Hackers are exploiting misconfigured servers running Docker, Confluence, and other services to drop cryptocurrency miners.
Researchers at Cado Security Labs recently examined one such malware campaign and noted that the threat actors use multiple “unique and unreported payloads,” including four Golang binaries, to automatically discover Apache Hadoop YARN, Docker, Confluence and Redis hosts, among them Confluence servers vulnerable to CVE-2022-26134, an unauthenticated OGNL injection vulnerability that allows remote code execution.
This flaw was first discovered two years ago, when threat actors attacked Confluence servers (typically running as the Confluence user on Linux installations). At the time, researchers said Confluence servers exposed to the Internet were at “very high risk” and urged IT teams to apply the patch immediately. It seems that even now, two years later, not all users have installed the available fixes.
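The injection described above arrives in the request path as an OGNL expression, so the access log is the place a defender can spot attempts against unpatched instances. The following script is an added example, not part of the Cado write-up or any vendor tooling: it parses constructed Confluence access-log lines in the usual Tomcat combined format, URL-decodes the request path (twice, to catch double encoding), and flags any path containing a `${...}` expression. The log lines, IP addresses and the harmless `${1+1}` probe expression are all constructed for the example; the log format and the `${` indicator are assumptions drawn from public detection guidance for this CVE.

```python
"""
Flag CVE-2022-26134-style OGNL expressions in Confluence access logs.
Added example with constructed sample data; adjust REQUEST_RE if your
log format differs from the Tomcat combined format assumed here.
"""
import re
from urllib.parse import unquote

# Constructed sample lines. The second carries a URL-encoded "${...}"
# expression in the path (the shape of an injection probe); the third is
# a benign request that merely contains a literal "$" and must not match.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2022:10:14:02 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.25 - - [02/Jun/2022:10:14:09 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0
203.0.113.30 - - [02/Jun/2022:10:15:11 +0000] "GET /display/DOC/Price+$10 HTTP/1.1" 200 4410
"""

# Assumed Tomcat/Confluence combined log layout: client ip, ident, user,
# [timestamp], "METHOD path PROTOCOL", status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# An OGNL expression embedded in a URL path: "${" ... "}".
OGNL_RE = re.compile(r'\$\{.*\}')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode twice: a double-encoded "%2524%257B" would survive a single
    # decode and slip past a naive string match.
    entry["decoded_path"] = unquote(unquote(entry["path"]))
    return entry


def is_ognl_probe(entry):
    """True when the decoded request path carries a ${...} expression."""
    return bool(OGNL_RE.search(entry["decoded_path"]))


def find_suspicious(log_text):
    """Return (ip, timestamp, decoded_path, status) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_ognl_probe(entry):
            hits.append((entry["ip"], entry["ts"],
                         entry["decoded_path"], entry["status"]))
    return hits


if __name__ == "__main__":
    for ip, ts, path, status in find_suspicious(SAMPLE_LOG):
        print(f"[{ts}] {ip} requested {path} (HTTP {status})")
```

Run over a real log, a hit with a 302 or 200 status should be treated as a possible successful exploitation and the host checked for the follow-on activity the article describes (miner processes, reverse shells, new persistence), not just for the probe itself.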
Unidentified threat
The tools are also designed to exploit the flaw and drop a cryptocurrency miner, spawn a reverse shell, and maintain persistent access to compromised hosts.
Cryptocurrency miners are popular with cybercriminals as they take advantage of a server's high computing power to generate nearly untraceable profits.
One of the most popular cryptominers is XMRig, a small program that mines the Monero coin. On the victim's side, however, not only are their servers rendered unusable, but the miners also drive up the electricity bill quickly.
For now, Cado cannot attribute the campaign to any specific threat actor, saying it would need the help of authorities to do so: “As always, it is worth emphasizing that without the capabilities of governments or law enforcement agencies, attribution is almost impossible, particularly when it comes to shell script payloads,” the company said.
Still, it added that the shell script payloads are similar to those seen in attacks carried out by TeamTNT and WatchDog.