Atlassian Confluence hacked to mine Monero
Criminals are using the incident to further improve the security of its infrastructure
The Jenkins project discovered that last week one of its deprecated Confluence servers fell victim to the recently disclosed remote code execution (RCE) vulnerability.
Jenkins is a popular open source tool that helps automate parts of software development.
Recently a proof-of-concept exploit code for the Confluence vulnerability, tracked as CVE-2021-26084, became public, and it didn’t take long for threat actors to begin scanning and exploiting vulnerable instances of the popular collaboration platform, for nefarious purposes like installing cryptominers.
- These are the best endpoint protection tools
- Check our list of the best firewall apps and services
- Here's our choice of the best malware removal software on the market
“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure,” members from the Jenkins project shared via a joint blog post.
Assuming the worst
For its part, Atlassian was quick to issue a patch to plug the security gaffe, but that didn’t dissuade the attackers.
In fact, the scanning and exploitation reached such levels that various cybersecurity agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the US Cyber Command (USCYBERCOM) issued advisories urging admins to patch their vulnerable servers without delay.
The compromised Confluence server at Jenkins had been deprecated since 2019, and the project’s infrastructure team had been migrating its content over to GitHub.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While the server has now been permanently disabled, the project shared that since the Confluence server was integrated with their identity management system, which also powers other services such as Jira, Artifactory, and several others, it’s conducting a thorough investigation.
At the moment it doesn’t appear any developer credentials were exfiltrated during the attack, but since Jenkins “cannot assert otherwise,” the project is assuming the worst and has reset passwords for all accounts in their integrated identity system.
“We are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community,” shares the project.
- Protect your devices with these best antivirus software
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.