Last week, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild.
Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company.
Check Point Research (CPR) researchers observed a lot of exploitation attempts after the disclosure of the RCE, some of the malicious payloads employed in the attacks were used as part of the same campaign conducted by the same threat actor tracked by the security firm as 8220 gang.
The attacks were aimed at both Linux and Windows operating systems using different infection chains.
In attacks against Linux systems, the attackers exploited the flaw by sending a crafted HTTP request to the victim:
In attacks against Windows systems, the threat actors exploited the flaw to execute a PowerShell download cradle to initiate a fileless attack from a remote C&C server.
In the Linux attack chain, the payload fetches a malware dropper script and achieves persistence via cron jobs. In the Windows attack chain, the checkit2.exe process spawns a child process (InstallUtil.exe) which connects to the C2 server.
The malware downloads a new copy of itself, with a new name, to the Start Menu folder.
The crypto-miner now runs on the machine and exhausts all the system’s resources:
Both attack scenarios start with an initial crafted HTTP request exploiting the CVE-2022-26134 vulnerability. The attacker executes commands using the Java execution function to download a malicious payload to the victim’s machine.
The a[.]oracleservice.top domain and the crypto wallet we extracted from the system are related to a cybercriminal group called the “8220 gang”.