Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Major Atlassian flaw hacks systems for crypto mining

Crypto mining.

Atlassian Confluence Data Center and Confluence Server used to carry a maximum severity vulnerability that allowed threat actors to remotely run any malicious code.

Despite the fix being available for months now, there are many unprotected endpoints out there.

As a result, hackers have been observed installing cryptocurrency miners on these devices, raking up huge electricity bills to the victims, as well as rendering their devices practically unusable.

Fighting for control

This is according to a new report from cybersecurity researchers Trend Micro. Published earlier this week, the report argues that crooks are competing with one another, deleting and installing cryptominers regularly.

The vulnerability is tracked as CVE-2023-22527. It is a critical, 10/10 severity flaw that allows for remote code execution, and that was patched in mid-January this year. However, since mid-June this year, crooks started scanning for vulnerable instances, dropping the XMRig miner where possible. XMRig is the most popular cryptominer out there, generating the Monero (XMR) cryptocurrency. Monero is described as a privacy coin, as it is virtually untraceable.

"The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs," Trend Micro researcher Abdelrahman Esmail said.

The part about “killing competing crypto mining processes” is particularly interesting. The researcher said that there are at least three different actors struggling to maintain control over these endpoints. Once they compromise the device, they will use a shell script to terminate previous miners, delete all existing cron jobs, uninstall cloud security tools, and gather system information. After that, they will set up a channel with the C2 server, and launch a new miner.

"With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide," the researcher added. "To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible."

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.