CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)

 1title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
 2id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
 3related:
 4    - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
 5      type: similar
 6status: experimental
 7description: |
 8        Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 9references:
10    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
11    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
12    - https://github.com/ForceFledgling/CVE-2023-22518
13author: Andreas Braathen (mnemonic.io)
14date: 2023/11/14
15tags:
16    - detection.emerging_threats
17    - attack.initial_access
18    - attack.t1190
19    - cve.2023.22518
20logsource:
21    category: proxy
22detection:
23    selection_method:
24        cs-method: 'POST'
25    selection_uris:
26        cs-uri|contains:
27          # Exploitable endpoints
28            - '/json/setup-restore-local.action'
29            - '/json/setup-restore-progress.action'
30            - '/json/setup-restore.action'
31            - '/server-info.action'
32            - '/setup/setupadministrator.action'
33    selection_status:
34        # Response code may be indicative of exploitation success, but is not always the case
35        sc-status:
36            - 200
37            - 302
38            - 405
39    condition: all of selection_*
40falsepositives:
41    - Vulnerability scanners
42level: medium

References

• CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server | Atlassian Support | Atlassian Documentation

  Summary of Vulnerability 06 Nov 2023  As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware. We ...

  
  Read More

• Confluence to Cerber: Exploitation of ​​CVE-2023-22518 for Ransomware Deployment

  

  CVE-2023-22518 is being exploited in Confluence for Cerber ransomware deployment. Read up on Huntress’ observations and mitigation guidance.

  
  Read More

• GitHub - ForceFledgling/CVE-2023-22518: Improper Authorization Vulnerability in Confluence Data Center and Server + bonus 🔥

  

  Improper Authorization Vulnerability in Confluence Data Center and Server + bonus 🔥 - ForceFledgling/CVE-2023-22518

  
  Read More

Related rules

• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
• Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
• Potential Information Disclosure CVE-2023-43261 Exploitation - Web