Threat actors exploit recently disclosed Atlassian Confluence flaw in cryptomining campaign

Pierluigi Paganini June 10, 2022

Threat actors are exploiting the recently disclosed CVE-2022-26134 RCE in Atlassian Confluence servers to deploy cryptocurrency miners.

CheckPoint researchers have observed threat actors exploiting the recently disclosed CVE-2022-26134 remote code execution vulnerability in Atlassian Confluence servers to deploy cryptocurrency miners.

Last week, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company.

The issue was reported by security firm Volexity, CVE-2022-26134, and in the same week of its disclosure, Atlassian addressed the flaw in Confluence Server and Data Center products.

Multiple Proof-of-concept (PoC) exploits for the CVE-2022-26134 flaw have been released online.

Check Point Research (CPR) researchers observed a lot of exploitation attempts after the disclosure of the RCE, some of the malicious payloads employed in the attacks were used as part of the same campaign conducted by the same threat actor tracked by the security firm as 8220 gang.

The attacks were aimed at both Linux and Windows operating systems using different infection chains.

In attacks against Linux systems, the attackers exploited the flaw by sending a crafted HTTP request to the victim:

Atlassian attack Linux

In attacks against Windows systems, the threat actors exploited the flaw to execute a PowerShell download cradle to initiate a fileless attack from a remote C&C server.

Atlassian attack Win

In the Linux attack chain, the payload fetches a malware dropper script and achieves persistence via cron jobs. In the Windows attack chain, the checkit2.exe process spawns a child process (InstallUtil.exe) which connects to the C2 server.

Atlassian attack both

In an attempt to spread to other machines, the Linux script searches for ssh keys and attempts to establish a connection. Then the downloads the xms file from the C2 server and executes it.

“Both attack scenarios start with an initial crafted HTTP request exploiting the CVE-2022-26134 vulnerability. The attacker executes commands using the Java execution function to download a malicious payload to the victim’s machine.” reads the report published by Check Point, “The malicious payload then downloads an executable file according to the affected OS. Both executables run a crypto miner to utilize the victim’s resources for their own benefit.”

Check Point also shared Indicators of Compromise for these attacks.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian Confluence)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment