Cyber security experts stated that Atlassian Confluence's critical remote code execution vulnerability is being targeted by several botnets. The vulnerability, tracked as CVE-2022-26134, allows attackers to create admin accounts, execute commands, and take over the server remotely. Botnets are infecting Linux servers that still run unpatched Atlassian Confluence Server and Data Center.
Cryptomining malware
Cybersecurity firm GreyNoise announced that it detected a drastic increase in exploitation attempts after proof-of-concept exploits were published publicly. The company said it pinpointed 23 IP addresses attempting to exploit over 200 targets.
Widespread Atlassian Confluence CVE-2022-26134 exploitation, specifically that is *confirmed functional*, has just started. 23 unique IPs so far.
- Tags available to all @GreyNoiseIO users now
- Create an account to deploy a dynamic block list to block it https://t.co/dbXTw2LWY6
— Andrew Morris @ RSA (@Andrew___Morris) June 4, 2022
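The GreyNoise numbers above (unique source IPs, a block list built from them) come from fleet-wide sensors, but a defender can get the same view for a single Confluence host from its own access log. The following script is an added example, not code from the article, GreyNoise or Atlassian: it parses combined-format web server log lines, flags requests whose decoded path carries the `${` injection marker that Atlassian's public advisory for CVE-2022-26134 tells administrators to search for (an assumption about the indicator, not something the article states), counts attempts per source IP, and renders a one-host-per-line block list. The log lines and IP addresses are constructed for the example; `EXPR` stands in for whatever a real probe would put between the braces.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Constructed sample log lines in Apache/Nginx "combined" format. The IPs are
# documentation-range placeholders and the paths are synthetic; "EXPR" stands
# in for the expression a real probe would carry. One line is deliberately
# malformed to show that unparseable input is counted rather than crashing.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2022:10:01:12 +0000] "GET /%24%7BEXPR%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.44 - - [04/Jun/2022:10:01:30 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2022:10:02:05 +0000] "GET /%2524%257BEXPR%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
192.0.2.44 - - [04/Jun/2022:10:02:40 +0000] "GET /pages/viewpage.action?title=Q%24A HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Jun/2022:10:03:01 +0000] "GET /%24%7BEXPR%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
this line is not in combined log format
192.0.2.5 - - [04/Jun/2022:10:04:15 +0000] "POST /${EXPR}/ HTTP/1.1" 302 0 "-" "Go-http-client/1.1"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicator assumed from Atlassian's public advisory for CVE-2022-26134: the
# injected expression travels in the request path as "${...}".
OGNL_MARKER = "${"


def is_exploit_attempt(path: str) -> bool:
    """True if the request path carries the ${...} marker after URL decoding.

    Decoding twice catches probes that double-encode the braces (%2524%257B)
    to slip past naive filters that decode only once.
    """
    decoded = unquote(unquote(path))
    return OGNL_MARKER in decoded


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str):
    """Summarise exploit attempts per source IP.

    Returns (attackers, unparsed) where attackers maps each offending IP, in
    first-seen order, to its attempt count, first/last timestamps and the set
    of user agents it used, and unparsed is the number of lines that did not
    match the log format.
    """
    attackers = OrderedDict()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_exploit_attempt(rec["path"]):
            continue
        entry = attackers.setdefault(
            rec["ip"], {"count": 0, "first_seen": rec["time"], "agents": set()}
        )
        entry["count"] += 1
        entry["last_seen"] = rec["time"]
        entry["agents"].add(rec["ua"])
    return attackers, unparsed


def block_list(attackers) -> list:
    """Render offending hosts as /32 entries, one per line, for a firewall or WAF list."""
    return [f"{ip}/32" for ip in attackers]


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"{ip}: {info['count']} attempt(s), first {info['first_seen']}, "
              f"last {info['last_seen']}, agents={sorted(info['agents'])}")
    print(f"{bad} unparseable line(s)")
    print("\n".join(block_list(found)))
```

On the constructed input the script reports three offending hosts (one of them seen twice, one using double encoding) and leaves the benign `Q%24A` request alone, since a lone `$` without a following `{` is not the marker. A block list built this way is only a stop-gap: patching Confluence is the fix, and a source IP that rotates will not stay on the list.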
Lacework Labs also stated that it has detected three botnets, named Kinsing, Hezb, and Dark.IoT, targeting the vulnerability. Kinsing is known for attempting to install cryptomining malware through another critical Atlassian Confluence vulnerability. Hezb has also deployed Linux-compatible Cobalt Strike beacons and XMRig miners on vulnerable servers. Dark.IoT is known for cryptominer payloads targeting Microsoft Azure VMs and for exploiting devices running the Realtek SDK. Lacework Labs said:
"Exploits involving Confluence are always popular among various threats including those targeting cloud. While Lacework Labs observed a lot of activity relative to other exploits, there is still low exposure compared to the more impactful 'coffee break' vulnerabilities such as those involving Log4j or Apache."