Atlassian Confluence hacked to mine Monero
Criminals are using the incident to further improve the security of its infrastructure
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The Jenkins project discovered that last week one of its deprecated Confluence servers fell victim to therecently disclosedremote code execution (RCE) vulnerability.
Jenkins is a popularopen sourcetool that helps automate parts of software development.
Recently a proof-of-concept exploit code for the Confluence vulnerability, tracked as CVE-2021-26084, became public, and it didn’t take long for threat actors to begin scanning and exploiting vulnerable instances of the popularcollaboration platform, for nefarious purposes like installingcryptominers.
“Thus far in our investigation, we have learned that theConfluence CVE-2021-26084exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure,” members from the Jenkins project shared via a jointblog post.
Assuming the worst
For its part, Atlassian was quick to issue a patch to plug the security gaffe, but that didn’t dissuade the attackers.
In fact, the scanning and exploitationreached such levelsthat variouscybersecurityagencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the US Cyber Command (USCYBERCOM) issued advisories urging admins to patch their vulnerable servers without delay.
The compromised Confluence server at Jenkins had been deprecated since 2019, and the project’s infrastructure team had been migrating its content over to GitHub.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While the server has now been permanently disabled, the project shared that since the Confluence server was integrated with theiridentity managementsystem, which also powers other services such as Jira, Artifactory, and several others, it’s conducting a thorough investigation.
At the moment it doesn’t appear any developer credentials were exfiltrated during the attack, but since Jenkins “cannot assert otherwise,” the project is assuming the worst and has reset passwords for all accounts in their integrated identity system.
“We are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community,” shares the project.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Sihoo Doro S100 ergonomic office chair review
