Researchers at Trend Micro published a report on Tuesday that z0Miner, a prolific malware threat that abuses compromised systems to mine cryptocurrency, has started using the recently-disclosed vulnerability CVE-2021-26084 to exploit Atlassian Confluence servers that have not had the latest security patch installed. Once the vulnerable servers are exploited, z0Miner downloads a PowerShell script, batch files, and a DLL file from servers at IP addresses 213.152.165.29 (Netherlands) and 27.1.1.34 (South Korea). The malware uses “reg add” commands in a Windows batch file to directly manipulate the Windows registry of the victim servers in order to install a new service named “Hyper-V Guest Virtualization Service” – the service installation will ensure that the malware runs whenever the server is restarted. Another of the malware’s scripts uses the “schtasks /create” command to install a service named “.NET Framework NGEN v4.0.30319 32” that actually uses PowerShell to download a malicious script that was hosted on Pastebin.com and execute it every five minutes. The Pastebin security team has already removed the project hosting the malicious script.
Analyst Notes
The most important action for systems administrators to take in response to this information is to promptly apply the security updates for Atlassian Confluence servers. The affected versions are 6.6.0, 6.13.0, 7.4.0, and 7.12.0. After patching the servers, it is also important to check for any signs that it was compromised during the time it was exposed in a vulnerable state. Companies that host servers that face the public Internet should isolate those servers from interacting with other computers on the internal corporate network and monitor the servers closely for unexpected events such as new services being installed, and unusual scripts being executed. It is also helpful to monitor for PowerShell, Windows Scripting Host processes, and other programs making connections to Pastebin.com or other public services that are abused by threat groups. Monitoring servers and quickly responding to security events requires a skilled Security Operations Center (SOC) operating 24 hours a day, seven days a week. A SOC can be staffed with internal employees or managed by a security service such as Binary Defense.
https://www.zdnet.com/article/this-cryptocurrency-miner-is-exploiting-the-new-confluence-remote-code-execution-bug/
