Between mid-June and the end of July 2024, researchers reported that it saw a significant amount of attempts to exploit the weakness, which was used to drop the XMRig miner on unpatched systems. It is believed that the malicious activity is being carried out by at least three distinct threat actors.

• XMRig miner launch using ELF file payload with custom-crafted requests.
• Employing a shell script to gather system information, delete all current cron jobs, uninstall cloud security tools from Tencent and Alibaba, end competing cryptojacking campaigns (like Kinsing), and then set up a new cron job that launches the miner and checks for command-and-control (C2) server connectivity every five minutes.

Due to threat actors' ongoing exploitation of it, CVE-2023-22527 poses a serious security risk to businesses all around the world. Administrators should update Confluence Data Center and Confluence Server to the most recent versions as soon as feasible to reduce the risks and dangers related to this vulnerability.

Impact

• Cryptocurrency Theft
• Code Execution
• Information Theft

Indicators of Compromise

URL

• http://45.144.3.216:10000/rnv2ymcl
• http://45.144.3.216:10000/starrail/config/v2.json
• http://45.144.3.216:10000/starrail/cbt2zip/setup.exe
• http://45.144.3.216:10000/solr.sh
• http://175.118.126.65:8002/js/l.txt
• http://95.85.93.196/h4

IP

• 45.144.3.216
• 175.118.126.65
• 95.85.93.196

MD5

• 9741b569c88166bbc9bbdc2dea6797b9
• b3bfc68de683391e674ada5ce72b584b
• a53a9ca8a074c7108f8412c3f8c1fc5d
• 2833c82055bf2d29c65cd9cf6684449a
• 2e32d010e8c85a608022b317e5cb1fa7

SHA-256

• c81d4770e812ddc883ead8ff41fd2e5a7d5bc8056521219ccf8784219d1bd819
• 3b6bb4d96a2bd862ced17976ce8fd747c38b91df1447061d027d6c0e280d2e83
• 7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79
• 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
• 759d825a05a3c593e8c4570d42c3169a5347067da44337c6842eb8b7470916e0

SHA-1

• 66b9dfae6a32b9b024b351b675275be7efcffff6
• d1b2e945d87df96ae11af7d6360f1cb0d8903457
• a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d
• 75612233d32768186d0557dd39abbbd3284a2a29
• d2f532df4d35e94c60676d50ded838ae843e335e

Remediation

• Refer to Atlassian Website for patch, upgrade or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.