Atlassian Confluence Data Center and Confluence Server used to carry a maximum severity vulnerability that allowed threat actors to remotely run any malicious code.
Despite the fix being available for months now, there are many unprotected endpoints out there.
As a result, hackers have been observed installing cryptocurrency miners on these devices, raking up huge electricity bills to the victims, as well as rendering their devices practically unusable.
Fighting for control
This is according to a new report from cybersecurity researchers Trend Micro. Published earlier this week, the report argues that crooks are competing with one another, deleting and installing cryptominers regularly.
The vulnerability is tracked as CVE-2023-22527. It is a critical, 10/10 severity flaw that allows for remote code execution, and that was patched in mid-January this year. However, since mid-June this year, crooks started scanning for vulnerable instances, dropping the XMRig miner where possible. XMRig is the most popular cryptominer out there, generating the Monero (XMR) cryptocurrency. Monero is described as a privacy coin, as it is virtually untraceable.
“The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs,” Trend Micro researcher Abdelrahman Esmail said.
The part about “killing competing crypto mining processes” is particularly interesting. The researcher said that there are at least three different actors struggling to maintain control over these endpoints. Once they compromise the device, they will use a shell script to terminate previous miners, delete all existing cron jobs, uninstall cloud security tools, and gather system information. After that, they will set up a channel with the C2 server, and launch a new miner.
“With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide,” the researcher added. “To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.”
Via The Hacker News