The newly disclosed remote code execution weakness in Atlassian Confluence servers has been used by a crypto mining hacker organization to install miners on susceptible sites. The CVE-2022-26134 vulnerability was found as an actively exploited zero-day towards the end of May, and the vendor issued a remedy on June 3, 2022.
In the days that followed, a slew of proof-of-concept exploits was revealed, allowing a wider range of hostile actors a simple way to take advantage of the issue.
A crypto mining gang known as the “8220 gangs” took advantage of this offering, according to Check Point, by doing bulk net scans to discover unprotected Windows and Linux endpoints on which to plant miners.
Miners are special-purpose programs that mine cryptocurrency like Monero for the threat actor using the host’s available computational capabilities. Reduced server performance, increased hardware wear, increased operating costs, and even business disruption are all direct consequences of this action. These actors can also improve their attack at any time and dump more potent payloads because they have access to the system. The attack starts with a specially crafted HTTP request that exploits CVE-2022-26134 and dumps a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable, a Linux malware dropper script, and a Windows child process spawner.
The miner will deplete all system resources in both circumstances, therefore the “8220 gang” is aiming for maximum profit until their malware is uprooted, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity.
Finally, the Linux script looks for SSH keys on the server in an attempt to propagate to other devices on the network that has been infiltrated.
Other threat actors include installing web shells, creating new admin accounts, executing commands, and even seizing entire control of the server while the “8220 gang” attacks CVE-2022-26134 for crypto mining.
According to Greynoise statistics, exploitation efforts peaked on June 6, 2022, but malicious attempts are still being detected at a significant rate today.
Linux botnets like Kinsing, Hezb, and Dark.IoT are also taking use of the flaw to install backdoors and crypto miners.
The only way to mitigate the serious weakness, according to Atlassian, is to install the security updates, which are now available for versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.
