
Threat actors use recently discovered CVE-2021-26084 Atlassian Confluence


Threat actors are actively exploiting the recently disclosed CVE-2021-26084 RCE vulnerability in Atlassian Confluence deployments.

Trend Micro researchers have spotted crypto-mining campaigns that are actively exploiting a recently disclosed critical remote code execution vulnerability in Atlassian Confluence deployments across Windows and Linux.

At the end of August, Atlassian released security patches to address the critical CVE-2021-26084 flaw that affects the Confluence enterprise collaboration product.


The flaw is an OGNL injection issue that can be exploited by an authenticated attacker to execute arbitrary code on affected Confluence Server and Data Center instances.

“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” reads the advisory published by the company.

The issue was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program; the vulnerability received a CVSS score of 9.8.

Affected versions are:

  • version < 6.13.23
  • 6.14.0 ≤ version < 7.4.11
  • 7.5.0 ≤ version < 7.11.5
  • 7.12.0 ≤ version < 7.12.5
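As an added example (not code from the article or from Atlassian), a small Python checker that maps an inventory of Confluence version strings onto the four affected ranges listed above, so a defender can triage hosts without comparing versions by hand:

```python
# Added example: classify Confluence Server/Data Center versions against the
# CVE-2021-26084 affected ranges from Atlassian's advisory.
from typing import Dict, Iterable, Optional, Tuple

# (lower bound inclusive or None, upper bound exclusive), as in the advisory.
AFFECTED_RANGES = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.5"),
    ("7.12.0", "7.12.5"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.4.10' into (7, 4, 10); a suffix such as '-beta' is ignored."""
    core = v.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    # Pad so that '7.4' compares like '7.4.0'.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower is not None and v < parse_version(lower):
            continue  # below this range's lower bound
        if v < parse_version(upper):
            return True  # inside [lower, upper)
    return False


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Return {version: 'affected' | 'fixed'} for an inventory of hosts."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["6.13.22", "6.13.23", "7.4.10", "7.4.11", "7.11.0", "7.12.5", "7.13.0"]
    for ver, status in triage(sample).items():
        print(f"Confluence {ver}: {status}")
```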

An attacker could trigger the issue by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Threat actors started exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration product a few days after it was patched by the vendor. US Cyber Command (USCYBERCOM) also issued an alert urging US organizations to address the Atlassian Confluence CVE-2021-26084 vulnerability immediately.

Researchers from threat intelligence firm Bad Packets also detected mass scanning and exploitation activity targeting Atlassian Confluence servers vulnerable to the above RCE.

Now Trend Micro researchers have shared technical details of the vulnerability and published a report on a cryptocurrency mining campaign distributing z0Miner.

“Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of Atlassian’s Confluence remote code execution (RCE) vulnerability assigned as CVE-2021-26084, which was disclosed by Atlassian in August.” states Trend Micro. “Given the increasing popularity of the cryptocurrency market, we expect malware authors behind trojans like z0Miner to constantly update the techniques and entry vectors they use to gain a foothold within a system.”

Once the vulnerability is successfully exploited, z0Miner deploys web shells that will download a series of malicious files.

The malware uses several mechanisms to evade detection and gain persistence on the infected systems. Trend Micro reported that the miner installs the file vmicvguestvs.dll, disguised as a legitimate integration service called “Hyper-V Guest Integration”.

Experts recommend regularly updating systems and applications with the latest patches to prevent such attacks.

Trend Micro published MITRE ATT&CK Tactics and Techniques and Indicators of Compromise for the z0Miner campaign exploiting the Atlassian Confluence flaw.


Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency mining)
