Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One

Trend Micro -

A more detailed explanation of this chain and the specific techniques observed in this campaign can be found in our tech brief.

We used Cloud One and Trend Micro Vision One to help analyze this campaign. We discuss our detections in the following section.

Trend Micro Cloud One

Intrusion Prevention System (IPS) detection

For the Muhstik bot campaign, rule 1011117 – Atlassian Confluence Server RCE vulnerability CVE-2021-26084 was triggered in the IPS. This is due to the detected incoming malicious behavior that seeks to exploit the said vulnerability.

Trend Micro Vision One 

Trend Micro Vision One Workbench

Through the Trend Micro Vision One Workbench, we were able to track and detect malicious behavior as seen in vulnerability exploitation, suspicious outbound connection, and the presence of .kswapd (detected by Trend Micro as Coinminer.Linux.MALXMR.SMDSL64) and pty86 (detected by Trend Micro as Backdoor.Linux.TSUNAMI.AMX).

Trend Micro Vision One Observed Attack Techniques (OAT) Triggers

Trend Micro Vision One OAT also showed the detected vulnerability exploitation, with the risk level marked as High.

Known for its comprehensive attack patterns and defense evasion schemes, the Kinsing malware is often wielded against misconfigured cloud-native environments. A misconfigured host

Read More: