Recently, opportunistic threat actors were found actively exploiting a newly reported severe security issue in Atlassian Confluence installations on Windows and Linux. Attackers installed web shells that facilitated the deployment of crypto miners on hacked computers.
Atlassian Confluence is a popular collaboration platform written in Java.
This vulnerability is tracked as CVE-2021-26084 and has a CVSS score of 9.8. It is an OGNL (Object-Graph Navigation Language) injection bug that may be used to execute arbitrary code on a Confluence Server or Data Center instance. Atlassian patched this vulnerability on August 25, 2021.
The researchers at Trend Micro said that a remote attacker could take advantage of this flaw by submitting a specially crafted HTTP request with a malicious parameter to a susceptible server.
The flaw, which affects Atlassian Confluence Server and Data Center’s Webwork module, originates from a lack of validation of user-supplied input, allowing the parser to evaluate rogue instructions inserted into OGNL expressions.
“An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. By including the “\u0027” character in user input, an attacker can escape the string literal and append an arbitrary OGNL expression,” Trend Micro explained.
Trend Micro observed in one of the attacks that z0Miner, a cryptojacker and trojan, was modified to use the remote code execution (RCE) weakness to distribute next-stage payloads that function as a route for maintaining persistence and deploying bitcoin mining software on the computers.
Other independent evaluations by Imperva confirmed the results, revealing similar infiltration attempts intended to execute the XMRig bitcoin miner and other post-exploitation scripts.
Furthermore, Palo Alto Networks’ Unit 42 threat intelligence team claimed it discovered and stopped attacks aimed at downloading malware-laced scripts that dropped a miner and even opened an interactive reverse shell on the system.
In cases related to RCE vulnerabilities, attackers usually hurry to exploit vulnerable systems for their advantage. By installing bitcoin miners and concealing their activities, threat actors can simply attack RCE vulnerabilities to achieve quick monetary gains.