Log in
Show password
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Dynamic quotes 
  1. Homepage
  2. Equities
  3. Japan
  4. Japan Exchange
  5. Trend Micro Incorporated
  6. News
  7. Summary
    4704   JP3637300009


SummaryMost relevantAll NewsOther languagesPress ReleasesOfficial PublicationsSector news

Trend Micro Incorporated : Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One

10/18/2021 | 08:12am EST

Vulnerabilities serve as entry points for threats, and even relatively new ones have swarms of exploit campaigns that target them. In this research, we look into how malware campaigns target server vulnerabilities. In particular, we look into the Atlassian Confluence Server Webwork Object-Graph Navigation Language (OGNL) injection vulnerability, CVE-2021-26084, and three Oracle WebLogic Server vulnerabilities, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883. We also include recommendations on how security teams can safeguard their workloads.

To observe the following campaigns, we used detection data and set up honeypots, which we managed with Trend Micro Cloud One™ - Workload Security and Trend Micro Vision One™. With the help of these solutions, we were able to investigate attacks launched by adversaries as well as attempt some attack scenarios ourselves.

This entry shows Trend Micro Cloud One™ and Trend Micro Vision One at work in detecting and tracking these vulnerability exploits. The in-depth analysis of the campaign techniques observed in our research can be found in our technical brief.

Muhstik Campaign

Almost immediately after Atlassian released the patch for CVE-2021-26048, we saw many different types of attack campaigns seeking to exploit this vulnerability, most of which are cryptomining campaigns.

One notable attack traffic that we have seen so far on CVE-2021-26048 was by the Muhstik botnet campaign, which mostly has the purpose of cryptomining as well. Muhstik targeted vulnerable internet of things (IoT) devices, such as routers, to grow its malicious network and perform other tasks, such as mining for cryptocurrency or launching distributed denial-of-service (DDoS) attacks.

The operators behind Muhstik target vulnerabilities in public-facing web applications to increase the botnet's reach. Attackers behind the botnet fund their operation by mining cryptocurrency with the help of such tools as XMRig and cgmining, and also by providing DDoS-for-hire services.

Figure 1. Muhstik botnet campaign infection chain

A more detailed explanation of this chain and the specific techniques observed in this campaign can be found in our tech brief.

We used Cloud One and Trend Micro Vision One to help analyze this campaign. We discuss our detections in the following section.

Trend Micro Cloud One

Intrusion Prevention System (IPS) detection

For the Muhstik bot campaign, rule 1011117 - Atlassian Confluence Server RCE vulnerability CVE-2021-26084 was triggered in the IPS. This is due to the detected incoming malicious behavior that seeks to exploit the said vulnerability.

Figure 2. IPS detection for CVE-2021-26084 exploitation
Figure 3. Dk86 Tsunami backdoor detection
Figure 4. Stager trojan script detection
Figure 5. .kswapd script detection
Trend Micro Vision One

Trend Micro Vision One Workbench

Through the Trend Micro Vision One Workbench, we were able to track and detect malicious behavior as seen in vulnerability exploitation, suspicious outbound connection, and the presence of .kswapd (detected by Trend Micro as Coinminer.Linux.MALXMR.SMDSL64) and pty86 (detected by Trend Micro as Backdoor.Linux.TSUNAMI.AMX).

Figure 6. Malicious outbound traffic detection
Figure 7. .kswapd detection
Figure 8. pty86 detection

Trend Micro Vision One Observed Attack Techniques (OAT) Triggers

Trend Micro Vision One OAT also showed the detected vulnerability exploitation, with the risk level marked as High.

Figure 9. Exploit detection
Kinsing Campaign

Known for its comprehensive attack patterns and defense evasion schemes, the Kinsing malware is often wielded against misconfigured cloud-native environments. A misconfigured host or cluster could be exploited to run any container the attacker wants to deploy. This would cause outages on the target's service. It can also be used to perform lateral movement to other services, compromising sensitive data.

The Oracle WebLogic Server Admin Console RCE vulnerability CVE-2020-14750, which was publicized in November 2020, is still highly exploited by malware campaigns like the Kinsing malware, as we confirmed from our honeypots and customer trigger data.

The Kinsing campaign involves disabling other malware and security solutions, cleaning logs, and creating commands before loading the main cryptominer payload. The network can get infected by connecting to each device laterally, so malware can be activated in all the machines connected to the targeted network.

Figure 10. Kinsing campaign infection chain

We took a deep dive into the Kinsing campaign techniques in our tech brief.

We used Cloud One and Trend Micro Vision One to help analyze this campaign. We discuss our detections in the following section.

Trend Micro Cloud One

IPS detection

Through IPS, we were able to detect an incoming malicious behavior that exploits CVE-2020-14882. This was identified through rule 1010590 - Oracle WebLogic Server RCE vulnerabilities CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.

Figure 11. IPS detection for CVE-2020-14882 exploitation

Antimalware Detections

We were then able to detect several malicious files: the master script (detected by Trend Micro as Trojan.SH.CVE20207961.SM), Kinsing (detected by Trend Micro as Coinminer.Linux.MALXMR.PUWEMA), and Kdevtmpfsi (detected by Trend Micro as Coinminer.Linux.MALXMR.SMDSL64).

