“Analyzing Cryptojacking through CVE-2023-22527: A Deep Dive into a Comprehensive Cryptomining Network”

  • Short Summary: The critical vulnerability CVE-2023-22527 is being exploited for cryptojacking, allowing attackers to turn affected systems into cryptomining networks. Methods include deploying shell scripts, targeting SSH endpoints, and maintaining persistence via cron jobs. Organizations are urged to update their Confluence instances and adopt security best practices.
  • Key Points:
    • CVE-2023-22527 is a critical vulnerability with a CVSS score of 10.
    • Affects Confluence Data Center and Server versions 8.0.x to 8.5.3.
    • Threat actors exploit the vulnerability for cryptojacking activities.
    • Methods of exploitation include using XMRig miners and shell scripts.
    • Attackers kill competing cryptomining processes and maintain persistence through cron jobs.
    • Organizations should update Confluence and implement security best practices.
    • Regular patch management and security audits are recommended.
  • MITRE ATT&CK TTPs – created by AI
    • Exploit Public-Facing Application (T1190)
      • Exploitation of CVE-2023-22527 for unauthorized access.
    • Command and Scripting Interpreter: Unix Shell (T1059.004)
      • Execution of shell scripts for cryptojacking.
    • Disable or Modify Tools (T1562.001)
      • Uninstalling security services to avoid detection.
    • Clear Command History (T1070.003)
      • Clearing logs and bash history to hide activities.
    • Clear Linux or Mac System Logs (T1070.002)
      • Removing system logs to cover tracks.
    • Ingress Tool Transfer (T1105)
      • Downloading mining tools and scripts to the compromised system.
    • Scheduled Task/Job: Cron (T1053.003)
      • Creating cron jobs to maintain persistence.
    • Data from Local System (T1005)
      • Gathering user information and SSH configurations for lateral movement.
    • Resource Hijacking (T1496)
      • Utilizing victim’s resources for cryptomining activities.

A technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim’s system.

Summary

  • The critical vulnerability CVE-2023-22527 is actively being exploited for cryptojacking activities, turning affected environments into cryptomining networks.
  • The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs.
  • Organizations are advised to update their Confluence instances to the latest versions and implement security best practices and tools to defend their systems.
     

On Jan 16, 2024, Atlassian released a security advisory for CVE-2023-22527, a critical (score of 10) vulnerability  that affects Confluence Data Center and Confluence Server, which are enterprise-level deployments of Atlassian Confluence, a collaboration and documentation platform designed for teams and organizations to create, share, and collaborate on content.

In a previous blog entry, we provided a brief technical breakdown of CVE-2023-22527 and how a threat actor can potentially exploit it for malicious activities. Meanwhile, in this article, we will examine how attackers have been exploiting the vulnerability to launch cryptojacking attacks.

Technical analysis

By abusing CVE-2023-22527, an unauthenticated attacker has the potential to exploit a template injection vulnerability found in older versions of Confluence Data Center and Server, essentially enabling remote code execution (RCE) on the affected instance. 

Product Affected versions
Confluence Data Center and Server 8.0.x 8.1.x 8.2.x 8.3.x 8.4.x 8.5.0-8.5.3

Table 1. Affected Confluence Data Center and Confluence Server versions

We observed this vulnerability being weaponized for cryptomining activities. In addition, we noticed a high number of exploitations attempts since from mid-June to the end of July, 2024.

Figure 1. DS-1011954 exploitation attempt hits for Deep Security

Figure 1. DS-1011954 exploitation attempt hits for Deep Security

Figure 2. C1WS-1011954 exploitation attempt hits for Cloud One Workload Security

Figure 2. C1WS-1011954 exploitation attempt hits for Cloud One Workload Security

Figure 3. TP-43721 exploitation attempt hits for TippingPoint

Figure 3. TP-43721 exploitation attempt hits for TippingPoint

We observed three main threat actors exploiting CVE-2023-22527 via malicious scripts.  The first threat actor using the XMRig miner to execute miner activity via an ELF file payload (shown in figure 4).

Figure 4. The malicious request from the first threat actor

Figure 4. The malicious request from the first threat actor

The attack chain used by the first threat actor is as follows:

Figure 5. Attack chain used in the first attack vector

Figure 5. Attack chain used in the first attack vector

Figure 6. Attack chain used in the second attack vector

Figure 6. Attack chain used in the second attack vector

Meanwhile, the second threat actor used a shell script to execute miner activity through a shell file over Secure Shell (SSH) for all accessible endpoints in the customer environment. As shown in Figure 6, the attacker downloaded the shell file and ran it with bash from memory. 

Figure 7. The malicious request from the second threat actor

Figure 7. The malicious request from the second threat actor

We analyzed this script, which revealed the following behaviors:

First, the script kills known cryptomining processes and any process being run from */tmp/* directories.

