Pierluigi Paganini September 30, 2021

Threat actors are actively exploiting the recently disclosed CVE-2021-26084 RCE vulnerability in Atlassian Confluence deployments.

Trend Micro researchers have spotted crypto-mining campaigns that are actively exploiting a recently disclosed critical remote code execution vulnerability in Atlassian Confluence deployments across Windows and Linux.

At the end of August, Atlassian released security patches to address the critical CVE-2021-26084 flaw that affects the Confluence enterprise collaboration product.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker to execute arbitrary code on affected Confluence Server and Data Center instances.

“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. ” reads the advisory published by the company.

The issue was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program, the vulnerability received a CVSS score of 9.8.

Affected versions are:

• version < 6.13.23
• 6.14.0 ≤ version < 7.4.11
• 7.5.0 ≤ version < 7.11.5
• 7.12.0 ≤ version < 7.12.5

An attacker could trigger the issue by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Threat actors started exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration product a few days after it was patched by the vendor. US Cyber Command (USCYBERCOM) also issued an alert to warn US organizations to address Atlassian Confluence CVE-2021-26084 vulnerability immediately.

Researchers from Threat intelligence firm Bad Packets also detected mass scanning and exploit activity targeting Atlassian Confluence servers vulnerable to the above RCE.

Now Trend Micro researchers shared technical details of the vulnerability and published a report for a crypto-currency mining campaign distributing z0Miner.

“Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of the Atlassian’s Confluence remote code execution (RCE) vulnerability assigned as CVE-2021-26084, which was disclosed by Atlassian in August.” states Trend Micro. “Given the increasing popularity of the cryptocurrency market, we expect malware authors behind trojans like z0Miner to constantly update the techniques and entry vectors they use to gain a foothold within a system.”

Once the vulnerability is successfully exploited, z0Miner deploys web shells that will download a series of malicious files.

The malware uses several mechanisms to evade detection and gain persistence of the infected systems. Trend Micro reported that the miner installs the file vmicvguestvs.dll disguising as a legitimate integration service called “Hyper-V Guest Integration”

Experts recommend regularly update the systems and applications with the latest patches to prevent such attacks.

Trend Micro published MITRE ATT&CK Tactics and Techniques and Indicators of Compromise for the z0Miner campaign exploiting the Atlassian Confluence flaw.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency mining)

[adrotate banner=”5″]

[adrotate banner=”13″]