A new stealth backdoor into vulnerable Confluence persists after patching

published: Nov. 14, 2023

Take action: Even if you have already patched your Confluence server, have a competent team review the plugins installed on it and monitor its outbound connections for signs of a web shell. Or rebuild the server from scratch: if you are only patching now, it has been exposed for too long to trust.


A new backdoor named "Effluence" has been found on Atlassian Confluence servers compromised through CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Server. It gives attackers persistent remote control over the infected server and its network connections. Discovered during the investigation of compromised Confluence servers, Effluence is notable for continuing to work after the vulnerability is patched: the patch closes the entry point but does not remove what the attacker installed.

Unfortunately, Effluence's stealth lets it evade detection and stay operational after the patch is applied. Unlike typical web shells, which are loaded through Confluence's plugin system, this web shell is hooked into the Apache Tomcat server that hosts Confluence. Running at that layer, the backdoor sees every request to the Confluence instance and answers attacker commands without requiring any authentication.

Effluence supports a broad set of commands: creating admin accounts, modifying files, adding plugins, changing passwords, and logging credentials.

Removing Effluence is complex and usually requires a hands-on review by a security team. To find it, defenders should review the installed plugins, in particular the .jar files in the directories where Confluence and other Atlassian applications store plugins. Effluence leaves none of the traditional indicators of compromise (IOCs), so the only hints of its presence may be unusual activity on static Confluence pages and response sizes that differ from what those pages should return.
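The plugin review described above can be made systematic by comparing every plugin .jar on the suspect server against a baseline taken from a trusted install of the same Confluence version (a fresh download or a pre-incident backup). The script below is an added example for this page, not code from the Effluence write-up or from Atlassian. The plugin directories listed in PLUGIN_DIRS are the usual locations and are an assumption to adjust for your deployment; the jars and plugin keys in the demo are constructed test data.

```python
"""Triage Confluence plugin JARs against a known-good baseline.

Added example for this advisory; it is not code from the Effluence write-up
or from Atlassian. It inventories the JARs under the directories where
Confluence keeps plugins, reads the plugin key from each jar's
atlassian-plugin.xml, and reports any jar whose content hash is absent from a
baseline built from a trusted install of the same version (assumption: such
an install is available, e.g. a fresh download or a pre-incident backup).
"""
import hashlib
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional
from xml.etree import ElementTree

# Directories that usually hold plugin JARs, relative to the Confluence home
# and install directories (assumption: adjust to your deployment).
PLUGIN_DIRS = [
    "{home}/plugins-osgi-cache",
    "{install}/confluence/WEB-INF/atlassian-bundled-plugins",
    "{install}/confluence/WEB-INF/lib",
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plugin_key(path: Path) -> Optional[str]:
    """Plugin key declared in atlassian-plugin.xml, or None for plain
    libraries and for files that are not valid zip archives."""
    try:
        with zipfile.ZipFile(path) as zf:
            if "atlassian-plugin.xml" not in zf.namelist():
                return None
            return ElementTree.fromstring(zf.read("atlassian-plugin.xml")).get("key")
    except (zipfile.BadZipFile, ElementTree.ParseError):
        return None


def inventory(dirs) -> dict:
    """Map each jar path under the given directories to hash, size, mtime and key."""
    found = {}
    for d in dirs:
        for p in Path(d).rglob("*.jar"):
            st = p.stat()
            found[str(p)] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "plugin_key": plugin_key(p),
            }
    return found


def unknown_jars(current: dict, trusted_hashes: set) -> list:
    """Jars whose content hash is not in the trusted baseline. Keying on the
    hash rather than the path also catches a legitimate jar modified in place."""
    return sorted(
        ((path, meta) for path, meta in current.items()
         if meta["sha256"] not in trusted_hashes),
        key=lambda item: item[0],
    )


def build_tree(root: Path, plugins: dict) -> Path:
    """Constructed test data: a fake plugins-osgi-cache with one minimal jar
    per (filename -> plugin key). Fixed zip timestamps keep identical plugins
    byte-identical across the trusted and suspect trees."""
    d = root / "plugins-osgi-cache"
    d.mkdir(parents=True, exist_ok=True)
    for fname, key in plugins.items():
        with zipfile.ZipFile(d / fname, "w") as zf:
            descriptor = f'<atlassian-plugin key="{key}" name="{key}" plugins-version="2"/>'
            info = zipfile.ZipInfo("atlassian-plugin.xml", date_time=(2023, 1, 1, 0, 0, 0))
            zf.writestr(info, descriptor)
    return d


def demo() -> list:
    """Baseline a trusted tree, then scan a suspect tree with one extra jar.
    Returns (filename, plugin key) for every jar not covered by the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = build_tree(Path(tmp) / "trusted",
                             {"com.example.reports-1.0.jar": "com.example.reports"})
        suspect = build_tree(Path(tmp) / "suspect", {
            "com.example.reports-1.0.jar": "com.example.reports",
            "util-1.0.jar": "org.acme.util",  # constructed: a jar nobody installed on purpose
        })
        trusted_hashes = {m["sha256"] for m in inventory([trusted]).values()}
        return [(Path(p).name, m["plugin_key"])
                for p, m in unknown_jars(inventory([suspect]), trusted_hashes)]


if __name__ == "__main__":
    for name, key in demo():
        print(f"not in baseline: {name} (plugin key: {key})")
```

On a real host, run inventory() over PLUGIN_DIRS with the home and install paths filled in, build the trusted hash set from the same directories on the clean install, and treat every reported jar as something to open and read, not just to delete: a plugin the attacker added is also the thing that tells you what else it dropped into Tomcat. The same baseline-and-diff approach applies to the response-size hint above, by recording the byte length of a few static Confluence pages from the clean install and comparing them with the live server's responses.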
