Deepwatch researchers found it "highly likely" that the Atlassian Confluence server vulnerability tracked as CVE-2022-26134 was leveraged by the threat actor tracked as TAC-040 to deploy the novel Ljl Backdoor in a week-long attack against an unnamed research and technical services organization in May, according to The Hacker News.
"The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory. After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment," said Deepwatch.
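The quoted finding, commands spawned with tomcat9.exe in the Confluence directory as their parent, is a useful detection anchor. The following is an added example (not Deepwatch's or Atlassian's code) that scans constructed, Sysmon-style process-creation records for children of Confluence's tomcat9.exe; the list of enumeration binaries is an assumption, since the report does not name the exact commands TAC-040 ran.

```python
"""Flag process-creation events whose parent is Confluence's tomcat9.exe."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: typical host/network/AD enumeration binaries; the report does not
# name the specific commands, so tune this list to your environment.
ENUM_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
              "systeminfo.exe", "tasklist.exe", "nslookup.exe", "arp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def is_confluence_tomcat(parent_image: str) -> bool:
    """True if the parent is tomcat9.exe located under an Atlassian Confluence path."""
    p = parent_image.lower().replace("/", "\\")
    return p.endswith("\\tomcat9.exe") and "\\confluence\\" in p


def classify(ev: ProcEvent) -> Optional[str]:
    """Label a suspicious child of Confluence's Tomcat, or None if not applicable."""
    if not is_confluence_tomcat(ev.parent_image):
        return None
    name = ev.image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if name in ENUM_TOOLS:
        return "enumeration-from-confluence"
    if name in SHELLS:
        return "shell-from-confluence"
    # Any other child is still worth review; allowlist known-good children in production.
    return "unexpected-child-of-confluence"


def scan(events: List[ProcEvent]) -> List[Tuple[ProcEvent, str]]:
    """Return (event, label) pairs for every event that triggers a finding."""
    return [(ev, label) for ev in events if (label := classify(ev))]


# Constructed sample telemetry, not data from the incident.
CONFLUENCE_TOMCAT = r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe"
SAMPLE_EVENTS = [
    ProcEvent(CONFLUENCE_TOMCAT, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ProcEvent(CONFLUENCE_TOMCAT, r"C:\Windows\System32\cmd.exe", "cmd.exe /c nltest /dclist:"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
    ProcEvent(r"C:\Tomcat\bin\tomcat9.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {ev.image} <- {ev.parent_image} [{ev.command_line}]")
```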
Attackers may also have exploited the Spring4Shell flaw, tracked as CVE-2022-22965, to compromise Confluence, the researchers added. Although there is no indication that the XMRig cryptominer loader deployed to the compromised system was ever executed, TAC-040 was able to add at least 652 XMR, or $106,000, to its Monero address through cryptomining operations, and exfiltrated nearly 700 MB of archived data before the server was taken down.