Hello and welcome to the Tuesday, January 30th, 2020,

for edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I noticed in our first scene URL list that we had a new variant for a little bit older confluence

vulnerability. This vulnerability in Adelaideon's confluence was patched back in October, has

been exploited since then, but there's sort of a small little add-on to the exploit script.

So first of all, the exploit sort of usually comes in three requests in this case.

The first requests sets the setup complete flag for Confluence to false.

What this means is, well, Confluence thinks it's no longer properly configured, so it will now,

when you hit Confluence, offer you to add an admin user.

The second request will then set up that new admin user, and the third request will turn Confluence back

into its normal setup complete mode, so that way other users will not be presented with

the page that allows them to set up an admin user. The end effect is that you have a new admin

user added to the Confluence instance, and yes,

turning the setup complete on and off does not require authentication, which is sort of the

real flaw here that was patched by Adelaide.

So what we're seeing now is a slightly improved attack against this vulnerability.

It adds sort of a somewhat random-looking string to the end of the URL.

I don't find any special meaning in it.

It looks basic for encoded, but it looks like random data starts with the word cache,

followed by the random data.

I obviously see the same random data from this one particular attacker.

...