Hackers are actively scanning for and exploiting a recently disclosed Atlassian Confluence remote code execution vulnerability to install cryptominers after a PoC exploit was publicly released.
Atlassian Confluence is a very popular web-based corporate team workspace that allows employees to collaborate on projects.
On August 25th, Atlassian issued a security advisory for a Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084, allowing an unauthenticated attacker to remotely execute commands on a vulnerable server.
“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance,” explains Atlassian’s CVE-2021-26084 advisory.
“All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.”
Atlassian has released patches for the vulnerability and recommends that customers upgrade to the Long Term Support release.
Confluence servers are actively exploited
Six days after Atlassian released the advisory, researchers published a technical writeup explaining the vulnerability, and a proof-of-concept exploit was publicly released.
This PHP PoC exploit is very easy to use and, if successful, will execute a command on the targeted server. For example, attackers could use these commands to download other software, such as webshells, or launch a program on the exploited server.
Soon after the article and PoC were published, cybersecurity firms began reporting that threat actors and security researchers were actively scanning for and exploiting vulnerable Confluence servers.
For example, Coalition Director of Engineering Tiago Henriques detected penetration testers searching for vulnerable Confluence servers, likely for bug bounties.
However, cybersecurity intelligence firm Bad Packets observed more nefarious activity, with threat actors from multiple countries exploiting servers to download and run PowerShell or Linux shell scripts.
From samples of the exploits posted by Bad Packets, BleepingComputer confirmed that the threat actors are attempting to install cryptominers on both Windows and Linux Confluence servers.
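With scanning for the OGNL injection under way, the first thing a defender wants is a quick triage of the access logs in front of Confluence. The script below is an added example written for this article, not code from BleepingComputer, Atlassian, Bad Packets or the researchers cited; the OGNL markers are generic OGNL-injection indicators rather than the exact CVE-2021-26084 signature, the `/example.action` path is a placeholder, and the log lines are constructed.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import unquote

# Generic OGNL-injection markers (assumption: common indicators, not the exact
# signature of CVE-2021-26084; tune them against your own Confluence logs).
OGNL_MARKERS = {
    "static-call": re.compile(r"@[\w.]+@\w+"),    # e.g. @java.lang.Runtime@getRuntime
    "unicode-quote": re.compile(r"\\u0027"),      # escaped quote used to break out of a string
    "runtime-exec": re.compile(r"getRuntime\(\)|ProcessBuilder", re.I),
}

# Common/combined access-log format as written by a reverse proxy in front of Confluence.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

Hit = namedtuple("Hit", "ip ts path status markers")

def scan(lines):
    """Return one Hit per request whose (double-decoded) URL carries OGNL markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        decoded = unquote(unquote(m["path"]))  # undo double URL-encoding used to slip past filters
        markers = [name for name, rx in OGNL_MARKERS.items() if rx.search(decoded)]
        if markers:
            hits.append(Hit(m["ip"], m["ts"], decoded, int(m["status"]), markers))
    return hits

def by_source(hits):
    """Count hits per source address to see who is scanning."""
    return dict(Counter(h.ip for h in hits))

# Constructed sample log: placeholder path /example.action and documentation IP ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2021:10:00:00 +0000] "GET /login.action HTTP/1.1" 200 4321',
    '203.0.113.7 - - [01/Sep/2021:10:00:05 +0000] "GET /example.action?q=%5Cu0027%2B%7B%40java.lang.Runtime%40getRuntime%28%29%7D HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Sep/2021:10:01:00 +0000] "POST /rest/api/content HTTP/1.1" 200 88',
    '203.0.113.7 - - [01/Sep/2021:10:01:09 +0000] "GET /example.action?q=%255Cu0027 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.ts, h.ip, h.status, h.markers, h.path)
    print(by_source(scan(SAMPLE_LOG)))  # {'203.0.113.7': 2}
```

A hit is a prompt to check the server's patch level and look for unexpected miner processes or outbound downloads, not proof of compromise on its own.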
For example, one attacker uses the following script to install the XMRig cryptocurrency miner to mine for Monero, as shown below.
Another active exploit shared with BleepingComputer attempts to download the Kinsing malware on Linux servers, also to install coinminers.
While the current attacks are being used merely to mine cryptocurrency, there is no reason threat actors cannot use the vulnerability for more advanced attacks, especially if the Confluence server is hosted on-premise.
These attacks could include spreading laterally through a network, ransomware attacks, and data exfiltration.
If your organization is running a Confluence server, it is strongly recommended to install the latest updates as soon as possible.