Explore CVE-2023-22527 in Atlassian Confluence: Detailed analysis of cryptojacking attacks, methods, and essential security recommendations

Continue reading
CVE-2023-22527, a critical vulnerability found in Atlassian with a severity score of 10, is actively exploited for cryptojacking, transforming affected environments into cryptomining networks. Attackers employ techniques such as shell scripts, XMRig miners, targeting SSH endpoints, killing competing cryptomining processes, and establishing persistence through cron jobs. Organizations are urged to update their Confluence instances and adopt robust security practices.
On January 16, 2024, Atlassian disclosed [CVE-2023-22527]https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html), a critical vulnerability affecting Confluence Data Center and Server versions from 8.0.x through 8.5.3. This vulnerability, related to template injection, allows unauthenticated remote code execution (RCE), posing significant security risks.
Affected Versions:
| Product | Affected Versions |
|---|---|
| Confluence Data Center | 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3 |
| Confluence Server | 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3 |
Exploitation of CVE-2023-22527 involves leveraging a template injection vulnerability for remote code execution.
First Threat Actor: Utilizes XMRig miner via an ELF file payload. This attack vector demonstrates:

*Malicious request from the first threat actor*
Second Threat Actor: Implements a shell script executed via SSH across accessible endpoints, including:

*Malicious request from the second threat actor*
Shell Script Behavior:

*Detailed analysis of script functions and impacts*
Script Execution: After initial exploitation, the script:
Organizations should:
Additional Solutions:
1. SSH Lateral Movement:
eventSubId: 2 AND processCmd:ssh AND processCmd:oStrictHostKeyChecking AND processCmd:oBatchMode2. Malicious Cron Activities:
eventSubId: 2 AND (processCmd:cron OR objectCmd:cron) AND (processCmd:echo OR objectCmd:echo)Detailed indicators of compromise are available here.
| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Defense Evasion | Disable or Modify Tools | T1562.001 |
| Clear Command History | T1070.003 | |
| Clear Linux or Mac System Logs | T1070.002 | |
| Command and Control | Ingress Tool Transfer | T1105 |
| Persistence |

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.
| Scheduled Task/Job: Cron |
| T1053.003 |
| Collection | Data from Local System | T1005 |
| Impact | Resource Hijacking | T1496 |