Figure 8. Killing processes related to known malware and any process being run from tmp directories

Figure 8. Killing processes related to known malware and any process being run from tmp directories

Next, it deletes all cron jobs, and adds a new one that runs every five minutes to check for command-and-control (C&C) server connectivity.

Figure 9. Function to clear cron jobs and maintain access on the server using scheduled task via contrab

Figure 9. Function to clear cron jobs and maintain access on the server using scheduled task via contrab

The der function is responsible for uninstalling security services such as Alibaba Cloud Shield, while also blocking the Alibaba Cloud Shield IP address. Meanwhile, the elif condition is used to uninstall Tencent Cloud mirrors.

Figure 10. Process termination for security services

Figure 10. Process termination for security services

Using the localgo function, the attacker identifies the current machine’s IP address and gathers all possible users, IP addresses, and keys from sources such as the user’s bash history, SSH configurations, and known hosts. This information is used to target other remote systems via SSH to execute cryptomining activities.

Figure 11: Setting the “localgo” function which uses SSH to brute force all available local endpoints to spread cryptomining scripts in the local network

Figure 11: Setting the “localgo” function which uses SSH to brute force all available local endpoints to spread cryptomining scripts in the local network

After the collecting the needed information, the attacker starts to automate cryptomining activities on other hosts via SSH:

ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp “command”
oStrictHostKeyChecking=no: Automatically accepts the host key without host verification.
oBatchMode=yes: Disables interactive password prompts.
oConnectTimeout=3: Sets a 3-second timeout for the connection attempt.

For the next function, cron, the attacker adds multiple cron jobs under different names (whoami, nginx, apache) in different locations (init.d, cron.hourly, cron.d) to maintain access to the server.

Figure 12. Maintaining access via cron

Figure 12. Maintaining access via cron

After ensuring that all cloud monitoring and security services are terminated or deleted, the attacker terminates the entry point process that exploits CVE-2023-22527 and downloads the XMRig miner to begin mining activities.

Figure 13. Downloading the mining configuration file and starting another shell (solr.sh) to begin mining activities

Figure 13. Downloading the mining configuration file and starting another shell (solr.sh) to begin mining activities

Before starting mining activities, the attacker uses the solr.sh function to ensure that all security tools that do not exist in the previous shell are terminated.

  Figure 14. The Attacker terminating and deleting known security tools and mining processes

Figure 14. The Attacker terminating and deleting known security tools and mining processes

Finally, for the last step in main rnv2ymcl, the attacker removes all their traces by clearing log and bash history.

  Figure 15: Clearing activities from the affected server

Figure 15: Clearing activities from the affected server

The following image shows the wallet information we gathered from the JSON file:

Figure 16. Wallet information from the JSON file

Figure 16. Wallet information from the JSON file

Conclusion and recommendations

With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide. To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.

Furthermore, organizations should consider implementing the following best practices for general vulnerability exploit protection:

Patch Management: Regularly updating and patching software, operating systems, and applications is the most effective method of preventing vulnerabilities from being exploited.

Network Segmentation: Isolating critical network segments from the broader network can reduce the impact of exploit-based attacks.

Regular Security Audits: Conducting security audits and vulnerability assessments can help uncover and address weaknesses in the infrastructure before they are exploited.

Incident Response Plan: Creating, testing, and maintaining an incident response plan helps organizations respond swiftly and effectively to security breaches and exploit attempts.

Trend Solutions

Implementing network-based access controls, using intrusion prevention systems like Trend Vision One™, and performing regular vulnerability scans can further bolster security.

Figure 17. Honeypot trigger 1 (top) and 2 (bottom)

Figure 17. Honeypot trigger 1 (top) and 2 (bottom)

Vision hunting queries

The following text lists potentially useful queries for threat hunting within Vision One:

Hunting SSH lateral movement using suspicious flags
eventSubId: 2 AND processCmd:ssh AND processCmd:oStrictHostKeyChecking AND processCmd:oBatchMode

Hunting for malicious echo updating or adding new cron activities
eventSubId: 2 AND (processCmd:cron OR objectCmd:cron) AND (processCmd:echo OR objectCmd:echo)

Indicators of Compromise

The indicators of compromise can be found here.

MITRE ATT&CK

Tactic Technique Technique ID
Initial Access Exploit Public-Facing Application T1190
Execution Command and Scripting Interpreter: Unix Shell T1059.004
Defense Evasion Disable or Modify Tools T1562.001
Clear Command History T1070.003
Clear Linux or Mac System Logs T1070.002
Command and Control Ingress Tool Transfer T1105
Persistence Scheduled Task/Job: Cron T1053.003
Collection Data from Local System T1005
Impact Resource Hijacking T1496 

Source: Original Post