Trend Micro researchers warn of an ongoing crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability.
The now-patched critical security flaw was disclosed by Atlassian in early June, at the time the company warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions that is being actively exploited in attacks in the wild.
“We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining.” reads the post published by Trend Micro. “If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware.”
The last stage of the attack chain consists in downloading the hezb malware and kills processes that are associated with other competing coin miners.
The shell script also disables cloud service provider agents from Alibaba and Tencent, then performs lateral movement via SSH.
Threat actors were also spotted deploying additional malicious payloads, including Kinsing and the Dark.IoT malware.
