Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Confluence servers. Show all posts

CloudSEK Blames Another Cybersecurity Company for the Hack

 

An Indian cybersecurity company claimed that another cybersecurity company had accessed its internal training website using a credential from a compromised collaboration platform. 

The CEO of Bengaluru-based CloudSEK, Rahul Sasi, declined to name the alleged offender other than to describe it as a "notorious Cyber Security organization that is into Dark web monitoring." 

An update to an ongoing cybersecurity incident was posted late Tuesday night by CloudSEK, which claims to use artificial intelligence to predict cyber threats. It stated that someone had obtained an employee's login information for the company's Atlassian Jira issue-tracking platform and used it to access the Atlassian Confluence server. 

Although "no database or server access was stolen," Sasi noted, the attacker grabbed "certain internal details including screenshots, issue reports, names of clients, and schema Diagrams." About two hours later, Sasi filed an update stating that attack indicators had pointed to the unnamed dark web monitoring firm. 

Sasi also reported that a hacker going by the handle "sedut" joined several forums for cybercriminals and refuted claims that they had gained access to the company's VPN, primary database, and Twitter account. CloudSEK acknowledges that a hacker did gain access to its Jira instance and retrieve some customer purchase orders. 

The company claims the hacker compromised a takedown account but was unable to reach the company's primary Twitter account. It continues that the allegedly authentic screenshots and video of the database that "sedut" released online was really stolen from training webpages that were published on Atlassian servers. The business claims that while the hacker did not obtain VPN login credentials, they did access its VPN IP addresses. 

Concerning how the employee's Jira credentials were hacked in the first place, the business claims that it shipped a broken staff laptop to a third-party vendor, who then returned it with the Vidar Stealer pre-installed. According to CloudSEK, the information thief operator published the employee's session cookies to a black market on the same day that the attacker bought them. 

An advertisement for supposed CloudSEK data has been posted in a criminal forum by a "sedut": $10,000 for the database, $8,000 for the code base, and $8,000 for employee and engineering product documentation. No "suspicious behavior" has been discovered, according to CloudSEK, in its code repositories.

Chinese Group Botnet Illegally Mine Crypto

 

Linux and cloud app vulnerabilities have been used by the 8220 Group crypto mining gang to expand their botnet to over 30,000 affected systems.

Over the course of just the previous month, SentinelOne researchers reported detecting this notable rise in the number of infected hosts. The malicious botnet, according to analysts, was only active on 2,000 servers worldwide by the middle of 2021.

The 8220 group has been operating at least since 2017. The hackers are China-based and the organization's name is derived from the port 8220 that the miner uses to connect to the C2 servers. 

Operation tactics

According to reports, the growth was spurred by the adoption of Linux, widespread vulnerabilities in cloud applications, and inadequately secured setups for services like Docker, Apache WebLogic, and Redis.

This group has used a publically available exploit in the past to breach confluence systems. Once inside, the attackers employ SSH brute force to spread out and commandeer the available computing power to operate crypto miners that point to untraceable pools.

Another improvement is the script's usage of block lists to prevent infections on particular hosts, usually, honeypots set up by security researchers.

Lastly, 8220 Gang has updated PwnRig, their proprietary crypto miner based on XMRig, an open-source Monero miner.

Microsoft researchers claim that the gang has actively upgraded its payloads and tactics over the past year. In a recent campaign, the organization targeted Linux systems running on i686 and x86 64 architectures and gained early access using RCE exploits for CVE-2022-26134 (Atlassian Confluence) CVE-2019-2725 (WebLogic) vulnerabilities.

In addition to underscoring a more intense "fight" to seize control of victim systems from rival cryptojacking-focused groups, the operations' expansion is seen as an effort to counteract the declining value of cryptocurrencies.



Confluence Servers are Being Targeted by the New Atom Silo Malware

 

A new ransomware operator is targeting Confluence servers, gaining initial access to susceptible systems by exploiting a recently reported vulnerability. According to Sean Gallagher and Vikas Singh of Sophos, the new threat actors, called Atom Silo, are exploiting the flaw in the hopes that Confluence server owners have yet to apply the essential security patches to fix the vulnerability. 

Atlassian Confluence is a web-based virtual workspace for businesses that allows teams to collaborate on projects and communicate. Atom Silo recently launched a two-day cyberattack, according to Sophos. The attackers were able to get initial access to the victim's corporate environment due to a vulnerability identified as CVE-2021-08-25. 

Atlassian released security fixes on August 25 to address a Confluence remote code execution (RCE) vulnerability that had been exploited in the wild and was tracked as CVE-2021-26084. They also discovered that the ransomware utilized by this new gang is nearly comparable to LockFile, which is quite similar to the LockBit malware.

Several innovative approaches that made it exceedingly difficult to examine, including the side-loading of malicious dynamic-link libraries targeted to disrupt endpoint protection software, according to Atom Silo operators. Following the compromise of Confluence servers and the installation of a backdoor, the threat actors use DLL side-loading to execute a second-stage stealthier backdoor on the compromised machine. 

"The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago," said Sean Gallagher, a senior threat researcher at Sophos. "In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware." 

According to Sophos, ransomware operators and other malware authors are becoming increasingly competent at exploiting these flaws, latching on publicly available proof-of-concept exploits for freshly discovered vulnerabilities and weaponizing them quickly to benefit from them. 

"To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks," they added.

Confluence servers hacked to install malware

Cybercriminals are now exploiting a vulnerability in Confluence servers to install cryptojacking malware. According to a report by Trend Micro, the vulnerability has been well documented in the past. However, at the time, it was being used to target victims with DDoS attacks.

Confluence is a widely popular planning and collaboration software developed by the Australian software giant, Atlassian. Trend Micro reported that it had noticed one of the vulnerabilities, CVE-2019-3396, in April, a month after Atlassian published an advisory covering the same. CVE-2019-3396 is a template injection in the Widget Connector that allows cybercriminals to execute code remotely on their victims’ machines.

The vulnerability was first used for a DDoS attack in Romania. However, the cybersecurity and analytics company revealed that hackers are now using it to install a Monero crypto miner that comes with a rootkit. The rootkit serves to hide the malware’s network activity. It also shows false CPU usage on the affected machine, misleading the user and further concealing the mining process. The report further revealed that the rootkit re-installs the malware should the victim manage to remove it.

The attack begins by sending a command to download a shell script hosted on Pastebin, an online content hosting service where users store plain text for a set period of time. The malware then kills off some of the processes running on the host machine before downloading other resources, also from Pastebin.

The vulnerability mainly targets older versions of Confluence, with Atlassian urging its users to download patched versions of Confluence Server and Data Center to protect themselves.

In recent times, cryptojacking has become increasingly popular with cybercriminals. The tactics are also advancing, with the criminals seeking to stay ahead of the security experts. As we reported recently, a new malware that targets Linux servers has been modified to shut down other crypto miners in the host’s system. Known as Shellbot, the malware uses the SSH brute force technique to infect servers that are connected to the internet and that have a weak password.