Critical Atlassian Vulnerability Exploited To Connect Servers In Mining Networks

Hackers usually shift their attention towards Atlassian due to flaws in its software, especially in products like Confluence, which put organizations’ private data at risk.

There are many exploits accessible over the Internet, and the ease of the attack vector is one reason that Atlassian servers are one of the desirable attack points.

Cybersecurity researchers at Trend Micro recently identified an Atlassian vulnerability that threat actors could exploit to connect servers in mining networks.

The vulnerability identified by researchers is tracked as “CVE-2023-22527,” which is marked as “Critical” with a CVSS score of 10.

Technical Analysis

On January 16, 2024, Atlassian disclosed CVE-2023-22527, which was found to affect Confluence Data Center and Server, enterprise-level collaboration platforms. 

In older versions, this vulnerability enables threat actors to exploit a template injection security flaw, which enables RCE (Remote Code Execution).

Besides this, the researchers observed a surge in exploitation attempts from mid-June to late July 2024, and they affirmed that this surge is primarily for cryptojacking purposes.

There are three threat actors were detected, and among them, one was found to be utilizing the XMRig miner via an ELF file payload.

The exploitation of this critical vulnerability poses significant risks to the Confluence instances that are affected. 

Not only that even it also gives the ability to the threat actors to compromise the system’s integrity, and resource allocation through unauthorized cryptocurrency mining activities.

Here below we have mentioned all the Confluence Data Center and Server versions that are affected:-

• 8.0.x
• 8.1.x
• 8.2.x
• 8.3.x
• 8.4.x
• 8.5.0-8.5.3

A threat actor used SSH to integrate cryptocurrency mining on available endpoints with a well-designed shell script that the actor deployed.

The script also terminated any active mining instances including those in the /tmp/ folders, modified temporally scheduled jobs to ping the C&C every 5 minutes, and turned off antivirus including Alibaba Cloud Shield and Tencent Cloud mirrors.

The target machine retrieved all system information available, including bash history, SSH config, and known hosts.

The script self-spreads to other systems via SSH with the following options:- 

• -oStrictHostKeyChecking=no
• -oBatchMode=yes
• -oConnectTimeout=3

To remain undetected, it added cron jobs in different directories and with different names (whoami, nginx, apache) over cubic’s acquisition croninit.d, cron.hourly, and cron.d files.

Once cloud monitoring services and the CVE-2023-22527 exploit were stopped, it downloaded the XMRig miner.

In this way, the solr.sh function made sure that some of the additional security mechanisms were disabled before the beginning of mining.

To add more, the rnv2ymcl function removed log files and bash log history records to eliminate anything about the compromise.

Cybersecurity analysts urged users to update the Confluence software immediately to mitigate the widespread exploitation of CVE-2023-22527.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download