Researchers discovered a new attack exploiting CVE-2023-22527 to plant an in-memory, fileless backdoor: the Godzilla webshell. Because the backdoor encrypts its traffic with AES and lives only in the process memory of the Confluence server rather than on disk, it is hard to spot with detection methods that rely on file-based analysis. Hunt for indicators of compromise in your environment; if any are found, remove them immediately and redeploy affected workloads from a known clean state. Note that restarting the process clears an injected in-memory component but does not close the hole: the server remains exploitable until it is upgraded to a version of Confluence that fixes CVE-2023-22527.

CVE-2023-22527 is a critical template injection vulnerability, rated CVSS 10.0, that allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable Confluence Data Center and Server instances.

The attack chain begins with exploitation of CVE-2023-22527: the attackers use OGNL objects on the compromised Atlassian server to load and run malicious JavaScript. That code then performs a series of operations, including reading and manipulating request parameters and injecting a custom valve into the Tomcat request-processing pipeline. The valve handles the attacker's subsequent requests, giving persistent unauthorized access without ever writing a webshell file to disk.
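Because the backdoor never touches disk, the most practical place to hunt for it is in the HTTP traffic it exchanges with the operator. The following Python is an added example written for this page, not code from the original article or from the researchers' report. It relies on a detail the page does not state but which public analyses of Godzilla's Java AES profile document: the server derives its AES key as the first 16 hex characters of md5(key), computes md5(pass + that key string), and wraps every response as the first 16 hex characters of that digest, then base64(AES-ECB(result)), then the last 16 hex characters. The check below matches that envelope against candidate pass/key pairs (the Godzilla defaults "pass"/"key" are the obvious first candidates) without needing to decrypt anything, so it runs with the standard library alone; the sample response bodies are constructed for the example, and the middle of the "malicious" sample is arbitrary bytes standing in for real ciphertext.

```python
import base64
import hashlib
import re

# Assumed Godzilla Java AES profile (from public analyses, not from the page):
#   xc  = md5(key)[:16]        -> the 16-character string used as the AES key
#   tag = md5(pass + xc)       -> 32 hex characters
#   response body = tag[:16] + base64(AES_ECB(result)) + tag[16:]
# The request side carries base64(AES_ECB(payload)) in a POST parameter named
# after "pass"; decrypting it needs an AES library and is not done here.

_BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def aes_key_string(key: str) -> str:
    """Return the 16-character AES key string Godzilla derives from the key."""
    return hashlib.md5(key.encode()).hexdigest()[:16]


def godzilla_envelope(password: str, key: str) -> tuple[str, str]:
    """Return the (head, tail) hex halves that bracket every Godzilla response."""
    tag = hashlib.md5((password + aes_key_string(key)).encode()).hexdigest()
    return tag[:16], tag[16:]


def looks_like_godzilla_response(body: str, password: str, key: str) -> bool:
    """True if body is bracketed by the envelope for (password, key) and the
    part in between is well-formed base64, as an AES-ECB blob would be."""
    body = body.strip()
    if len(body) < 32 + 4:          # envelope plus at least one base64 group
        return False
    head, tail = godzilla_envelope(password, key)
    if not (body.startswith(head) and body.endswith(tail)):
        return False
    middle = body[16:-16]
    return len(middle) % 4 == 0 and bool(_BASE64.match(middle))


def scan_responses(responses, candidates):
    """Return [(index, password, key)] for every response matching a candidate."""
    hits = []
    for idx, body in enumerate(responses):
        for password, key in candidates:
            if looks_like_godzilla_response(body, password, key):
                hits.append((idx, password, key))
    return hits


# Constructed sample traffic for the example (not captured data).
_HEAD, _TAIL = godzilla_envelope("pass", "key")
_FAKE_CIPHERTEXT = base64.b64encode(b"\x8a\x01\x77constructed-stand-in-for-ciphertext").decode()

SAMPLE_RESPONSES = [
    "<html><body>Dashboard - Confluence</body></html>",   # benign page
    _HEAD + _FAKE_CIPHERTEXT + _TAIL,                      # Godzilla envelope
    _HEAD + "not base64 at all!" + _TAIL,                  # right tag, wrong body
    "0" * 16 + _FAKE_CIPHERTEXT + "0" * 16,                # wrong tag
]

CANDIDATES = [("pass", "key"), ("admin", "admin")]

if __name__ == "__main__":
    for idx, password, key in scan_responses(SAMPLE_RESPONSES, CANDIDATES):
        print(f"response {idx}: matches Godzilla envelope for pass={password!r} key={key!r}")
```

Candidate pass/key pairs come from intelligence on the intrusion or from the defaults Godzilla ships with; a hit on a response from a Confluence path that should serve HTML is a strong signal that a Godzilla handler, on disk or injected as a Tomcat valve, is answering on that host.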