Monday, October 3, 2022
HomeCyber SecurityAtlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Different Malware

Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Different Malware


Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Different Malware

Exploits & Vulnerabilities

Customers are suggested to patch instantly: We discovered exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) within the wild for malicious cryptocurrency mining.
By: Sunil Bharti

September 21, 2022

Learn time:  ( phrases)

We noticed the lively exploitation of CVE-2022-26134, an unauthenticated distant code execution (RCE) vulnerability with a important score of 9.8 within the collaboration instrument Atlassian Confluence. The hole is being abused for malicious cryptocurrency mining. Confluence has already launched a safety advisory detailing the fixes mandatory for all affected merchandise, specifically all variations of Confluence Server and Confluence Information Heart. If left unremedied and efficiently exploited, this vulnerability might be used for a number of and extra malicious assaults, similar to a whole area takeover of the infrastructure and the deployment info stealers, distant entry trojans (RATs), and ransomware. Customers and organizations are suggested to improve to the fastened variations, apply the obtainable patches, or to use short-term fixes as quickly as attainable to mitigate the dangers of abuse.
Abusing the hole

Determine 1. An infection chain

The vulnerability could be exploited by sending a specifically crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression within the HTTP request Uniform Useful resource Identifier (URI) to the sufferer server, leading to an RCE.
To establish whether or not the put in Confluence Server is weak, the attacker can ship an HTTP request to run an id command. Upon profitable exploitation, the attacker can learn its response in a managed HTTP response header. From the pattern we analyzed, executing the id command yielded an output of “X-Cmd-Response” header — the weak server will execute the command and set its response within the attacker-defined header.

Determine 2. Attacker sends a malicious request to examine for person info

Determine 3. The response to the attacker’s malicious request

Trying on the malware routine
Utilizing Development Micro Cloud One™  Workload Safety modules to trace the elements and actions of the cryptocurrency malware used, we noticed the next occasions and elements:

Intrusion Prevention System (IPS): Apart from blocking the exploitation of CVE-2022-26134 and different software vulnerabilities, IPS additionally tracked the incoming occasion’s site visitors and the payload’s information and set off. On this pattern, the attacker injected an OGNL expression to obtain and run the script within the sufferer’s machine. This script file downloaded one other script,

Determine 4. IPS occasion on assault site visitors

Determine 5. Payload information captured

Net repute module: Apart from blocking the malicious URL, we additionally noticed the command-and-control (C&C) URL server that the malware was speaking with for the payload obtain routine.

Determine 6. Blocking the malicious URL

Antimalware module: Apart from defending the focused system towards the exploitation of the vulnerability in actual time utilizing conduct monitoring, the antimalware module may also detect and block the obtain of different elements to execute the malware. On this pattern, the scripts had been downloading the cryptocurrency miner malware hezb.

Determine 7. Detecting the malicious cryptocurrency miner

Exercise monitoring module: This module detects course of, file, and community actions on endpoints working Workload Safety. From our evaluation, the hezb malware initiated a course of to speak with the C&C server.

Determine 8. Telemetry occasion of a course of initiated by the hezb malware

Monitoring the shell scripts
As soon as the exploit payload is executed within the sufferer machine, the malware downloads the shell script file. This shell script performs a number of actions and we break it down as follows:
1.      The script updates the trail variable to incorporate the /tmp and /dev/shm paths.

Determine 9. Updating the trail variable

2.      If the curl utility just isn’t current within the system, the script downloads and installs its personal curl binary file from the C&C server.

Determine 10. Operate to obtain the scripts and binaries

3.      Like many different cryptocurrency-mining malware, it disables the iptables or modifications the firewall coverage motion to ACCEPT and flushes all of the firewall guidelines.

Determine 11. Disabling the firewall

4.      The script downloads a binary file ko, which takes the benefit of the PwnKit vulnerability to escalate the privilege to the foundation person, whereas the binary file downloads the shell script for the subsequent actions.

Determine 12. Script downloading different assets

5.      The script downloads the hezb malware and kills a number of processes that belong to different competing coin miners, disables cloud service supplier brokers, and proceeds with lateral motion.

Determine 13. Disabling cloud service supplier brokers

a.      The script checks for the presence of hezb within the working course of. If it’s not discovered, the script downloads the binary file in accordance with the system structure (similar to sys.x86_64), renames it to “hezb”, and communicates with its C&C server hosted at 106[.]252[.]252[.]226 utilizing port 4545.

Determine 14. Downloading the malicious cryptocurrency miner

Determine 15. Detection of hezb connecting to its C&C server utilizing Development Micro Imaginative and prescient One™

b.      Below the /root and /dwelling directories, the script scans for safe shell protocol (SSH) customers, keys, and hosts within the .ssh listing and .bash_history file.

