Overview 

In June 2022, Avertium published a Flash Notice regarding a remote code execution (RCE) vulnerability found in the collaboration tool of Atlassian Confluence. The vulnerability is tracked as CVE-2022-26134 and impacts all versions of Confluence Server and Confluence Data Center.  

Although Atlassian released updates for the vulnerability in June 2022, attackers are still compromising unpatched devices. Trend Micro discovered that the gap in security is being abused by attackers for malicious cryptocurrency mining. If left unpatched, an attacker could use CVE-2022-26134 for multiple attacks, such as domain takeover and the deployment of information stealers, remote access trojans, and ransomware.  

If you have not already done so, Atlassian recommends that you patch all Confluence and Data Center servers immediately by following their instructions, which you can find here. If you are unable to patch your servers, Atlassian has issued mitigations for Confluence 7.0.0 through version 7.18.0, which you can find here. The same recommendations from June 2022 still apply. 

 

 

New INDICATOR'S OF COMPROMISE (IOCS):

http://202.28.229.174/ap[.txt] 

http://202.28.229.174/kthmimu[.txt]  

http://202.28.229.174/sys.x86[_64]  

http://202.28.229.174/[ko]  

http://202.28.229.174/ldr[.sh]  

http://202.28.229.174/ap[.sh]  

http://202.28.229.174/[curl]  

http://202.28.229.174/[kik]  

aaa4aaa14e351350fccbda72d442995a65bd1bb8281d97d1153401e31365a3  

4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f 

f13e48658426307d9d1434b50fa0493f566ed1f31d6e88bb4ac2ae12ec31ef1f  

202.28.229[.174] 

199.247.0[.216] 

106.251.252.226[:4545] 




 

Supporting documentation

Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware (trendmicro.com) 

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware/IOCs-atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.txt 

 

 

 

 

Related Reading: Atlassian Confluence Critical Hardcoded Password Vulnerability Under Active Exploitation

 

Contact us for more information about Avertium’s managed security service capabilities.