A new and sophisticated cyber threat has emerged with the Godzilla fileless backdoor exploiting the critical CVE-2023-22527 vulnerability in Atlassian Confluence. This vulnerability, which affects the Confluence Data Center and Server products, is classified as high-severity with a CVSS score of 10. It allows unauthenticated attackers to execute arbitrary code on affected instances through a template injection flaw. Despite the vulnerability being disclosed and patched in January 2024, it remains a significant target for cybercriminals.
The Godzilla backdoor, developed by the pseudonymous user “BeichenDream,” is designed to evade traditional detection mechanisms by operating filelessly. It utilizes Advanced Encryption Standard (AES) encryption to secure its network traffic, making it particularly challenging for legacy antivirus solutions to detect. By avoiding the creation of detectable files, Godzilla effectively circumvents conventional security measures, which often rely on file-based detection.
The exploitation process begins when attackers use CVE-2023-22527 to execute a malicious payload on the Confluence server. This payload involves complex JavaScript code execution, Base64 encoding, and dynamic class loading. The Godzilla backdoor leverages Java Reflection to manipulate server components and inject a custom valve into the Tomcat pipeline, granting unauthorized access. This intricate exploitation process underscores the advanced capabilities of the malware and its ability to operate stealthily.
To mitigate the risks associated with this vulnerability, organizations using Atlassian Confluence are strongly advised to implement the latest security patches. Additionally, security teams should adopt behavior-based detection methods to better identify fileless malware like Godzilla. Given the evolving nature of cyber threats, it is crucial for businesses to remain vigilant, conduct regular security audits, and have a robust incident response plan to safeguard their digital assets against sophisticated attacks.
Reference:
