Approx. read time: 2.4 min.
Post: Hackers attack Confluence Servers, hijack power for cryptocurrency mining
Hackers Target Confluence Servers for Illicit Cryptocurrency Mining
Hackers have recently launched attacks on Confluence Servers to exploit their resources for illicit cryptocurrency mining, primarily targeting Monero. According to Trend Micro, the attackers are taking advantage of CVE-2019–3396, a vulnerability within the Widget Connector macro of Atlassian Confluence Server. This flaw allows for path traversal and remote code execution through server-side injection, enabling hackers to hijack system resources.
On March 20, 2019, Atlassian released a patch to address this critical security flaw, along with a fix for CVE-2019-3395, which resolved a WebDAV endpoint vulnerability. This issue allowed attackers to send arbitrary HTTP and WebDAV requests from Confluence Server or Data Center instances.
The Mining Campaign Targets Unpatched Servers
Despite the availability of patches, many Confluence systems remain unpatched, leaving them vulnerable to exploitation. In this recent campaign, hackers aim to mine Monero on compromised servers. Researchers Augusto Remillano II and Robert Malagad from Trend Micro report that CVE-2019-3396 was previously exploited to drop Gandcrab ransomware but is now used to deliver rootkits and cryptocurrency mining malware onto unprotected systems.
The infection process begins when the attacker sends a remote command to fetch a shell script from Pastebin. This initial script has capabilities to kill processes and download a second shell script, which eventually leads to the download of a third script from Pastebin. These scripts work together to install the Kerberods Trojan dropper.
Kerberods and Cryptocurrency Mining
Once installed, the Kerberods malware deploys the “khugepageds” cryptocurrency miner, which has been flagged as Coinminer.Linux.MALXMR.UWEJI, alongside a rootkit. The rootkit helps mask the mining activities from system administrators by concealing the miner’s resource usage.
The rootkit is delivered as code that is later compiled using GCC. Additionally, Kerberods is capable of spreading across networks via SSH using vulnerabilities in Jenkins automation servers, specifically CVE-2019-1003001 and CVE-2019-1003000. These security flaws allow for arbitrary code execution, facilitating the further spread of the malware.
Both Kerberods and its rootkit employ custom packers, making it harder for analysts to detect and analyze the malware. The rootkit hides the mining processes and forges CPU usage data to evade detection, effectively concealing the presence of cryptocurrency mining malware.
Urgent Need for Patch Application
Due to the widespread exploitation of Confluence Servers, it is crucial for system administrators to apply Atlassian’s patches immediately to secure their systems from these ongoing attacks.
Sources:
Related Posts
About the Author: Bernard Aybout (Virii8)
