Opportunistic threat actors have been observed actively exploiting a previously disclosed critical vulnerability in Atlassian Confluence deployments on Windows and Linux to deploy web shells, which in turn led to the execution of cryptocurrency miners on vulnerable systems.
The vulnerability, tracked as CVE-2021-26084 (CVSS score: 9.8), is an OGNL (Object-Graph Navigation Language) injection bug that can be exploited to gain arbitrary code execution on a Confluence Server or Data Center instance.
“A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a susceptible server,” Trend Micro researchers wrote in a technical write-up describing the flaw. “Successful exploitation may result in arbitrary code execution in the affected server’s security context.”
The flaw, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from insufficient validation of user-supplied input, which allows the parser to evaluate attacker-controlled OGNL expressions embedded in request parameters.
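Since the flaw is reached through a crafted request parameter, one practical detection step for defenders is to scan web access logs for request targets that, after URL decoding, contain OGNL expression syntax. The script below is an added example written for this article, not code from Atlassian, Trend Micro, or Imperva; the log lines, endpoint paths, and parameter names in it are constructed, and the indicator patterns are a heuristic assumption rather than a vendor signature.

```python
"""Flag Confluence access-log requests whose decoded target carries OGNL syntax.

Added example (not from the article or the vendors it cites). The sample log
lines, paths and parameter names below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Heuristic OGNL injection indicators (assumption: a crafted parameter will
# carry expression openers or static-member references like these).
OGNL_PATTERNS = [
    re.compile(r"\$\{"),                 # ${ ... } expression opener
    re.compile(r"#\{"),                  # #{ ... } expression opener
    re.compile(r"@[A-Za-z_][\w.]*@"),    # @pkg.Class@ static reference
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_target(target: str) -> str:
    """URL-decode up to three times (handles double encoding) and unescape
    Java-style \\uXXXX sequences so smuggled quotes and braces become visible."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), cur)


def inspect_line(line: str):
    """Return (ip, decoded_target, pattern) if the request looks like OGNL
    injection, otherwise None. Unparseable lines are ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    for pat in OGNL_PATTERNS:
        if pat.search(decoded):
            return m.group("ip"), decoded, pat.pattern
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (inspect_line(l) for l in lines) if hit]


# Constructed sample log (NOT real traffic): one benign request, one plain
# encoded expression, one double-encoded expression, one \u0027-smuggled brace.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2021:10:00:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Sep/2021:10:00:02 +0000] "GET /some.action?q=%24%7B1%2B1%7D HTTP/1.1" 200 312',
    '192.0.2.9 - - [01/Sep/2021:10:00:03 +0000] "GET /some.action?q=%2524%257B7%252A7%257D HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Sep/2021:10:00:04 +0000] "POST /other.action?q=%5Cu0027%2B%23%7B1%7D HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for ip, target, pattern in scan(SAMPLE_LOG):
        print(f"{ip}\t{pattern}\t{target}")
```

The decode step matters more than the pattern list: exploitation attempts for this class of bug routinely hide the expression delimiters behind URL encoding or Java `\uXXXX` escapes, so a detector that matches only on the raw request line will miss them. In production, feed the function real access-log lines and treat a hit as a trigger to check the host for web shells and unexpected miner processes.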
The in-the-wild assaults came after the United States Cyber Command issued a warning about mass exploitation attempts following the public revelation of the vulnerability in late August of this year.
In one such attack, Trend Micro observed z0Miner, a trojan and cryptojacker, updated to exploit the remote code execution (RCE) issue to spread next-stage payloads that serve as a conduit for maintaining persistence and running cryptocurrency mining software on the compromised devices. Imperva confirmed the findings in an independent analysis, identifying similar intrusion attempts aimed at executing the XMRig cryptocurrency miner and other post-exploitation scripts.
Muhstik, a China-linked botnet notorious since at least 2018 for its worm-like ability to self-propagate across Linux servers and IoT devices, was also spotted exploiting the flaw by Imperva, Juniper, and Lacework.
Furthermore, Palo Alto Networks' Unit 42 threat intelligence team stated that it detected and blocked attacks that attempted to upload the customer's password files, download malware-laced scripts that dropped a miner, and even open an interactive reverse shell on the system.
“As is frequently the case with RCE vulnerabilities, attackers will hurry to exploit compromised systems for their own gain,” Imperva researchers stated. “RCE vulnerabilities allow threat actors to quickly exploit susceptible computers for simple monetary gain by installing cryptocurrency miners and disguising their activities, thereby abusing the target’s processing resources.”