Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware – Trend Micro

Exploits & Vulnerabilities

Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.

By: Sunil Bharti

September 21, 2022Read time:  ( words)

We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware. Users and organizations are advised to upgrade to the fixed versions, apply the available patches, or to apply temporary fixes as soon as possible to mitigate the risks of abuse.

Abusing the gap

Figure 1. Infection chain

The vulnerability can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI) to the victim server, resulting in an RCE.

To identify whether the installed Confluence Server is vulnerable, the attacker can send an HTTP request to run an id command. Upon successful exploitation, the attacker can read its response in a controlled HTTP response header. From the sample we analyzed, executing the id command yielded an output of “X-Cmd-Response” header — the vulnerable server will execute the command and set its response in the attacker-defined header.

Figure 2. Attacker sends a malicious request to check for user information

Figure 3. The response to the attacker’s malicious request

Looking at the malware routine

Using Trend Micro Cloud One™  Workload Security modules to track the components and activities of the cryptocurrency malware used, we observed the following events and components:

• Intrusion Prevention System (IPS): Aside from blocking the exploitation of CVE-2022-26134 and other application vulnerabilities, IPS also tracked the incoming event’s traffic and the payload’s data and trigger. In this sample, the attacker injected an OGNL expression to download and run the ro.sh script in the victim’s machine. This script file downloaded another script, ap.sh.

Figure 4. IPS event on attack traffic

Figure 5. Payload data captured

• Web reputation module: Aside from blocking the malicious URL, we also observed the command-and-control (C&C) URL server that the malware was communicating with for the payload download routine.

Figure 6. Blocking the malicious URL

• Antimalware module: Aside from protecting the targeted system against the exploitation of the vulnerability in real time using behavior monitoring, the antimalware module can also detect and block the download of other components to execute the malware. In this sample, the scripts were downloading the cryptocurrency miner malware hezb.

Figure 7. Detecting the malicious cryptocurrency miner

• Activity monitoring module: This module detects process, file, and network activities on endpoints running Workload Security. From our analysis, the hezb malware initiated a process to communicate with the C&C server.

Figure 8. Telemetry event of a process initiated by the hezb malware

Tracking the shell scripts

Once the exploit payload is executed in the victim machine, the malware downloads the ro.sh/ap.sh shell script file. This shell script performs multiple actions and we break it down as follows:

1.      The script updates the path variable to include the /tmp and /dev/shm paths.

Figure 9. Updating the path variable

2.      If the curl utility is not present in the system, the script downloads and installs its own curl binary file from the C&C server.

Figure 10. Function to download the scripts and binaries

3.      Like many other cryptocurrency-mining malware, it disables the iptables or changes the firewall policy action to ACCEPT and flushes all the firewall rules.

Figure 11. Disabling the firewall

4.      The script downloads a binary file ko, which takes the advantage of the PwnKit vulnerability to escalate the privilege to the root user, while the binary file downloads the ap.sh shell script for the next actions.

Figure 12. Script downloading other resources

5.      The ap.sh script downloads the hezb malware and kills multiple processes that belong to other competing coin miners, disables cloud service provider agents, and proceeds with lateral movement.

Figure 13. Disabling cloud service provider agents

a.      The ap.sh script checks for the presence of hezb in the running process. If it is not found, the script downloads the binary file according to the system architecture (such as sys.x86_64), renames it to “hezb”, and communicates with its C&C server hosted at 106[.]252[.]252[.]226 using port 4545.

Figure 14. Downloading the malicious cryptocurrency miner

Figure 15. Detection of hezb connecting to its C&C server using Trend Micro Vision One™

b.      Under the /root and /home directories, the script scans for secure shell protocol (SSH) users, keys, and hosts in the .ssh directory and .bash_history file.

Figure 16. Collecting information for lateral movement via SSH

While doing lateral movement via SSH, the malware also downloads the ldr.sh script on the remote hosts. ldr.sh contains the hard-coded information of the miner wallet address that it needs to communicate with. Upon closer examination, we can see that the ldr.sh script has the same content as ro.sh and ap.sh, except for the process where the script simultaneously connects with the miner server and uses different IP addresses and arguments.  

Figure 17. Miner connecting to C&C server

Figure 18. Detection of vulnerability exploitation by observed attack techniques (OATs)

Figure 19. Trend Micro Vision One Workbench app detection of correlated events

We analyzed the script capable of changing the attribute of </etc/ld.so.preload> to make it mutable. </etc/ld.so.preload> does not commonly exist in the usual installation of Linux. The presence of this file and other paths to arbitrary executables could indicate malicious libraries, which also imply the presence of other malware. Making the file mutable clears the contents of the file by changing the file permissions to free the system’s resource because other malicious processes will be unable to work.

We also observed that it can scan the status of all mounted file systems in the </proc/mount> directory.

Figure 20. Tracking the telemetry activity of changing attributes with the Workbench app’s Execution Profile feature

Conclusion

Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible since it is fairly simple to exploit it for other subsequent compromises.  Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself. Aside from the hezb malware, we observed Kinsing and the Dark.IoT malware from our honeypot abusing this vulnerability. Reports of cybercriminals exploiting this gap in attempts to deploy malware such as Mirai and web shells such as China Chopper have also emerged, with analyses detailing the abuse of vulnerable servers to spread and expand attacks.

We’ve observed a number of companies who have been hit with the active exploitation of CVE-2022-26134. According to Confluence’s website, over 75,000 customers use the collaboration tool for their business and work operations, which implies that a number of industries could be vulnerable and overwhelmed with attacks if their respective platforms remain unpatched. Organizations who have yet to patch or upgrade their respective subscriptions to a fixed version are advised to apply the recommended mitigation steps from the official documentation released.

Trend Micro solutions

Trend Micro Vision One™ customers are protected from the abuse of this vulnerability and its accompanying malicious payloads via Workload Security with the following rules:

• 1011456: Atlassian Confluence and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
• 1008610: Block Object-Graph Navigation Language (OGNL) Expressions Initiation in Apache Struts HTTP Request

Workload Security’s correlation of telemetry and detections provide initial security context, allowing security teams and analysts to track and monitor the threats activities. In the next section, Trend Micro Vision One provides more details into the paths and events in real time.

Using Trend Micro Vision One, the observed attack techniques (OATs) is generated from individual events that provide security teams and analysts with security value. To investigate the possible attempts of exploitation using this vulnerability, analysts can look for these OAT IDs from the other helper OAT triggers indicative of suspicious activities on the affected host, such as:

1. F2588 – Atlassian Vulnerability Exploitation
2. F2358 – Recursive File Deletion via RM Command 
3. F2360 – Process Discovery via PS command 
4. F4584 – Identified Transfer of Suspicious Files Over Network 
5. F3737 – Curl Execution 
6. F4868 – Wget Execution 
7. F2918 – View File via Cat Command 
8. F4986 – Malware Detection 
9. F2140 – Malicious Software 
10. F2681 – Display Users and Groups List 
11. F2763 – Malicious URL

The Trend Micro Vision One Workbench app helps analysts see the significant correlated events intelligently based on occurrences throughout the entire fleet of workloads. Analysts can view the different fields of interest that are considered important and provide security value, allowing security teams to see the compromised assets and isolate those that can be potentially affected while patching procedures are in progress. Using the Execution Profile feature in Vision One, analysts can through the extensive list of actions performed by an adversary from the search app or the threat hunting app to look for different activities observed in a given time frame.

Indicators of Compromise (IOCs)

You can find the full list of IOCs here.

MITRE ATT&CK Techniques