Atlassian Confluence hacked to mine Monero

Reprensentational image depicting a mine worker toiling to mine cryptocurrency
(Image credit: Yevhen Vitte / Shutterstock)
Audio player loading…

The Jenkins project discovered that last week one of its deprecated Confluence servers fell victim to the recently disclosed (opens in new tab) remote code execution (RCE) vulnerability.

Jenkins is a popular open source (opens in new tab) tool that helps automate parts of software development.

Recently a proof-of-concept exploit code for the Confluence vulnerability, tracked as CVE-2021-26084, became public, and it didn’t take long for threat actors to begin scanning and exploiting vulnerable instances of the popular collaboration platform (opens in new tab), for nefarious purposes like installing cryptominers (opens in new tab).

“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 (opens in new tab) exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure,” members from the Jenkins project shared via a joint blog post (opens in new tab).

Assuming the worst

For its part, Atlassian was quick to issue a patch to plug the security gaffe, but that didn’t dissuade the attackers.

In fact, the scanning and exploitation reached such levels (opens in new tab) that various cybersecurity (opens in new tab) agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the US Cyber Command (USCYBERCOM) issued advisories urging admins to patch their vulnerable servers without delay.

The compromised Confluence server at Jenkins had been deprecated since 2019, and the project’s infrastructure team had been migrating its content over to GitHub.

While the server has now been permanently disabled, the project shared that since the Confluence server was integrated with their identity management (opens in new tab) system, which also powers other services such as Jira, Artifactory, and several others, it’s conducting a thorough investigation.

At the moment it doesn’t appear any developer credentials were exfiltrated during the attack, but since Jenkins “cannot assert otherwise,” the project is assuming the worst and has reset passwords for all accounts in their integrated identity system.

“We are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community,” shares the project.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.