Hackers using Confluence servers to install cryptojacking malware

Cybercriminals are now exploiting a vulnerability in Confluence servers to install cryptojacking malware. According to a report by Trend Micro, the vulnerability has been well documented in the past. However, at the time, it was being used to target victims with DDoS attacks.

Confluence is a widely popular planning and collaboration software developed by the Australian software giant, Atlassian. Trend Micro reported that it had noticed one of the vulnerabilities, CVE-2019-3396, in April, a month after Atlassian published an advisory covering the same. CVE-2019-3396 is a template injection in the Widget Connector that allows cybercriminals to execute code remotely on their victims’ machines.

The vulnerability was first used for a DDoS attack in Romania. However, the cybersecurity and analytics company revealed that hackers are now using it to install a Monero crypto miner that comes with a rootkit. The rootkit serves to hide the malware’s network activity. It also shows false CPU usage on the affected machine, misleading the user and further concealing the mining process. The report further revealed that the rootkit re-installs the malware should the victim manage to remove it.

The attack begins by sending a command to download a shell script hosted on Pastebin, an online content hosting service where users store plain text for a set period of time. The malware then kills off some of the processes running on the host machine before downloading other resources, also from Pastebin.

The vulnerability mainly targets older versions of Confluence, with Atlassian urging its users to download patched versions of Confluence Server and Data Center to protect themselves.

In recent times, cryptojacking has become increasingly popular with cybercriminals. The tactics are also advancing, with the criminals seeking to stay ahead of the security experts. As we reported recently, a new malware that targets Linux servers has been modified to shut down other crypto miners in the host’s system. Known as Shellbot, the malware uses the SSH brute force technique to infect servers that are connected to the internet and that have a weak password.

Microsoft Korea also recently revealed that cryptojacking has become one of the most potent threats to South Korean companies. In its report, the firm urged South Korean companies to turn to cloud computing and to conduct regular training for its employees on how to steer clear of cyber threats.