
Remediating Atlassian Confluence servers fails to thwart Effluence backdoor

Atlassian Confluence Data Center and Server instances compromised through the critical vulnerability tracked as CVE-2023-22515 and implanted with the Effluence backdoor remained compromised even after the vendor's patches were applied, The Hacker News reports. According to a report from Aon's Stroz Friedberg Incident Response Services, the attackers exploited the flaw to deploy a new web shell consisting of a loader and the Effluence payload, which gave them persistent remote access to every web page served by the instance, without needing a valid user account. Besides creating a new admin account, the threat actors executed arbitrary commands, enumerated and deleted files, gathered data about the Atlassian environment, and deleted logs to conceal their activity. "[Effluence] provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence," the report said.

The practical point for defenders is that the patch closes the entry vector but does nothing to a web shell that was installed before it was applied. An instance that was exposed while vulnerable therefore has to be handled as a compromise, not merely a missing update: identify and remove the implanted loader and payload, review any accounts and administrator memberships created during the exposure window, and treat missing or truncated logs as a sign of tampering rather than as an absence of evidence.
