Menace actors are actively exploiting a now-patched, essential safety flaw impacting the Atlassian Confluence Knowledge Heart and Confluence Server to conduct illicit cryptocurrency mining on vulnerable cases.
“The assaults contain menace actors that make use of strategies such because the deployment of shell scripts and XMRig miners, focusing on of SSH endpoints, killing competing crypto mining processes, and sustaining persistence by way of cron jobs,” Development Micro researcher Abdelrahman Esmail stated.
The safety vulnerability exploited is CVE-2023-22527, a most severity bug in older variations of Atlassian Confluence Knowledge Heart and Confluence Server that would enable unauthenticated attackers to realize distant code execution. It was addressed by the Australian software program firm in mid-January 2024.
Development Micro stated it noticed a excessive variety of exploitation makes an attempt in opposition to the flaw between mid-June and finish of July 2024 that leveraged it to drop the XMRig miner on unpatched hosts. At the very least three completely different menace actors are stated to be behind the malicious exercise –
- Launching XMRig miner by way of an ELF file payload utilizing specifically crafted requests
- Utilizing a shell script that first terminates competing cryptojacking campaigns (e.g., Kinsing), deletes all present cron jobs, uninstalls cloud safety instruments from Alibaba and Tencent, and gathers system info, earlier than organising a brand new cron job that checks for command-and-control (C2) server connectivity each 5 minutes and launching the miner
“With its steady exploitation by menace actors, CVE-2023-22527 presents a big safety danger to organizations worldwide,” Esmail stated.
“To reduce the dangers and threats related to this vulnerability, directors ought to replace their variations of Confluence Knowledge Heart and Confluence Server to the most recent out there variations as quickly as doable.”
