Saturday, September 7, 2024
HomeCryptocurrency hackCritical Atlassian Vulnerability Exploited To Connect Servers In Mining Networks

Critical Atlassian Vulnerability Exploited To Connect Servers In Mining Networks

Published on

Hackers usually shift their attention towards Atlassian due to flaws in its software, especially in products like Confluence, which put organizations’ private data at risk.

There are many exploits accessible over the Internet, and the ease of the attack vector is one reason that Atlassian servers are one of the desirable attack points.

Cybersecurity researchers at Trend Micro recently identified an Atlassian vulnerability that threat actors could exploit to connect servers in mining networks.

- Advertisement - EHA

The vulnerability identified by researchers is tracked as “CVE-2023-22527,” which is marked as “Critical” with a CVSS score of 10.

Technical Analysis

On January 16, 2024, Atlassian disclosed CVE-2023-22527, which was found to affect Confluence Data Center and Server, enterprise-level collaboration platforms. 

In older versions, this vulnerability enables threat actors to exploit a template injection security flaw, which enables RCE (Remote Code Execution).

Besides this, the researchers observed a surge in exploitation attempts from mid-June to late July 2024, and they affirmed that this surge is primarily for cryptojacking purposes.

Attack chain used in the first attack vector (Source – Trend Micro)

There are three threat actors were detected, and among them, one was found to be utilizing the XMRig miner via an ELF file payload.

The exploitation of this critical vulnerability poses significant risks to the Confluence instances that are affected. 

Attack chain used in the second attack vector (Source – Trend Micro)

Not only that even it also gives the ability to the threat actors to compromise the system’s integrity, and resource allocation through unauthorized cryptocurrency mining activities.

Here below we have mentioned all the Confluence Data Center and Server versions that are affected:-

  • 8.0.x 
  • 8.1.x 
  • 8.2.x 
  • 8.3.x 
  • 8.4.x 
  • 8.5.0-8.5.3

A threat actor used SSH to integrate cryptocurrency mining on available endpoints with a well-designed shell script that the actor deployed.

The script also terminated any active mining instances including those in the /tmp/ folders, modified temporally scheduled jobs to ping the C&C every 5 minutes, and turned off antivirus including Alibaba Cloud Shield and Tencent Cloud mirrors.

The target machine retrieved all system information available, including bash history, SSH config, and known hosts.

The script self-spreads to other systems via SSH with the following options:- 

  • -oStrictHostKeyChecking=no
  • -oBatchMode=yes
  • -oConnectTimeout=3

To remain undetected, it added cron jobs in different directories and with different names (whoami, nginx, apache) over cubic’s acquisition croninit.d, cron.hourly, and cron.d files.

Once cloud monitoring services and the CVE-2023-22527 exploit were stopped, it downloaded the XMRig miner.

In this way, the solr.sh function made sure that some of the additional security mechanisms were disabled before the beginning of mining.

To add more, the rnv2ymcl function removed log files and bash log history records to eliminate anything about the compromise.

Cybersecurity analysts urged users to update the Confluence software immediately to mitigate the widespread exploitation of CVE-2023-22527.

Download FreeIncident Response Plan Templatefor Your Security TeamFree Download

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

SonicWall Access Control Vulnerability Exploited in the Wild

SonicWall has issued an urgent advisory regarding a critical vulnerability in its SonicOS management...

Apache OFBiz for Linux & Windows Vulnerability Allows Unauthenticated Remote Code Execution

A series of vulnerabilities affecting Apache OFBiz has come to light, raising significant cybersecurity...

Veeam Backup & Replication Vulnerabilities Let Attackers Execute Remote Code

Multiple critical vulnerabilities have been identified in Veeam Backup & Replication, a widely-used data...