Hackers exploit recently patched Confluence bug for cryptomining (Security News, June 2022)
A cryptomining hacking group has been observed exploiting the recently disclosed remote code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers.
Various proof of concept exploits were released in the days that followed, giving a broader base of malicious actors an easy way to exploit the flaw for their purposes.
One of the threat actors who took advantage of this offering is a cryptomining group called the "8220 gang," which, according to Check Point, performs mass network scans to find vulnerable Windows and Linux endpoints on which to plant miners.
Miners are special-purpose programs that use the host's available computational resources to mine cryptocurrencies like Monero for the threat actor.
The attack begins the same way on both Linux and Windows systems: a specially crafted HTTP request exploits CVE-2022-26134 and drops a base64-encoded payload. That payload then fetches an executable: a malware dropper script on Linux, or a child-process spawner on Windows.
While the "8220 gang" exploits CVE-2022-26134 for cryptomining, other threat actors are installing web shells, creating new admin accounts, executing commands, and even taking complete control of the server.
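The first stage described above, a crafted HTTP request carrying an OGNL expression in the URI, is visible in the Confluence access log. The following triage script is an added example for this page, not code from the article or from Check Point: it walks Tomcat/Confluence-style access log lines (constructed sample data), URL-decodes each request URI twice so double-encoded requests are not missed, and flags requests whose path contains an Expression Language marker (`${`) or a long, validly padded base64 token of the kind the article's payload stage uses. The log format, field names and sample addresses are assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Constructed Confluence/Tomcat-style access log lines (sample data, not from the article).
# Line 2 carries a URL-encoded expression "${7*7}" in the request path, the documented
# indicator for CVE-2022-26134; line 3 carries a long base64 blob as a query value.
_B64_BLOB = base64.b64encode(b"constructed sample payload for the example").decode()
SAMPLE_LOG = (
    '10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 4312\n'
    '10.0.0.7 - - [03/Jun/2022:10:02:45 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0\n'
    f'10.0.0.8 - - [03/Jun/2022:10:02:50 +0000] "GET /index.action?d={_B64_BLOB} HTTP/1.1" 200 12\n'
    '10.0.0.9 - - [03/Jun/2022:10:03:01 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 9876\n'
)

# Common-log-format fields we need: client IP, timestamp, method, URI, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# A run of 40+ base64 alphabet characters with optional padding.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')


def decode_uri(uri: str) -> str:
    """URL-decode twice so double-encoded expressions are visible as well."""
    return unquote(unquote(uri))


def looks_like_base64(token: str) -> bool:
    """True only if the token is length-aligned and decodes under strict validation."""
    if len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def find_ognl_indicators(log_text: str) -> list[dict]:
    """Return one dict per suspicious request, with the reasons it was flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        uri = decode_uri(m.group("uri"))
        reasons = []
        if "${" in uri:
            reasons.append("ognl-expression-in-uri")
        for tok in B64_RE.findall(uri):
            if looks_like_base64(tok):
                reasons.append("base64-blob-in-uri")
                break
        if reasons:
            hits.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "uri": uri,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_indicators(SAMPLE_LOG):
        print(hit["client"], hit["ts"], hit["status"], hit["reasons"], hit["uri"])
```

The status code is kept in each hit on purpose: a 302 on a path that should not exist is the shape of response the public exploit write-ups describe, so a responder sorting hits by status gets the likely successful requests first. Long base64 tokens also occur in legitimate traffic (session or state parameters), so treat that reason as a weaker signal than the expression marker and tune the length threshold to the instance.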
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-03 | CVE-2022-26134 | Expression Language Injection vulnerability in Atlassian Confluence Data Center and Confluence Server. In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. | 9.8 |