- Trend Micro found exploit samples abusing the Atlassian Confluence vulnerability in the wild for malicious cryptocurrency mining.
- Attackers can exploit the vulnerability by sending a specially crafted HTTP request which contains an Object-Graph Navigation Language expression.
- The unauthenticated remote code execution vulnerability in the collaboration tool Atlassian Confluence has a critical rating of 9.8.
Trend Micro announced that a critical vulnerability affecting Atlassian Confluence is still being exploited in the wild for malicious cryptocurrency mining. The vulnerability, tracked as CVE-2022-26134, has a rating of 9.8. The company released a security advisory to help users with the mitigation for all affected products.
Malicious cryptocurrency mining
When successfully exploited, the vulnerability can be used for complete domain takeover of the infrastructure and for the deployment of information stealers, remote access trojans, and ransomware. Attackers exploit it by sending a specially crafted HTTP request that contains an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI), which results in remote code execution.
Attackers can also check whether an installed Confluence Server is vulnerable by sending an HTTP request that runs the id command; the command's output is returned in an attacker-controlled HTTP response header.
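Because the exploitation path described above places an OGNL expression inside the request URI, the request leaves a recognisable trace in ordinary web-server access logs. The following detector is an added example written for this page, not code from Trend Micro or Atlassian: it parses combined-format access-log lines (the sample lines are constructed for the example), URL-decodes the URI repeatedly so that double-encoded requests do not slip past, and flags URIs containing OGNL markers such as the `${` expression delimiter. It is a triage aid for defenders reviewing logs, not a confirmation that a server is vulnerable.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for this example.
# Line 2 carries a URL-encoded "${7*7}" in the path; line 3 carries the same
# expression double-encoded; the others are ordinary Confluence traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2022:12:00:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2022:12:00:02 +0000] "GET /%24%7B7%2A7%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.12 - - [10/Jun/2022:12:00:03 +0000] "GET /%2524%257B7%252A7%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
203.0.113.13 - - [10/Jun/2022:12:00:04 +0000] "GET /search?q=user%40example.com HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers of an OGNL expression appearing where only a URI path should be:
# the "${" delimiter, an OGNL variable assignment ("#name="), or a static
# member reference ("@class@member").
OGNL_MARKERS = re.compile(r"\$\{|#\w+\s*=|@[\w.]+@")


def decode_uri(uri: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (up to `rounds` times) so double-encoded
    payloads are inspected in their final decoded form."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_suspicious(uri: str) -> bool:
    """True when the fully decoded URI contains an OGNL marker."""
    return OGNL_MARKERS.search(decode_uri(uri)) is not None


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> list:
    """Return the parsed records whose request URI looks like an OGNL injection attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["uri"]):
            rec["decoded_uri"] = decode_uri(rec["uri"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["method"]} {hit["decoded_uri"]} -> {hit["status"]}')
```

The single `@` in the e-mail address on the last sample line does not match, because the static-member marker requires the `@class@member` form; that keeps ordinary query strings out of the hit list while still catching the encoded and double-encoded expressions.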
Trend Micro announced that they have observed various organizations being targeted by attacks. Confluence’s website states that there are more than 75,000 customers using the collaboration tool for their business and work operations. Organizations that haven’t installed the patch or upgraded their respective subscriptions to a fixed version are urged to take action as soon as possible. Trend Micro said,
"Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible since it is fairly simple to exploit it for other subsequent compromises. Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself. Aside from the hezb malware, we observed Kinsing and the Dark.IoT malware from our honeypot abusing this vulnerability. Reports of cybercriminals exploiting this gap in attempts to deploy malware such as Mirai and web shells such as China Chopper have also emerged, with analyses detailing the abuse of vulnerable servers to spread and expand attacks."