Attack Chain

1. The attacker exploits a vulnerability in Atlassian Confluence via a Metasploit module (T1190).
2. A malicious Java plugin is uploaded to the Confluence server, typically through a web request.
3. The Confluence server executes the malicious plugin within the Java Runtime Environment (java.exe).
4. The plugin initiates a network connection to download Meterpreter.
5. Meterpreter is downloaded to a temporary directory, often within the AppData\\Local\\Temp path.
6. Meterpreter executes, establishing a reverse shell to the attacker’s command and control (C2) server.
7. The attacker gains full control over the Confluence server, enabling further exploitation activities.
8. The attacker may leverage this access for lateral movement, data exfiltration, or deploying ransomware.

Impact

Successful exploitation of Atlassian Confluence servers through malicious plugins can lead to complete system compromise. This can result in the loss of sensitive data, disruption of services, and potential lateral movement to other systems within the network. Due to the widespread use of Confluence in enterprise environments, a successful attack can impact numerous organizations.

Recommendation

• Deploy the Sigma rule Detect Metasploit Confluence Plugin Execution to detect malicious java plugin execution used by metasploit for Atlassian Confluence exploitation.
• Monitor process execution for java.exe spawning processes from temporary directories (AppData\\Local\\Temp) as a potential indicator of malicious plugin activity, which is covered in the Sigma rule Detect Metasploit Confluence Plugin Execution.
• Implement network monitoring to detect outbound connections from Confluence servers to unusual or suspicious IP addresses, potentially indicating Meterpreter C2 communication.
• Review and patch Atlassian Confluence instances for known vulnerabilities that may be exploited by Metasploit modules, referencing the analytic story Confluence Data Center and Confluence Server Vulnerabilities.