Official Incident Report - Case 1 - SOC235 - Atlassian Confluence Broken Access Control 0-Day CVE-2023-22515

Case 101

CVE-2023-22515 affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized. The vulnerability is categorized as a Broken Access Control issue.

For CVE-2023-22515 we first need to take ownership of the alert.

STEP 1 - DETECTION - Playbook

Collecting Alert Data

In every alert there is specific information that we need to gather in order to understand what we are dealing with and find a corresponding solution.

1. File name
2. Source IP
3. Destination IP
4. Malicious file (hash or URL)
5. Alert trigger reason
6. Hostname
7. Requested URL

Threat Intelligence

The first action for me is to use threat intelligence to find out more about the address. I searched the IP address in VirusTotal and AbuseIPDB and found that the IP is malicious. (Using different TI tools such as VirusTotal, AbuseIPDB or Talos can be very useful for finding the history of an IP.)
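Added example (my own code, not the case's tooling and not either vendor's SDK) of the lookup described above done programmatically: it builds the VirusTotal v3 and AbuseIPDB v2 requests for the IP, parses the fields an analyst reads off each portal (VirusTotal's count of engines rating the address malicious, AbuseIPDB's abuse confidence score) and folds both into one verdict. The verdict thresholds are an assumption of this example, the API keys are placeholders, and the sample replies at the bottom are constructed so the code runs offline; a live lookup only needs the fetch parameter left at its default.

```python
"""Threat-intel enrichment of an alert's source IP.

Added example: builds the VirusTotal v3 and AbuseIPDB v2 lookups for an
address, parses their JSON replies and folds both into one triage verdict.
The HTTP call is injectable, so the module runs offline against the
constructed sample replies at the bottom.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable

VT_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"
ABUSEIPDB_URL = "https://api.abuseipdb.com/api/v2/check?ipAddress={ip}&maxAgeInDays=90"


def vt_request(ip: str, api_key: str) -> urllib.request.Request:
    """VirusTotal v3: GET /ip_addresses/<ip>, key sent in the x-apikey header."""
    return urllib.request.Request(VT_URL.format(ip=ip), headers={"x-apikey": api_key})


def abuseipdb_request(ip: str, api_key: str) -> urllib.request.Request:
    """AbuseIPDB v2: GET /check?ipAddress=<ip>, key sent in the Key header."""
    return urllib.request.Request(
        ABUSEIPDB_URL.format(ip=urllib.parse.quote(ip)),
        headers={"Key": api_key, "Accept": "application/json"},
    )


def http_get_json(req: urllib.request.Request, timeout: int = 10) -> dict:
    """Live fetch; only used when no offline fetcher is injected."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def vt_malicious_count(vt_json: dict) -> int:
    """Engines that rated the IP 'malicious' in VirusTotal's last_analysis_stats."""
    attrs = vt_json.get("data", {}).get("attributes", {})
    return int(attrs.get("last_analysis_stats", {}).get("malicious", 0))


def abuse_confidence(abuse_json: dict) -> int:
    """AbuseIPDB's 0-100 abuseConfidenceScore for the address."""
    return int(abuse_json.get("data", {}).get("abuseConfidenceScore", 0))


def ti_verdict(vt_malicious: int, abuse_score: int) -> str:
    """Combine both sources. Thresholds are this example's own assumption,
    not a vendor recommendation; tune them to your false-positive tolerance."""
    if vt_malicious >= 3 or abuse_score >= 75:
        return "malicious"
    if vt_malicious >= 1 or abuse_score >= 25:
        return "suspicious"
    return "clean"


def enrich_ip(ip: str, vt_key: str, abuse_key: str,
              fetch: Callable[[urllib.request.Request], dict] = http_get_json) -> dict:
    """Run both lookups and return the fields an analyst pastes into the case."""
    vt = fetch(vt_request(ip, vt_key))
    ab = fetch(abuseipdb_request(ip, abuse_key))
    vt_mal = vt_malicious_count(vt)
    score = abuse_confidence(ab)
    return {
        "ip": ip,
        "vt_malicious": vt_mal,
        "abuse_confidence": score,
        "abuse_reports": int(ab.get("data", {}).get("totalReports", 0)),
        "verdict": ti_verdict(vt_mal, score),
    }


# Constructed sample replies: the shapes follow the two public APIs, but the
# detection counts and report totals are made up for this example, not the
# case's real VirusTotal/AbuseIPDB results.
SAMPLE_REPLIES = {
    "virustotal.com": {"data": {"id": "43.130.1.222", "type": "ip_address", "attributes": {
        "last_analysis_stats": {"harmless": 60, "malicious": 7, "suspicious": 1,
                                "undetected": 20, "timeout": 0}}}},
    "abuseipdb.com": {"data": {"ipAddress": "43.130.1.222", "abuseConfidenceScore": 100,
                               "totalReports": 42}},
}


def offline_fetch(req: urllib.request.Request) -> dict:
    """Stand-in for http_get_json that answers from SAMPLE_REPLIES by hostname."""
    host = urllib.parse.urlparse(req.full_url).hostname or ""
    for suffix, reply in SAMPLE_REPLIES.items():
        if host.endswith(suffix):
            return reply
    raise KeyError(f"no sample reply for {host}")


if __name__ == "__main__":
    print(enrich_ip("43.130.1.222", "VT_KEY_PLACEHOLDER", "ABUSE_KEY_PLACEHOLDER",
                    fetch=offline_fetch))
```

Keeping the verdict logic separate from the HTTP calls is what makes the triage rule testable and reviewable: the thresholds that turn two vendor numbers into "malicious" are a policy decision for the SOC, and they should live in one place rather than in each analyst's head.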
Then I proceeded and checked Log Management and the Threat Intel displays, and I found the following logs:

(In Log Management on the Pro version, always search by IP, both as host source and as destination source.)

After collecting these logs, we can proceed with the playbook.

Step 2 - Analysis

According to the results we got from VirusTotal and the Threat Intel logs, we can say that the traffic is malicious.

We should choose “Other”, because the type of attack we are investigating does not belong to any of the listed categories.

There is a specific kind of authorized attack that can occur on a system, called penetration testing, and any case in LetsDefend could be one. To make sure it isn't, we check the email inbox for a possible notice; in this specific case there was none, so the activity was not planned.

The alert’s source address 43.130.1.222 is external to the company network, while 172.16.17.234 is the internal destination address (it belongs to the Confluence Data Center v8.0.3 host). This denotes a traffic direction of Internet → Company Network.

The attack was successful: the response code shown in the Log Management tab is 200 OK, and on the first alert page we also noticed that the Device Action was "allowed".

3. Containment

As shown above, the device must be isolated in order to restrict the attacker and secure the internal network, so we contain the relevant device.

In this section we record as much of the information we gathered as possible, such as the destination IP, source IP and requested URL, or in other cases any file hash. This is also valuable because SOC Tier 2 will then have as much information as possible about the incident when it is escalated.

Since the attack was successful, escalation to Tier 2 is necessary so that a more experienced analyst can take over.
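Added example pulling the Step 2 and Step 3 decisions together (my own code, not LetsDefend's playbook logic): it classifies the traffic direction from the two addresses, decides from the device action and the HTTP response code whether the request actually reached Confluence, and drafts the Tier 2 escalation note from the fields listed under Collecting Alert Data. The RFC 1918 ranges standing in for the company network, and the hostname and requested URL in the sample alert, are assumptions and placeholders; the addresses, product version, response code and device action are the ones cited in this case.

```python
"""Alert triage for Step 2 (analysis) and Step 3 (containment).

Added example, not LetsDefend's own tooling: derives the traffic direction
from the source/destination addresses, decides from the device action and
HTTP response code whether the request reached the application, and drafts
the escalation note for Tier 2 from the fields gathered in Step 1.
"""
import ipaddress

# Assumption: RFC 1918 space stands in for the company network. Replace with
# the organisation's real address plan in production.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def traffic_direction(src_ip: str, dst_ip: str) -> str:
    """Classify the flow the way the playbook's direction question expects."""
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if not src_in and dst_in:
        return "Internet -> Company Network"
    if src_in and not dst_in:
        return "Company Network -> Internet"
    if src_in and dst_in:
        return "Company Network -> Company Network"
    return "Internet -> Internet"


def attack_reached_target(device_action: str, response_code: int) -> bool:
    """An allowed request answered with 2xx reached the application; a blocked
    request or a 4xx/5xx answer means the attempt did not get through."""
    allowed = device_action.strip().lower() in {"allowed", "allow", "permit", "permitted"}
    return allowed and 200 <= response_code < 300


def triage(alert: dict) -> dict:
    """Analysis verdict plus the containment/escalation decisions it drives."""
    successful = attack_reached_target(alert["device_action"], alert["response_code"])
    return {
        "direction": traffic_direction(alert["src_ip"], alert["dst_ip"]),
        "successful": successful,
        "contain_host": successful,    # isolate the target if the request got through
        "escalate_tier2": successful,  # a successful attack goes to a senior analyst
    }


def escalation_note(alert: dict, result: dict) -> str:
    """Everything Tier 2 needs in one place (the fields from Collecting Alert Data)."""
    lines = [
        f"Alert: {alert['alert_name']}",
        f"Source IP: {alert['src_ip']} -> Destination IP: {alert['dst_ip']} ({result['direction']})",
        f"Hostname: {alert['hostname']}",
        f"Requested URL: {alert['requested_url']}",
        f"Device action: {alert['device_action']}, HTTP response: {alert['response_code']}",
        f"Assessment: attack {'successful' if result['successful'] else 'unsuccessful'}",
        f"Containment: {'host isolated' if result['contain_host'] else 'no isolation needed'}",
        f"Escalation: {'Tier 2' if result['escalate_tier2'] else 'close at Tier 1'}",
    ]
    return "\n".join(lines)


# Constructed sample alert. IPs, product version, response code and device action
# are the values the report above cites; hostname and URL are placeholders because
# the report does not print them.
SAMPLE_ALERT = {
    "alert_name": "SOC235 - Atlassian Confluence Broken Access Control 0-Day (CVE-2023-22515)",
    "src_ip": "43.130.1.222",
    "dst_ip": "172.16.17.234",
    "hostname": "<Confluence Data Center v8.0.3 host - placeholder>",
    "requested_url": "<requested URL from the alert - placeholder>",
    "device_action": "Allowed",
    "response_code": 200,
}

if __name__ == "__main__":
    print(escalation_note(SAMPLE_ALERT, triage(SAMPLE_ALERT)))
```

The success test deliberately requires both signals: a firewall "allowed" verdict alone says nothing about whether Confluence accepted the request, and a 200 from a host the device blocked would be a logging inconsistency worth its own investigation rather than a successful attack.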

Alert Result