Major Atlassian flaw hacks systems for crypto mining
Multiple groups are competing for control over vulnerable endpoints
Atlassian Confluence Data Center and Confluence Server used to carry a maximum severity vulnerability that allowed threat actors to remotely run any malicious code.
Despite the fix being available for months now, there are many unprotected endpoints out there.
As a result, hackers have been observed installing cryptocurrency miners on these devices, raking up huge electricity bills to the victims, as well as rendering their devices practically unusable.
Fighting for control
This is according to a new report from cybersecurity researchers Trend Micro. Published earlier this week, the report argues that crooks are competing with one another, deleting and installing cryptominers regularly.
The vulnerability is tracked as CVE-2023-22527. It is a critical, 10/10 severity flaw that allows for remote code execution, and that was patched in mid-January this year. However, since mid-June this year, crooks started scanning for vulnerable instances, dropping the XMRig miner where possible. XMRig is the most popular cryptominer out there, generating the Monero (XMR) cryptocurrency. Monero is described as a privacy coin, as it is virtually untraceable.
"The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs," Trend Micro researcher Abdelrahman Esmail said.
The part about “killing competing crypto mining processes” is particularly interesting. The researcher said that there are at least three different actors struggling to maintain control over these endpoints. Once they compromise the device, they will use a shell script to terminate previous miners, delete all existing cron jobs, uninstall cloud security tools, and gather system information. After that, they will set up a channel with the C2 server, and launch a new miner.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
"With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide," the researcher added. "To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible."
Via The Hacker News
More from TechRadar Pro
- Atlassian Confluence hacked to mine Monero
- Here's a list of the best firewall software around today
- These are the best malware removal tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.