Atlassian Confluence hacked to mine Monero

Reprensentational image depicting a mine worker toiling to mine cryptocurrency
(Image credit: Yevhen Vitte / Shutterstock)

The Jenkins project discovered that last week one of its deprecated Confluence servers fell victim to the recently disclosed remote code execution (RCE) vulnerability.

Jenkins is a popular open source tool that helps automate parts of software development.

Recently a proof-of-concept exploit code for the Confluence vulnerability, tracked as CVE-2021-26084, became public, and it didn’t take long for threat actors to begin scanning and exploiting vulnerable instances of the popular collaboration platform, for nefarious purposes like installing cryptominers.

“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure,” members from the Jenkins project shared via a joint blog post.

Assuming the worst

For its part, Atlassian was quick to issue a patch to plug the security gaffe, but that didn’t dissuade the attackers.

In fact, the scanning and exploitation reached such levels that various cybersecurity agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the US Cyber Command (USCYBERCOM) issued advisories urging admins to patch their vulnerable servers without delay.

The compromised Confluence server at Jenkins had been deprecated since 2019, and the project’s infrastructure team had been migrating its content over to GitHub.

While the server has now been permanently disabled, the project shared that since the Confluence server was integrated with their identity management system, which also powers other services such as Jira, Artifactory, and several others, it’s conducting a thorough investigation.

At the moment it doesn’t appear any developer credentials were exfiltrated during the attack, but since Jenkins “cannot assert otherwise,” the project is assuming the worst and has reset passwords for all accounts in their integrated identity system.

“We are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community,” shares the project.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.