Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One

A more detailed explanation of this chain and the specific techniques observed in this campaign can be found in our tech brief.

We used Cloud One and Trend Micro Vision One to help analyze this campaign. We discuss our detections in the following section.

Trend Micro Cloud One

Intrusion Prevention System (IPS) detection

For the Muhstik bot campaign, rule 1011117 – Atlassian Confluence Server RCE vulnerability CVE-2021-26084 was triggered in the IPS. This is due to the detected incoming malicious behavior that seeks to exploit the said vulnerability.

Trend Micro Vision One 

Trend Micro Vision One Workbench

Through the Trend Micro Vision One Workbench, we were able to track and detect malicious behavior as seen in vulnerability exploitation, suspicious outbound connection, and the presence of .kswapd (detected by Trend Micro as Coinminer.Linux.MALXMR.SMDSL64) and pty86 (detected by Trend Micro as Backdoor.Linux.TSUNAMI.AMX).

Trend Micro Vision One Observed Attack Techniques (OAT) Triggers

Trend Micro Vision One OAT also showed the detected vulnerability exploitation, with the risk level marked as High.

Known for its comprehensive attack patterns and defense evasion schemes, the Kinsing malware is often wielded against misconfigured cloud-native environments. A misconfigured host or cluster could be exploited to run any container the attacker wants to deploy. This would cause outages on the target’s service. It can also be used to perform lateral movement to other services, compromising sensitive data.

The Oracle WebLogic Server Admin Console RCE vulnerability CVE-2020-14750, which was publicized in November 2020, is still highly exploited by malware campaigns like the Kinsing malware, as we confirmed from our honeypots and customer trigger data.

The Kinsing campaign involves disabling other malware and security solutions, cleaning logs, and creating commands before loading the main cryptominer payload. The network can get infected by connecting to each device laterally, so malware can be activated in all the machines connected to the targeted network.  

We took a deep dive into the Kinsing campaign techniques in our tech brief.

We used Cloud One and Trend Micro Vision One to help analyze this campaign.  We discuss our detections in the following section.

Trend Micro Cloud One

IPS detection

Through IPS, we were able to detect an incoming malicious behavior that exploits CVE-2020-14882. This was identified through rule 1010590 – Oracle WebLogic Server RCE vulnerabilities CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.

Antimalware Detections

We were then able to detect several malicious files: the master script (detected by Trend Micro as Trojan.SH.CVE20207961.SM), Kinsing (detected by Trend Micro as Coinminer.Linux.MALXMR.PUWEMA), and Kdevtmpfsi (detected by Trend Micro as Coinminer.Linux.MALXMR.SMDSL64).

Trend Micro Vision One 

Trend Micro Vision One Workbench

Through Trend Micro Vision One, we were able to track the activities related to the Kinsing campaign. This includes vulnerability exploitation, suspicious outbound traffic, bash shell script execution, and the presence of a malicious component (kdevtmpfsi).

Root Cause Analysis

The root cause analysis shows more insight into the behavior of the shell script, as well as how kdevtmpfsi emerged from Kinsing.

Trend Micro Vision One Observed Attack Techniques (OAT) Triggers

Trend Micro Vision One OAT shows the detection of the vulnerability exploitation. The risk level is marked as High.

Vulnerability exploits can heavily compromise user and enterprise systems. The following are some of the best practices to combat these threats.

It is highly recommended for administrators to apply all patches as soon as possible, especially if their deployed servers match the known affected versions. This recommendation is also a possible preventative measure. Both Atlassian  and Oracle WebLogic servers have released security guidelines for the vulnerabilities discussed here.

In addition to the vendor patches, security solutions can also help in further securing the system.

Trend Micro Vision One helps security teams have an overall view of attempts in ongoing campaigns by providing them a correlated view of multiple layers such as email, endpoints, email, endpoints, servers, and cloud workloads. Security teams can gain a broader perspective and a better understanding of attack attempts and detect suspicious behavior that would otherwise seem benign when viewed from a single layer alone.

Trend Micro Cloud One – Workload Security helps defend systems against vulnerability exploits, malware, and unauthorized change.  It can protect a variety of environments such as virtual, physical, cloud, and containers. Using advanced techniques like machine learning (ML) and virtual patching, the solution can automatically secure new and existing workloads both against known and new threats.

Trend Micro™ Deep Security™ ensures malware prevention and network security and system security. Combined with Vulnerability Protection, it defends user systems from threats that target vulnerabilities. Both solutions protect users from exploits that target CVE-2021-26084 via the following rules:

  • 1011117 – Atlassian Confluence Server RCE vulnerability CVE-2021-26084

This rule is shipped in prevent mode by default and is included in the recommendation scan

  • 1005934 – Identified Suspicious Command Injection Attack

These solutions also protect users from exploits that target CVE-2020-14750, CVE-2020-14882, and CVE-2020-14883 through the following rules:

  • 1010590 – Oracle WebLogic Server RCE vulnerabilities CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883

This rule is shipped in prevent mode by default and is included in the recommendation scan.

  • 1004090 – Identified Directory Traversal Sequence In Uri

IPs

hxxp://188[.]166[.]137[.]241/wp-content/themes/twentyseventeen/dk86

hxxp://153[.]121[.]58[.]102:80/wp-content/themes/zuki/m8

hxxp://3[.]10.224[.]87/[.]a/dk86

IPs

hxxp://194[.]38[.]20[.]199/wb.sh

hxxp://194[.]38[.]20[.]199/kinsing

Read More HERE