Pierluigi Paganini August 30, 2024

Threat actors are actively exploiting a critical flaw in the Atlassian Confluence Data Center and Confluence Server in cryptocurrency mining campaigns.

The critical vulnerability CVE-2023-22527  (CVSS score 10.0) in the Atlassian Confluence Data Center and Confluence Server is being actively exploited for cryptojacking campaigns.

The vulnerability is a template injection vulnerability that can allow remote attackers to execute arbitrary code on vulnerable Confluence installs.

The flaw affects Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3. Most recent supported versions of Confluence Data Center and Server are not affected by this issue.

“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action.” reads the advisory published by the vendor. “This RCE (Remote Code Execution) vulnerability affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 as well as 8.4.5 which no longer receives backported fixes in accordance with our Security Bug Fix Policy. Atlassian recommends patching to the latest version.”

The company addressed the vulnerability in January 2024 with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only).

Trend Micro researchers observed this vulnerability being actively exploited for cryptomining activities, with a surge in exploitation attempts from mid-June to the end of July 2024.

“The critical vulnerability CVE-2023-22527 is actively being exploited for cryptojacking activities, turning affected environments into cryptomining networks.” reads the report published by Trend Micro

“The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs.”

Trend Micro states that at least three different threat actors are exploiting the flaw in cryptomining campaigns. The first threat actor is using the XMRig miner to execute miner activity via an ELF file payload. A second threat actor used a shell script to execute cryptocurrency mining activities across all accessible endpoints in the customer environment using Secure Shell (SSH). The script used by the threat actor first terminates known cryptomining processes and those running from temporary directories. It then deletes all cron jobs and adds a new one to maintain command-and-control server connectivity. The script disables security services like Alibaba Cloud Shield and Tencent Cloud mirrors and collects IP addresses, users, and SSH keys to target other systems via SSH for cryptomining. The attacker uses multiple cron jobs to maintain persistence, downloads the XMRig miner, and ensures all security tools are disabled before beginning mining activities. In the last stage of the attack, threat actors clear logs and bash history to remove traces of their activities.

“With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide. To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.” concludes the report.

Organizations are urged to update their Confluence instances and implement security best practices to protect their systems.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Atlassian Confluence)