Atlassian Confluence Bug Actively Exploited to Drop Cryptominers

After a public vulnerability was disclosed in Atlassian’s Confluence app, hackers started searching for ways to exploit it to install crypto miners.

Atlassian Confluence is a popular web-based collaboration platform that allows employees to work seamlessly on projects.

On August 25, Atlassian released a security advisory for a remote code execution vulnerability (CVE-2021-26084) in the Confluence platform allowing an attacker to execute commands remotely.

“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance,” explains Atlassian’s advisory. “All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.”

These patches were released in the Long Term Support release. Atlassian recommends that users upgrade to the latest versions of the software.

Six days after Atlassian released an advisory about the vulnerability in its product, researchers published a technical report about the issue and a PoC. The PHP PoC exploit can be used to execute commands on a targeted server, drop other malware, such as web shells, or launch a program on the exploited server.

Soon after the article on PoC was published, companies started reporting that attackers were actively scanning and abusing the vulnerable Confluence servers.

Tiago Henriques, Director of Engineering at Coalition, detected penetration testers trying to find vulnerable Confluence servers.

Whereas, cybersecurity company Bad Packets detected more sophisticated threats carried out by individuals from different countries who tried to run Linux shell scripts and PowerShell scripts. Some attackers were trying to install cryptominers on flawed servers.

Other attackers used an active exploit to download the Kinsing malware on Linux servers to install coin miners.

While the current attacks are mainly for mining cryptocurrency, attackers can use it for more advanced attacks. These attacks could include the spread of arbitrary code, as well as the infiltration of a network.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.