Determine 16. Gathering info for lateral motion by way of SSH

Whereas doing lateral motion by way of SSH, the malware additionally downloads the script on the distant hosts. comprises the hard-coded info of the miner pockets handle that it wants to speak with. Upon nearer examination, we are able to see that the script has the identical content material as and, aside from the method the place the script concurrently connects with the miner server and makes use of totally different IP addresses and arguments.  

Determine 17. Miner connecting to C&C server

Determine 18. Detection of vulnerability exploitation by noticed assault methods (OATs)

Determine 19. Development Micro Imaginative and prescient One Workbench app detection of correlated occasions

We analyzed the script able to altering the attribute of </and many others/> to make it mutable. </and many others/> doesn’t generally exist within the ordinary set up of Linux. The presence of this file and different paths to arbitrary executables may point out malicious libraries, which additionally suggest the presence of different malware. Making the file mutable clears the contents of the file by altering the file permissions to free the system’s useful resource as a result of different malicious processes will likely be unable to work.
We additionally noticed that it might probably scan the standing of all mounted file techniques within the </proc/mount> listing.

Determine 20. Monitoring the telemetry exercise of fixing attributes with the Workbench app’s Execution Profile characteristic

Though we’ve noticed the abuse of this vulnerability for illicit cryptocurrency-mining actions by cybercriminals, we additionally urge customers to prioritize patching this hole as quickly as attainable since it’s pretty easy to take advantage of it for different subsequent compromises.  Attackers may benefit from injecting their very own code for interpretation and acquire entry to the Confluence area being focused, in addition to conduct assaults starting from controlling the server for subsequent malicious actions to damaging the infrastructure itself. Apart from the hezb malware, we noticed Kinsing and the Darkish.IoT malware from our honeypot abusing this vulnerability. Stories of cybercriminals exploiting this hole in makes an attempt to deploy malware similar to Mirai and internet shells similar to China Chopper have additionally emerged, with analyses detailing the abuse of weak servers to unfold and increase assaults.
We’ve noticed a variety of firms who’ve been hit with the lively exploitation of CVE-2022-26134. In accordance with Confluence’s web site, over 75,000 clients use the collaboration instrument for his or her enterprise and work operations, which means that a variety of industries might be weak and overwhelmed with assaults if their respective platforms stay unpatched. Organizations who’ve but to patch or improve their respective subscriptions to a set model are suggested to use the really helpful mitigation steps from the official documentation launched.
Development Micro options
Development Micro Imaginative and prescient One™ clients are protected against the abuse of this vulnerability and its accompanying malicious payloads by way of Workload Safety with the next guidelines:

1011456: Atlassian Confluence and Information Heart Distant Code Execution Vulnerability (CVE-2022-26134)
1008610: Block Object-Graph Navigation Language (OGNL) Expressions Initiation in Apache Struts HTTP Request

Workload Safety’s correlation of telemetry and detections present preliminary safety context, permitting safety groups and analysts to trace and monitor the threats actions. Within the subsequent part, Development Micro Imaginative and prescient One supplies extra particulars into the paths and occasions in actual time.
Utilizing Development Micro Imaginative and prescient One, the noticed assault methods (OATs) is generated from particular person occasions that present safety groups and analysts with safety worth. To analyze the attainable makes an attempt of exploitation utilizing this vulnerability, analysts can search for these OAT IDs from the opposite helper OAT triggers indicative of suspicious actions on the affected host, similar to:

F2588 – Atlassian Vulnerability Exploitation
F2358 – Recursive File Deletion by way of RM Command 
F2360 – Course of Discovery by way of PS command 
F4584 – Recognized Switch of Suspicious Recordsdata Over Community 
F3737 – Curl Execution 
F4868 – Wget Execution 
F2918 – View File by way of Cat Command 
F4986 – Malware Detection 
F2140 – Malicious Software program 
F2681 – Show Customers and Teams Listing 
F2763 – Malicious URL

The Development Micro Imaginative and prescient One Workbench app helps analysts see the numerous correlated occasions intelligently based mostly on occurrences all through your complete fleet of workloads. Analysts can view the totally different fields of curiosity which can be thought-about essential and supply safety worth, permitting safety groups to see the compromised property and isolate these that may be probably affected whereas patching procedures are in progress. Utilizing the Execution Profile characteristic in Imaginative and prescient One, analysts can by the intensive record of actions carried out by an adversary from the search app or the risk searching app to search for totally different actions noticed in a given time-frame.
Indicators of Compromise (IOCs)
Yow will discover the complete record of IOCs right here.

Exploit Public-Going through Software
Hijack Execution Stream: Path Interception by PATH Atmosphere Variable
File and Listing Permissions Modification: Linux and Mac File and Listing Permissions Modification
Conceal Artifacts: Hidden Recordsdata and Directories
Software program Discovery
Impair Defenses: Disable or Modify System Firewall
Indicator Removing on Host: File Deletion
Scheduled Process/Job: Cron
Useful resource Hijacking
System Info Discovery
Distant System Discovery
Distant Companies: SSH





Most Popular

Recent Comments