Figure 12. wb.sh master script detection
Figure 13. Kinsing detection
Figure 14. kdevtmpfsi detection
Trend Micro Vision One

Trend Micro Vision One Workbench

Through Trend Micro Vision One, we were able to track the activities related to the Kinsing campaign. This includes vulnerability exploitation, suspicious outbound traffic, bash shell script execution, and the presence of a malicious component (kdevtmpfsi).

Figure 15. Malicious outbound traffic detection
Figure 16. Bash script detection
Figure 17. kdevtmpfsi detection

Root Cause Analysis

The root cause analysis shows more insight into the behavior of the shell script, as well as how kdevtmpfsi emerged from Kinsing.

Figure 18. Kinsing campaign root cause analysis

Trend Micro Vision One Observed Attack Techniques (OAT) Triggers

Trend Micro Vision One OAT shows the detection of the vulnerability exploitation. The risk level is marked as High.

Figure 19. Exploit detection
How to Protect Systems Against Vulnerability Exploit Campaigns

Vulnerability exploits can heavily compromise user and enterprise systems. The following are some of the best practices to combat these threats.

It is highly recommended for administrators to apply all patches as soon as possible, especially if their deployed servers match the known affected versions. This recommendation is also a possible preventative measure. Both Atlassianand Oracle WebLogic servers have released security guidelines for the vulnerabilities discussed here.

In addition to the vendor patches, security solutions can also help in further securing the system.

Trend Micro Vision One helps security teams have an overall view of attempts in ongoing campaigns by providing them a correlated view of multiple layers such as email, endpoints, email, endpoints, servers, and cloud workloads. Security teams can gain a broader perspective and a better understanding of attack attempts and detect suspicious behavior that would otherwise seem benign when viewed from a single layer alone.

Trend Micro Cloud One - Workload Security helps defend systems against vulnerability exploits, malware, and unauthorized change. It can protect a variety of environments such as virtual, physical, cloud, and containers. Using advanced techniques like machine learning (ML) and virtual patching, the solution can automatically secure new and existing workloads both against known and new threats.

Trend Micro™ Deep Security™ensures malware prevention and network security and system security. Combined with Vulnerability Protection, it defends user systems from threats that target vulnerabilities. Both solutions protect users from exploits that target CVE-2021-26084 via the following rules:

  • 1011117 - Atlassian Confluence Server RCE vulnerability CVE-2021-26084

This rule is shipped in prevent mode by default and is included in the recommendation scan.

  • 1005934 - Identified Suspicious Command Injection Attack

These solutions also protect users from exploits that target CVE-2020-14750, CVE-2020-14882, and CVE-2020-14883 through the following rules:

  • 1010590 - Oracle WebLogic Server RCE vulnerabilities CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883

This rule is shipped in prevent mode by default and is included in the recommendation scan.

  • 1004090 - Identified Directory Traversal Sequence In Uri
Indicators of Compromise (IOCs)

Muhstik campaign

File Name

SHA 256

Trend Micro Pattern Detection














Kinsing campaign

File Name

SHA 256

Trend Micro Pattern Detection














Trend Micro Inc. published this content on 18 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 18 October 2021 12:11:04 UTC.

ę Publicnow 2021
07:31aTREND MICRO INCORPORATED : Analyzing How TeamTNT Used Compromised Docker Hub Accounts
11/30TREND MICRO INCORPORATED : What You Can Do to Mitigate Cloud Misconfigurations
11/29TREND MICRO INCORPORATED : Campaign Abusing Legitimate Remote Administrator Tools Uses Fak..
11/29AWS RE : Invent 2021 Guide: Checklist & Key Sessions
11/29TREND MICRO INCORPORATED : Cloud One Network Security-as-a-Service
11/24TREND MICRO INCORPORATED : COP26 Backs Electric Vehicles to Reduce Climate Change
11/23TREND MICRO INCORPORATED : BazarLoader Adds Compromised Installers, ISO to Arrival and Del..
11/19TREND MICRO INCORPORATED : This Week in Security News - November 19, 2021
11/19TREND MICRO INCORPORATED : Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Ema..
11/17TREND MICRO INCORPORATED : Analyzing ProxyShell-related Incidents via Trend Micro Managed ..
More news
Sales 2021 188 B 1 657 M 1 657 M
Net income 2021 34 873 M 308 M 308 M
Net cash 2021 182 B 1 605 M 1 605 M
P/E ratio 2021 26,6x
Yield 2021 2,86%
Capitalization 912 B 8 039 M 8 040 M
EV / Sales 2021 3,88x
EV / Sales 2022 3,60x
Nbr of Employees 6 975
Free-Float 95,4%
Duration : Period :
Trend Micro Incorporated Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends TREND MICRO INCORPORATED
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus HOLD
Number of Analysts 11
Last Close Price 6 550,00 JPY
Average target price 6 948,00 JPY
Spread / Average Target 6,08%
EPS Revisions
Managers and Directors
Yi Fen Chen President, Group CEO & Representative Director
Mahendra Negi Group CFO, Representative Director & VP
Ming Jang Chang Chairman
Max Cheng Chief Information Officer & Executive VP
Kevin Simzer Chief Operating Officer
Sector and Competitors
1st jan.Capi. (M$)
SEA LIMITED44.72%159 771