A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.
“If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware,” Trend Micro threat researcher Sunil Bharti said in a report.
The issue, tracked as CVE-2022-26134 (CVSS score: 9.8), was addressed by the Australian software company in June 2022.
In one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script (“ro.sh”) on the victim’s machine, which, in turn, fetched a second shell script (“ap.sh”).
The malicious code is designed to update the PATH variable to include additional paths such as “/tmp”, download the cURL utility (if not already present) from a remote server, disable iptables firewall, abuse the PwnKit flaw (CVE-2021-4034) to gain root privileges, and ultimately deploy the hezb crypto miner.
images from Hacker News