After a vulnerability in Atlassian’s Confluence app was publicly disclosed, attackers began looking for ways to exploit it to install cryptocurrency miners.
Atlassian Confluence is a popular web-based collaboration platform that allows employees to work seamlessly on projects.
On August 25, Atlassian released a security advisory for a remote code execution vulnerability (CVE-2021-26084) in the Confluence platform that allows an attacker to run commands on the affected server.
“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance,” explains Atlassian’s advisory. “All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.”
The fixes were released in the Long Term Support release, and Atlassian recommends that users upgrade to the latest versions of the software.
Six days after Atlassian published its advisory, researchers released a technical report on the issue along with a proof-of-concept (PoC) exploit. The PHP PoC can be used to execute commands on a targeted server, drop additional malware such as web shells, or launch a program on the exploited server.
Soon after the PoC article was published, security companies began reporting that attackers were actively scanning for and exploiting vulnerable Confluence servers.
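Defenders triaging the scanning activity described above need a quick way to spot OGNL-style expressions in web-server request logs. The following Python script is an added example, not code from the article, from Atlassian, or from the companies named here: it parses access-log lines in combined log format, URL-decodes the request target (including double-encoded variants, which scanners commonly use to evade naive filters), and flags any target containing expression-language delimiters such as `${`, `%{`, `#{` or a `@java.` class reference. The log lines, the IP addresses, the `/example/endpoint.action` path and the `q` parameter are constructed placeholders for illustration and do not correspond to the affected Confluence endpoints.

```python
import re
import sys
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Expression-language delimiters and a Java class-reference prefix that have
# no business appearing in a decoded Confluence request target.
OGNL_MARKERS = re.compile(r"\$\{|%\{|#\{|@java\.", re.IGNORECASE)

# Constructed sample log lines (not a real capture). The path and the `q`
# parameter are placeholders, not the affected Confluence endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2021:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.10 - - [01/Sep/2021:10:00:02 +0000] "GET /pages/viewpage.action?pageId=12345 HTTP/1.1" 200 9921
198.51.100.7 - - [01/Sep/2021:10:00:03 +0000] "GET /example/endpoint.action?q=%24%7B7%2A7%7D HTTP/1.1" 200 4410
198.51.100.7 - - [01/Sep/2021:10:00:04 +0000] "POST /example/endpoint.action?q=%2524%257B7%252A7%257D HTTP/1.1" 200 4410
"""


def fully_decode(s, max_rounds=3):
    """URL-decode `s` repeatedly until it stops changing (bounded by max_rounds).

    Returns (decoded_string, number_of_rounds_that_changed_the_input), so a
    double-encoded payload reports 2 and a plain request reports 0.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def scan_log(text):
    """Return one dict per log line whose decoded request target carries an OGNL marker."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        decoded, rounds = fully_decode(m["target"])
        markers = OGNL_MARKERS.findall(decoded)
        if markers:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "decoded": decoded,
                "markers": markers,
                "decode_rounds": rounds,
            })
    return hits


if __name__ == "__main__":
    # Usage: python scan_ognl.py /path/to/access.log   (defaults to the sample)
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan_log(data):
        print(f"{hit['time']} {hit['ip']} {hit['method']} status={hit['status']} "
              f"rounds={hit['decode_rounds']} markers={hit['markers']} -> {hit['decoded']}")
```

Access logs only record the query string, so POST bodies are not covered; this is a triage aid for the mass scanning phase, not a substitute for patching. A successful request (status 200) from a source that also sent decoded `${...}` probes is the first thing to escalate.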
Tiago Henriques, Director of Engineering at Coalition, reported detecting penetration testers scanning for vulnerable Confluence servers.
Meanwhile, cybersecurity company Bad Packets detected more sophisticated attacks by individuals in several countries who attempted to run Linux shell scripts and PowerShell scripts; some of them were trying to install cryptominers on vulnerable servers.
Other attackers actively exploited the flaw to download the Kinsing malware onto Linux servers and install coin miners.
While the current attacks are mainly aimed at mining cryptocurrency, the vulnerability could be used for more advanced attacks, including spreading arbitrary code and infiltrating a network.
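The shell-script and cryptominer activity described above begins with the Confluence JVM spawning a shell or a download tool, something a web application almost never does legitimately. The following Python script is an added example, not from the article, from Atlassian, or from the companies it names: it parses `ps` output into a process tree and reports every shell, downloader or scripting interpreter running underneath the JVM of the Confluence service account. The `confluence` service user name, the constructed process list in `SAMPLE_PS`, and the `SUSPICIOUS_CHILDREN` set are assumptions for illustration and should be tuned to the host being checked.

```python
import subprocess
from collections import defaultdict

# Process names a web application's JVM has no reason to spawn in normal
# operation. This set is an assumption of the example; tune it per environment.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "perl", "python", "python3", "nc"}

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not a real capture).
# PID 812 is the service JVM; 2231/2240 model a shell-and-download chain under it.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  812     1 confluence java
  901   812 confluence java
 2231   812 confluence sh
 2240  2231 confluence curl
 2300     1 root     sshd
 2310  2300 root     bash
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm` output into {pid: (ppid, user, comm)}."""
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        pid, ppid, user, comm = parts
        procs[int(pid)] = (int(ppid), user, comm)
    return procs


def find_suspicious_descendants(procs, service_user="confluence", jvm_comm="java"):
    """Walk every top-level JVM owned by `service_user` and return
    (jvm_pid, pid, comm, chain) for each descendant named in SUSPICIOUS_CHILDREN.
    `chain` is the list of PIDs from the JVM down to the flagged process."""
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)

    findings = []
    for pid, (ppid, user, comm) in procs.items():
        if user != service_user or comm != jvm_comm:
            continue
        parent = procs.get(ppid)
        if parent and parent[1] == service_user and parent[2] == jvm_comm:
            continue  # nested JVM: it is covered by walking its ancestor
        stack = [(child, [pid]) for child in children[pid]]
        while stack:
            cur, chain = stack.pop()
            cur_comm = procs[cur][2]
            if cur_comm in SUSPICIOUS_CHILDREN:
                findings.append((pid, cur, cur_comm, chain + [cur]))
            stack.extend((child, chain + [cur]) for child in children[cur])
    return findings


def run_live_check(service_user="confluence"):
    """Run the check against the current host. `user:20` widens the column so
    long account names are not truncated by ps."""
    out = subprocess.run(["ps", "-eo", "pid,ppid,user:20,comm"],
                         capture_output=True, text=True, check=True).stdout
    return find_suspicious_descendants(parse_ps(out), service_user)


if __name__ == "__main__":
    for jvm, pid, comm, chain in run_live_check():
        print(f"JVM {jvm} has suspicious descendant {comm} (pid {pid}), chain {chain}")
```

A hit is not proof of compromise on its own (administrative scripts launched through the application can trigger it), but a `sh` or `curl` process under the application JVM on a server that has not been patched for CVE-2021-26084 warrants immediate investigation of that process's command line and network connections.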