The critical hard-coded credentials flaw in Atlassian’s Questions for Confluence app (CVE-2022-26138) was being actively exploited in the wild within a week of the patches being released. The flaw only affects Confluence Server and Data Center instances on which the Questions for Confluence app has been installed (uninstalling the app does not remove the account it created), and exploitation began right after the hard-coded credentials were posted publicly on Twitter.
Atlassian advises users to update to the latest versions of its products and apply security patches, since unpatched systems are routinely targeted. Attacks against unpatched Confluence Server and Data Center instances continue to be observed.
The two flaws most heavily exploited recently are CVE-2021-26084 and CVE-2022-26134, both OGNL injection vulnerabilities that give remote code execution. Attackers use them to deploy malware such as coinminers and web shells on vulnerable systems.
Attackers locate exposed Confluence instances with internet-wide search engines such as Shodan.
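Because the CVE-2022-26134 OGNL payload travels in the request path, exploitation attempts leave a recognisable trace in the reverse proxy or Tomcat access log. The following detector, an added example rather than code from the original report, percent-decodes each request path and flags `${` expressions; it also flags POSTs to the page-variables endpoints that public CVE-2021-26084 proof-of-concept code targets (an assumption about the exploit surface, and a triage signal only, since legitimate page creation uses the same endpoint). The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" style; every IP,
# timestamp and path below is invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jun/2022:10:02:44 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
10.0.0.7 - - [03/Jun/2022:10:03:01 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 200 884 "-" "python-requests/2.27"
10.0.0.5 - - [03/Jun/2022:10:04:30 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Endpoints used by public CVE-2021-26084 PoCs (assumption; the injection itself
# sits in the POST body, which an access log does not record).
CVE_2021_26084_ENDPOINTS = (
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
)


def decode_path(path: str) -> str:
    """Percent-decode until stable so double-encoded payloads are not missed."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def analyse_line(line: str):
    """Return a dict with any findings for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    src, ts, method, raw_path, status = m.groups()
    path = decode_path(raw_path)
    findings = []
    if "${" in path:
        findings.append("CVE-2022-26134: OGNL expression in request path")
    if method == "POST" and path.split("?", 1)[0] in CVE_2021_26084_ENDPOINTS:
        findings.append("CVE-2021-26084: POST to page-variables endpoint, inspect body for queryString")
    return {"src": src, "time": ts, "method": method, "path": path,
            "status": status, "findings": findings}


def scan_log(text: str) -> list:
    """Analyse every line and keep only those with findings."""
    results = (analyse_line(line) for line in text.splitlines())
    return [r for r in results if r is not None and r["findings"]]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["status"], hit["path"], hit["findings"])
```

A 302 with the decoded expression in the path is the shape described for in-the-wild CVE-2022-26134 exploitation; decoding to a fixed point matters because scanners frequently double-encode `$` and `{`.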
Godzilla Web Shell Attack
Web shells are malicious scripts that give threat actors access to a web server and a foothold for further attacks. Once uploaded, a web shell lets the attacker browse the file system and run operating system commands through ordinary HTTP requests.
Godzilla is a widely used webshell that parses incoming HTTP POST requests, decrypts the body with a secret key, executes the decrypted content (in the JSP variant, a Java class loaded straight into memory) and encrypts the result before returning it in the HTTP response. Because the code that would be recognised as malicious is only ever present in encrypted form on the wire and on disk, and is decrypted and executed at request time in memory, static scanning of the dropped .jsp file and network inspection see little more than an opaque blob.
Godzilla JSP WebShells, like the ones below, were used for the most recent attacks.
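To make the transport concrete, the following Python model is an added example (not code from the original post or from the Godzilla project) modelled on the publicly documented XOR/Base64 variant of Godzilla's JSP shell: the 16-character key is taken from the MD5 of an operator-chosen string, the payload is XORed with that key and Base64-encoded, and the response is framed by the two halves of MD5(password + key). The password, key seed and payloads are constructed; the framing check at the end is the part a responder can apply to captured traffic.

```python
import base64
import hashlib
import re

# Constructed operator settings. Godzilla embeds the first 16 hex chars of the
# MD5 of a chosen string as the key, and reads the body from a POST parameter
# named after the password.
PASSWORD = "pass"
KEY = hashlib.md5(b"key").hexdigest()[:16]


def xor_transform(data: bytes, key: str) -> bytes:
    """Godzilla's XOR step: byte i is XORed with key[(i + 1) & 15]; it is its own inverse."""
    return bytes(b ^ ord(key[(i + 1) & 15]) for i, b in enumerate(data))


def encode_request(payload: bytes, key: str = KEY) -> str:
    """Client side: the payload travels as Base64(XOR(payload)) in the POST parameter."""
    return base64.b64encode(xor_transform(payload, key)).decode()


def decode_request(param_value: str, key: str = KEY) -> bytes:
    """Server side: the shell reverses the transform before handing bytes to a class
    loader; this decoded form exists only in memory."""
    return xor_transform(base64.b64decode(param_value), key)


def wrap_response(result: bytes, password: str = PASSWORD, key: str = KEY) -> str:
    """Server side: the result is XORed, Base64-encoded and framed by MD5(password + key)."""
    frame = hashlib.md5((password + key).encode()).hexdigest()
    body = base64.b64encode(xor_transform(result, key)).decode()
    return frame[:16] + body + frame[16:]


# Detection: a response body that is exactly 16 hex chars + Base64 + 16 hex chars.
GODZILLA_FRAME = re.compile(r"^([0-9a-f]{16})([A-Za-z0-9+/]+={0,2})([0-9a-f]{16})$")


def looks_like_godzilla_response(body: str) -> bool:
    """Cheap structural check for proxy logs or PCAP extraction; confirm with a known key."""
    return GODZILLA_FRAME.match(body.strip()) is not None


def recover_response(body: str, password: str, key: str):
    """With password and key recovered from the dropped .jsp, decrypt a captured response.
    Returns None when the framing does not match that password/key pair."""
    m = GODZILLA_FRAME.match(body.strip())
    if m is None:
        return None
    frame = hashlib.md5((password + key).encode()).hexdigest()
    if (m.group(1), m.group(3)) != (frame[:16], frame[16:]):
        return None
    return xor_transform(base64.b64decode(m.group(2)), key)


if __name__ == "__main__":
    wire = encode_request(b"whoami")
    print("request parameter :", wire)
    reply = wrap_response(b"uid=0(root)")
    print("framed response   :", reply)
    print("recovered         :", recover_response(reply, PASSWORD, KEY))
```

The structural check alone will also match some benign traffic, so treat it as a hunting filter over responses from .jsp endpoints, and confirm by recovering the framing with the key embedded in the suspicious file.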
Hezb CoinMiner is also being distributed via CVE-2022-26134; an attempt to install it on vulnerable Atlassian Confluence servers was observed in June 2022. The infection begins with kill[.]bat, which disables Windows Defender scanning and downloads mad[.]bat. mad[.]bat then installs Hezb and registers XMRig (dom[.]exe) so that mining starts automatically.
- Mining Pool: gulf.moneroocean[.]stream:10001
- Wallet Address: 46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN
- Password: dom.[ComputerName]
CVE-2021-26084 is likewise used to distribute z0Miner to vulnerable Atlassian Confluence servers through PowerShell. The PowerShell script wi[.]txt first force-terminates competing miners and the scheduled tasks that run them, then installs XMRig, which runs from %TEMP% as javae[.]exe.
z0Miner’s mining settings, saved in config[.]json:
- Mining Pool: pool.supportxmr[.]com:80
- Wallet Address: 44Lu9jhKUuTVcSwGL1jLU6MKyFVNewBdL5mT13fjxLhFTSa5i6E5hMrAv1SmH16NYvc51GY6RnvQSKM4CDFFRov68aRFgYi
- Password: x
8220 Gang Miner Distribution
CVE-2022-26134 is also exploited by the attack group known as “8220 Gang”, which targets both Linux and Windows servers. If exploitation succeeds, the gang ultimately installs the XMRig Monero CoinMiner.
The PowerShell command below downloads and runs additional PowerShell scripts once the exploit succeeds.
That script also acts as a downloader, fetching the malicious executable ps1-6[.]exe from a fixed URL and running it.
ps1-6[.]exe loads further payloads dynamically into memory. These payloads act as injectors that perform process hollowing on the legitimate .NET Framework utility InstallUtil[.]exe.
The code injected into InstallUtil[.]exe handles the download and the next injection: it fetches the complete payload from 185.157.160[.]214:8080 and injects XMRig CoinMiner into another legitimate .NET process, AddInProcess[.]exe.
When the injector (running as InstallUtil[.]exe) starts AddInProcess[.]exe, the settings needed for mining, such as the pool address and the wallet address, are passed on its command line:
- Mining Pool: 51.79.175[.]139:8080
- Wallet Address: 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ
- Password: x
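All three miners on this page end up running XMRig with a pool, wallet and password, either on the command line (Hezb's dom[.]exe, 8220 Gang's hollowed AddInProcess[.]exe) or in config[.]json (z0Miner), so the same triage routine serves the Hezb, z0Miner and 8220 Gang sections. The following is an added example, not code from the original report: it extracts those fields from an XMRig-style command line or config file, sanity-checks the wallet as a Monero address, and matches against the IoCs printed above. The sample command line and config are constructed; only the pools and wallets are taken from this page.

```python
import json
import re

# IoCs as printed in this report (defanged), keyed by the family names used above.
MINER_IOCS = {
    "Hezb": {"pool": "gulf.moneroocean[.]stream:10001",
             "wallet": "46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN"},
    "z0Miner": {"pool": "pool.supportxmr[.]com:80",
                "wallet": "44Lu9jhKUuTVcSwGL1jLU6MKyFVNewBdL5mT13fjxLhFTSa5i6E5hMrAv1SmH16NYvc51GY6RnvQSKM4CDFFRov68aRFgYi"},
    "8220 Gang": {"pool": "51.79.175[.]139:8080",
                  "wallet": "46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ"},
}

# Monero standard address: 95 Base58 characters starting with '4' (subaddresses start with '8').
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# XMRig's pool/user/pass switches, short and long forms.
XMRIG_FLAGS = {"-o": "pool", "--url": "pool", "-u": "wallet", "--user": "wallet",
               "-p": "pass", "--pass": "pass"}


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def parse_xmrig_cmdline(cmdline: str) -> dict:
    """Pull pool/wallet/pass out of an XMRig-style command line (Hezb and 8220 Gang shape)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    found = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        name, eq, value = tok.partition("=")
        if eq and name in XMRIG_FLAGS:                    # --url=host:port form
            found[XMRIG_FLAGS[name]] = value
        elif tok in XMRIG_FLAGS and i + 1 < len(tokens):  # -o host:port form
            found[XMRIG_FLAGS[tok]] = tokens[i + 1]
            i += 1
        i += 1
    return found


def parse_xmrig_config(text: str) -> list:
    """Pull the same fields from every entry of an XMRig config.json 'pools' array (z0Miner shape)."""
    cfg = json.loads(text)
    return [{"pool": p.get("url", ""), "wallet": p.get("user", ""), "pass": p.get("pass", "")}
            for p in cfg.get("pools", [])]


def classify(entry: dict) -> dict:
    """Match extracted settings against the report's IoCs and check the wallet format."""
    pool, wallet = entry.get("pool", ""), entry.get("wallet", "")
    hits = [fam for fam, ioc in MINER_IOCS.items()
            if pool == refang(ioc["pool"]) or wallet == ioc["wallet"]]
    return {"pool": pool, "wallet": wallet, "pass": entry.get("pass", ""),
            "monero_address": MONERO_ADDR.match(wallet) is not None,
            "known_family": hits[0] if hits else None}


# Constructed inputs: an AddInProcess.exe command line of the shape described for
# 8220 Gang and a z0Miner-style config.json. Pools and wallets are the report's
# IoCs; the other switches and values are invented.
SAMPLE_CMDLINE = ("AddInProcess.exe -o 51.79.175.139:8080 "
                  "-u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ "
                  "-p x --donate-level=1")
SAMPLE_CONFIG = json.dumps({"pools": [{
    "url": "pool.supportxmr.com:80",
    "user": "44Lu9jhKUuTVcSwGL1jLU6MKyFVNewBdL5mT13fjxLhFTSa5i6E5hMrAv1SmH16NYvc51GY6RnvQSKM4CDFFRov68aRFgYi",
    "pass": "x"}]})

if __name__ == "__main__":
    print(classify(parse_xmrig_cmdline(SAMPLE_CMDLINE)))
    for pool_entry in parse_xmrig_config(SAMPLE_CONFIG):
        print(classify(pool_entry))
```

Feed it the command lines of unexpected child processes of InstallUtil[.]exe or AddInProcess[.]exe, and any config[.]json found next to an unfamiliar binary in %TEMP%; a valid Monero address on the command line of a signed .NET host process is suspicious even when the pool is not one of the three listed here.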
Web shell locations:
Godzilla JSP Webshell
Godzilla Webshell Dropper
Other IoCs can be found here.