Menace actors are actively exploiting a now-patched, important safety flaw impacting the Atlassian Confluence Information Middle and Confluence Server to conduct illicit cryptocurrency mining on prone situations.
“The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs,” Development Micro researcher Abdelrahman Esmail mentioned.
The safety vulnerability exploited is CVE-2023-22527, a most severity bug in older variations of Atlassian Confluence Information Middle and Confluence Server that would permit unauthenticated attackers to realize distant code execution. It was addressed by the Australian software program firm in mid-January 2024.
Development Micro mentioned it noticed a excessive variety of exploitation makes an attempt towards the flaw between mid-June and finish of July 2024 that leveraged it to drop the XMRig miner on unpatched hosts. At the least three completely different menace actors are mentioned to be behind the malicious exercise –
- Launching XMRig miner by way of an ELF file payload utilizing specifically crafted requests
- Utilizing a shell script that first terminates competing cryptojacking campaigns (e.g., Kinsing), deletes all present cron jobs, uninstalls cloud safety instruments from Alibaba and Tencent, and gathers system data, earlier than establishing a brand new cron job that checks for command-and-control (C2) server connectivity each 5 minutes and launching the miner
“With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide,” Esmail mentioned.
“To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.”