This cryptocurrency miner is exploiting the new Confluence remote code execution bug

The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines. 

Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year.

Tracked as CVE-2021-26084, the vulnerability affects Confluence Server and Data Center, including the 6.6.0, 6.13.0, 7.4.0, and 7.12.0 releases; Atlassian's fixed releases are 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0, and Confluence Cloud is not affected.

Issued a CVSS severity score of 9.8, the critical security flaw is an Object-Graph Navigation Language (OGNL) injection vulnerability: an attacker who can get an OGNL expression into a request parameter has it evaluated server-side, which is enough to trigger RCE. It is known to be actively exploited in the wild.
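As a quick triage helper for the version question, here is an added Python example (not code from the article, Trend Micro or Atlassian) that compares an inventory of Confluence version strings against the fix releases Atlassian published for CVE-2021-26084 (6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0). The inventory in the demo is constructed; the only input it trusts is the version string you read off each instance.

```python
"""Triage a Confluence Server / Data Center version string against the
CVE-2021-26084 fix releases published by Atlassian."""

# Fix releases from Atlassian's CVE-2021-26084 advisory. Every release below
# 7.13.0 is affected unless it is at or above its own line's fix release.
FIXED_VERSIONS = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")


def parse_version(version: str) -> tuple:
    """Turn '7.12.0' into (7, 12, 0) so versions compare numerically, not as text."""
    parts = version.strip().split(".")
    # Pad to three components so '7.13' compares as 7.13.0.
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(version: str) -> bool:
    """Return True when the given Confluence version predates the fix on its line."""
    ver = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS]

    # 7.13.0 and every later feature release ship the fix.
    if ver >= fixes[-1]:
        return False

    # Maintained lines (6.13.x, 7.4.x, 7.11.x, 7.12.x) received backports:
    # compare only against the fix release on the same major.minor line.
    for fix in fixes[:-1]:
        if ver[:2] == fix[:2]:
            return ver < fix

    # Any other release line below 7.13.0 (6.6.x, 7.0.x-7.3.x, 7.5.x-7.10.x, ...)
    # never received a backport and must be upgraded.
    return True


def triage(versions):
    """Map each version string to 'VULNERABLE' or 'fixed' for an inventory pass."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, including the four versions named in the article.
    inventory = ["6.6.0", "6.13.0", "6.13.23", "7.4.0", "7.4.11",
                 "7.11.5", "7.12.0", "7.12.5", "7.13.0"]
    for version, state in triage(inventory).items():
        print(f"{version:>8}  {state}")
```

Note the asymmetry the check encodes: a 7.10.x instance is not "between two fixed versions" and therefore safe; it is on a line that never got a backport and has to move to 7.13.0 or later.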

The vulnerability was reported by Benny Jacob through Atlassian’s bug bounty program.

z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the Confluence RCE alongside its existing exploits for Oracle's WebLogic Server RCE (CVE-2020-14882), an Elasticsearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.

Once a vulnerable server has been found and the flaw has been exploited to gain a foothold, the malware deploys a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service, and creates a scheduled task that masquerades as a legitimate .NET Framework NGEN task.

The task attempts to download and execute malicious scripts from a repository on Pastebin, although the URL had already been pulled at the time of the report.

These initial actions are aimed at maintaining persistence on an infected machine. In its second-stage payload deployment, z0Miner will then scan and destroy any competing cryptocurrency miners installed on the server, before launching its own — a miner that steals computing resources to generate Monero (XMR).
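The chain above starts with an OGNL expression smuggled into a request parameter, which leaves a trace in web server logs. The following Python example is added here (it is not code from the article, Trend Micro or Atlassian) and shows a log-hunting heuristic: it parses combined-format access log lines, percent-decodes each request target, and flags OGNL syntax and Java execution primitives that never appear in legitimate Confluence URLs. The log lines are constructed, the indicator list is my own heuristic, and the vulnerable endpoint itself is deliberately not named, so the paths in the sample are ordinary Confluence pages.

```python
"""Hunt for OGNL expression injection attempts in Confluence or reverse-proxy
access logs (combined log format). Heuristic: decode the request target and
look for OGNL syntax and Java execution primitives."""
import re
from typing import Optional
from urllib.parse import unquote

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators of OGNL injection, applied to the percent-decoded request target.
OGNL_INDICATORS = (
    (re.compile(r"\\u0027"), "unicode-escaped quote (string break-out)"),
    (re.compile(r"[%$#]\{"), "OGNL expression delimiter"),
    (re.compile(r"@[\w.]+@\w+"), "OGNL static member access"),
    (re.compile(r"Class\.forName|getRuntime|ProcessBuilder|ScriptEngineManager", re.I),
     "Java reflection or process execution primitive"),
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when it is clean or unparseable."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = decode_fully(match.group("target"))
    hits = [label for pattern, label in OGNL_INDICATORS if pattern.search(target)]
    if not hits:
        return None
    return {
        "src": match.group("src"),
        "ts": match.group("ts"),
        "method": match.group("method"),
        "target": target,
        "status": int(match.group("status")),
        "ua": match.group("ua"),
        "indicators": hits,
    }


def scan_log(text: str) -> list:
    """Scan a whole log and return the findings in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


# Constructed sample lines, not real traffic: two benign requests, a probe that
# smuggles an OGNL delimiter through double encoding, and a string break-out
# attempt carrying a Java runtime call.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET /pages/viewpage.action?pageId=65539 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [01/Sep/2021:10:00:07 +0000] "POST /pages/createpage.action?spaceKey=DEV HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [01/Sep/2021:10:01:13 +0000] "GET /pages/viewpage.action?pageId=%25%7B1%2B1%7D HTTP/1.1" 200 5123 "-" "curl/7.68.0"
198.51.100.7 - - [01/Sep/2021:10:01:19 +0000] "POST /pages/createpage.action?spaceKey=x&queryString=%5Cu0027%2B%7B%40java.lang.Runtime%40getRuntime%28%29%7D%2B%5Cu0027 HTTP/1.1" 200 742 "-" "python-requests/2.26.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['src']} {finding['method']} {finding['target']}")
        print("    indicators:", "; ".join(finding["indicators"]))
```

Two caveats when running this against real logs: standard access logs record the query string but not POST bodies, so a payload carried in the body only shows up if a WAF or reverse proxy logs request bodies or if Confluence's own application logs capture the parameter; and a 200 response to a flagged request is a reason to look at the host for the webshells and scheduled task described above, since the exploit does not need a separate login.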

Atlassian has released fixed versions that resolve CVE-2021-26084. Threat actors reliably weaponize newly disclosed bugs within days, as the Microsoft Exchange Server attacks earlier this year showed, so administrators should apply the fix as quickly as possible and, because the flaw is already being exploited in the wild, check any internet-facing instance that sat unpatched since disclosure for signs of compromise rather than assuming the update alone closes the incident.

Previous and related coverage

  • 170 Android cryptocurrency mining scam apps steal $350 000 from users

  • Does cybercrime impact cryptocurrency prices? Researchers find out

  • Thousands of PS4s seized in Ukraine in illegal cryptocurrency mining sting


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Source: https://www.zdnet.com/article/this-cryptocurrency-miner-is-exploiting-the-new-confluence-remote-code-execution-bug/#ftag=RSSbaffb68