This cryptocurrency miner is exploiting the new Confluence remote code execution bug | ZDNet

The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines. 

Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently-disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year. 

Tracked as CVE-2021-26084, the vulnerability impacts Confluence server versions 6.6.0, 6.13.0, 7.4.0, and 7.12.0. 

Issued a CVSS severity score of 9.8, the critical security flaw is an Object-Graph Navigation Language (ONGL) injection vulnerability that can be exploited to trigger RCE — and is known to be actively exploited in the wild. 

The vulnerability was reported by Benny Jacob through Atlassian’s bug bounty program.

z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the RCE, as well as Oracle’s WebLogic Server RCE (CVE-2020-14882) an ElasticSearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.  

Once a vulnerable server has been found and the vulnerability has been used to obtain remote access, the malware will deploy a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service, as well as a scheduled task that pretends to be a legitimate .NET Framework NGEN task. 

The task will attempt to download and execute malicious scripts from a repository on Pastebin, but as of now, the URL has been pulled. 

These initial actions are aimed at maintaining persistence on an infected machine. In its second-stage payload deployment, z0Miner will then scan and destroy any competing cryptocurrency miners installed on the server, before launching its own — a miner that steals computing resources to generate Monero (XMR).

A patch has been released to resolve CVE-2021-26084, and as threat actors will always seek to exploit new bugs for their own ends — the Microsoft Exchange Server attacks being a prime example — vulnerable systems should always be updated with new security fixes as quickly as possible by IT administrators.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.