Atlassian Confluence RCE bug exploited for Crypto mining

Recently disclosed RCE exploit in Atlassian Confluence servers has been used by a crypto mining hacker organization to install miners on susceptible sites. The CVE-2022-26134 vulnerability was found as an actively exploited zero-day towards the end of May, and the vendor issued a remedy on June 3, 2022.

A crypto mining gang named 8220 gangs took advantage of the bug, by conducting bulk internet scans to discover unprotected Windows and Linux endpoints for installing the mines.

The attack starts with a specially crafted HTTP request that exploits CVE-2022-26134 and dumps a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable, a Linux malware dropper script, and a Windows child process spawner.

The miner will deplete all system resources in both circumstances, therefore the “8220 gang” is aiming for maximum profit until their malware is uprooted, rather than silently mining on infected servers, and attempting to remain undiscovered by using only a portion of the available processing capacity.

Finally, the Linux script looks for SSH keys on the server to propagate to other devices on the network that has been infiltrated.

Other threat actors include installing web shells, creating new admin accounts, executing commands, and even seizing entire control of the server while the “8220 gang” attacks CVE-2022-26134 for crypto mining.

Linux botnets like Kinsing, Hezb, and Dark.IoT are also taking use of the flaw to install backdoors and crypto miners. The only way to mitigate the serious weakness, according to Atlassian, is to install the security updates, which are now available for versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.