyperlink, the recipient is led to the page in the figure below. 

VirtualPicture1.png

Figure 4: Phishing Page

The user is redirected a final time to the actual phishing page boasting the well-known and ever-prevalent Microsoft branded sign-in form. The URL for this page uses the subdomain “office.atfxt.com” to further reinforce the deceptive idea that this is a legitimate Microsoft login. Once the user inputs their credentials into the sign-in form, their username and password will be exfiltrated via a POST request to the host domain “atfxt.com,” where the threat actor can view and use them to further exploit or compromise the user’s data and company infrastructure. Some examples of attacks that can be used with an employee’s compromised credentials include but are not limited to: Spear Phishing, Business Email Compromises, Account Takeover, Privilege Escalation, Malware Deployment, and Lateral Movement. These attacks can result in widespread compromise of company data as well as loss of assets and even risks compromising the third-party companies or vendors that may associate with the employee or their employer. Mitigating these attacks is crucial to enterprise security, as phishing emails are generally the first step within major attacks and account for 91% of data breaches within organizations (Deloitte). 

Phishing attacks such as these utilize known trusted domains and deception to reach a targeted recipient. Taking control of a commonly known domain allowed threat actors to evade SEGs and other security measures, relying on an unsuspecting recipient trusting what should be a known URL vector. Cofense Managed Phishing Detection and Response, alongside our Phishing Defense Center (PDC), was able to identify and analyze this tactic, while SEGs and other security measures were bypassed. Reach out to our team of experts to learn more.

Indicators of Compromise

IP  

File Name: Kilgore Industries.xlsx
MD5: 93051b8aaaf1729aa5cc127dab6e619b
SHA256: 08c9749c23090a42c9e8f9a3151b49ce6b372024c6b447e8f8b465b44035d754
File Size: 47,961 bytes

hXXps://kilgoreind[.]atlassian[.]net/wiki/external/ZTRhODM1N2U5Mzk5NGJmY2FmZWQ4NjI3YTVhNzhhYzA

104.192.142.19
104.192.142.18
104.192.142.20

hXXps://office[.]atfxt[.]com/common/oauth2/v2[.]0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=hXXps%3A%2F%2Fwww[.]office[.]com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20hXXps%3A%2F%2Fwww[.]office[.]com%2Fv2%2FOfficeHome[.]All&response_mode=form_post&nonce=638630591533111152[.]Yjc0ZWIxOGUtMzZlMS00ZjYxLWE5NzMtOGRhZjI5MmFkNjk5YzljZDBhNDEtMTQzNi00ZWU1LWE3MGUtMzViOWE3M2U3MGFm&ui_locales=en-US&mkt=en-US&client-request-id=2520dd33-9c6a-4ab9-b7db-54edf4ce3dad&state=CxgsacqzGvRaN8zwAstYXgKUFjO8Vq97-Vl8Iy7bhYl_k0kCjRhhf_LJLPpO-z9e3mIVZGCegO00zMWHxSDb121MuJ7YZx7E6-q4Uf0moWf6cwa93wreEdtU6R939FyHB2C6GhtUHYC2JHPgu8-Wdu06tHTfjdT8G5–nEXQ68WEe5CxVQJOGC0y9PjToPNrNnXboTYF4vePQt2CYVywNPq2fv4iDbMzXsX1EKxBUdlDGBlUu6rviZA5hXZd1a6aAjYf-_7zAsm9tLxewstdZw&x-client-SKU=ID_NET8_0&x-client-ver=7[.]5[.]1[.]0

82.180.130.33

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

*** This is a Security Bloggers Network syndicated blog from Cofense Website authored by Cofense Website. Read the original post at: https://cofense.com/feed/blog/more-than-just-a-corporate-wiki-how-threat-actors-are-exploiting-confluence


文章来源: https://securityboulevard.com/2024/10/more-than-just-a-corporate-wiki-how-threat-actors-are-exploiting-confluence/
如有侵权请联系:admin#unsafe.sh