Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware

Exploits & Vulnerabilities

Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.

By: Sunil Bharti

September 21, 2022


We observed active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more damaging attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware. Users and organizations are advised to upgrade to the fixed versions, apply the available patches, or apply the temporary fixes as soon as possible to mitigate the risk of abuse.

Abusing the gap

Figure 1. Infection chain

The vulnerability can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI) to the victim server, resulting in an RCE.

To identify whether an installed Confluence Server is vulnerable, the attacker can send an HTTP request that runs the id command. Upon successful exploitation, the attacker can read the command's output in an attacker-controlled HTTP response header. In the sample we analyzed, the output of the id command was returned in an "X-Cmd-Response" header: the vulnerable server executes the command and places its output in the attacker-defined response header.

Figure 2. Attacker sends a malicious request to check for user information

Figure 3. The response to the attacker’s malicious request
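Because the exploit described above leaves two observable traces, an OGNL expression (`${...}`) inside the request URI and a response carrying an attacker-named header such as X-Cmd-Response, both can be hunted for in logs and proxy captures. The following Python script is an added example written for this article, not code from the original post or from Trend Micro; it assumes combined-format access logs from a reverse proxy in front of Confluence (an assumption) and uses constructed sample lines with a placeholder in place of any real OGNL payload. It URL-decodes each request path repeatedly so that double-encoded `%2524%257B` is caught as well as `%24%7B`, and it checks response headers case-insensitively.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for illustration only.
# The second line carries a placeholder OGNL-style path, not a real payload.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [21/Sep/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Sep/2022:10:01:07 +0000] "GET /%24%7Bexample-ognl-placeholder%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [21/Sep/2022:10:02:15 +0000] "GET /rest/api/content?spaceKey=DEV HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Sep/2022:10:03:40 +0000] "GET /%2524%257Bdouble-encoded-placeholder%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]

# Extracts the method and URI from the quoted request portion of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Header name that the analyzed sample used to return command output (from the article).
CMD_RESPONSE_HEADER = "x-cmd-response"


def decode_uri(uri: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, to defeat multi-level encoding."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_suspicious_uri(uri: str) -> bool:
    """A request path containing an OGNL expression opener '${' is a strong indicator
    of an attempt against CVE-2022-26134; legitimate Confluence paths never contain it."""
    return "${" in decode_uri(uri)


def scan_access_log(lines):
    """Return (client_ip, decoded_uri) for every request whose URI looks like OGNL injection."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed line; skip rather than crash the scan
        client_ip = line.split(" ", 1)[0]
        uri = match.group("uri")
        if is_suspicious_uri(uri):
            hits.append((client_ip, decode_uri(uri)))
    return hits


def has_cmd_response_header(headers: dict) -> bool:
    """True if a captured HTTP response carries the attacker-defined output header.
    Header names are compared case-insensitively, as HTTP allows any casing."""
    return any(name.lower() == CMD_RESPONSE_HEADER for name in headers)


if __name__ == "__main__":
    for ip, uri in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"suspicious request from {ip}: {uri}")
    # Constructed response headers; the value is a placeholder, not real command output.
    sample_headers = {"Content-Type": "text/html", "X-Cmd-Response": "placeholder-output"}
    print("command output header present:", has_cmd_response_header(sample_headers))
```

Run against real proxy logs, a hit from `scan_access_log` is worth correlating with outbound downloads of shell scripts from the Confluence host, which is the next step in the infection chain this article describes. The presence of the output header in a response is an even stronger signal, since it only appears when the injected command actually ran.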

Looking at the malware routine

Using Trend Micro Cloud One™ Workload Security modules to track the components and activities of the cryptocurrency malware used, we observed the following events and components:

  • Intrusion Prevention System (IPS): Aside from blocking the exploitation of CVE-2022-26134 and other application vulnerabilities, IPS also tracked the incoming event’s traffic and the payload’s data and trigger. In this sample, the attacker injected an OGNL expression to download and run the ro.sh script in the victim’s machine. This script file downloaded another script, ap.sh.

Figure 4. IPS event on attack traffic

Figure 5. Payload data captured
