ALPS blog

We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already released a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware. Users and organizations are advised to upgrade to the fixed versions, apply the available patches, or to apply temporary fixes as soon as possible to mitigate the risks of abuse.

Abusing the gap

Figure 1. Infection chain

The vulnerability can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI) to the victim server, resulting in an RCE.

To identify whether the installed Confluence Server is vulnerable, the attacker can send an HTTP request to run an id command. Upon successful exploitation, the attacker can read its response in a controlled HTTP response header. From the sample we analyzed, executing the id command yielded an output of “X-Cmd-Response” header — the vulnerable server will execute the command and set its response in the attacker-defined header.

Figure 2. Attacker sends a malicious request to check for user information
Figure 3. The response to the attacker’s malicious request

Looking at the malware routine

Using Trend Micro Cloud One™  Workload Security modules to track the components and activities of the cryptocurrency malware used, we observed the following events and components:

  • Intrusion Prevention System (IPS): Aside from blocking the exploitation of CVE-2022-26134 and other application vulnerabilities, IPS also tracked the incoming event’s traffic and the payload’s data and trigger. In this sample, the attacker injected an OGNL expression to download and run the script in the victim’s machine. This script file downloaded another script,
Figure 4. IPS event on attack traffic
Figure 5. Payload data captured
  • Web reputation module: Aside from blocking the malicious URL, we also observed the command-and-control (C&C) URL server that the malware was communicating with for the payload download routine.
Figure 6. Blocking the malicious URL
  • Antimalware module: Aside from protecting the targeted system against the exploitation of the vulnerability in real time using behavior monitoring, the antimalware module can also detect and block the download of other components to execute the malware. In this sample, the scripts were downloading the cryptocurrency miner malware hezb.
Figure 7. Detecting the malicious cryptocurrency miner
  • Activity monitoring module: This module detects process, file, and network activities on endpoints running Workload Security. From our analysis, the hezb malware initiated a process to communicate with the C&C server.
Figure 8. Telemetry event of a process initiated by the hezb malware

Tracking the shell scripts

Once the exploit payload is executed in the victim machine, the malware downloads the shell script file. This shell script performs multiple actions and we break it down as follows:

1.      The script updates the path variable to include the /tmp and /dev/shm paths.

Figure 9. Updating the path variable

2.      If the curl utility is not present in the system, the script downloads and installs its own curl binary file from the C&C server.

Figure 10. Function to download the scripts and binaries

3.      Like many other cryptocurrency-mining malware, it disables the iptables or changes the firewall policy action to ACCEPT and flushes all the firewall rules.

Figure 11. Disabling the firewall

4.      The script downloads a binary file ko, which takes the advantage of the PwnKit vulnerability to escalate the privilege to the root user, while the binary file downloads the shell script for the next actions.

Figure 12. Script downloading other resources

5.      The script downloads the hezb malware and kills multiple processes that belong to other competing coin miners, disables cloud service provider agents, and proceeds with lateral movement.

Figure 13. Disabling cloud service provider agents

a.      The script checks for the presence of hezb in the running process. If it is not found, the script downloads the binary file according to the system architecture (such as sys.x86_64), renames it to “hezb”, and communicates with its C&C server hosted at 106[.]252[.]252[.]226 using port 4545.

Figure 14. Downloading the malicious cryptocurrency miner
Figure 15. Detection of hezb connecting to its C&C server using Trend Micro Vision One™

b.      Under the /root and /home directories, the script scans for secure shell protocol (SSH) users, keys, and hosts in the .ssh directory and .bash_history file.

Figure 16. Collecting information for lateral movement via SSH

While doing lateral movement via SSH, the malware also downloads the script on the remote hosts. contains the hard-coded information of the miner wallet address that it needs to communicate with. Upon closer examination, we can see that the script has the same content as and, except for the process where the script simultaneously connects with the miner server and uses different IP addresses and arguments.

Figure 17. Miner connecting to C&C server
Figure 18. Detection of vulnerability exploitation by observed attack techniques (OATs)
Figure 19. Trend Micro Vision One Workbench app detection of correlated events

We analyzed the script capable of changing the attribute of </etc/> to make it mutable. </etc/> does not commonly exist in the usual installation of Linux. The presence of this file and other paths to arbitrary executables could indicate malicious libraries, which also imply the presence of other malware. Making the file mutable clears the contents of the file by changing the file permissions to free the system’s resource because other malicious processes will be unable to work.

We also observed that it can scan the status of all mounted file systems in the </proc/mount> directory.

Figure 20. Tracking the telemetry activity of changing attributes with the Workbench app’s Execution Profile feature


Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible since it is fairly simple to exploit it for other subsequent compromises.  Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself. Aside from the hezb malware, we observed Kinsing and the Dark.IoT malware from our honeypot abusing this vulnerability. Reports of cybercriminals exploiting this gap in attempts to deploy malware such as Mirai and web shells such as China Chopper have also emerged, with analyses detailing the abuse of vulnerable servers to spread and expand attacks.

We’ve observed a number of companies who have been hit with the active exploitation of CVE-2022-26134. According to Confluence’s website, over 75,000 customers use the collaboration tool for their business and work operations, which implies that a number of industries could be vulnerable and overwhelmed with attacks if their respective platforms remain unpatched. Organizations who have yet to patch or upgrade their respective subscriptions to a fixed version are advised to apply the recommended mitigation steps from the official documentation released.

Trend Micro solutions

Trend Micro Vision One™ customers are protected from the abuse of this vulnerability and its accompanying malicious payloads via Workload Security with the following rules:

  • 1011456: Atlassian Confluence and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
  • 1008610: Block Object-Graph Navigation Language (OGNL) Expressions Initiation in Apache Struts HTTP Request

Workload Security’s correlation of telemetry and detections provide initial security context, allowing security teams and analysts to track and monitor the threats activities. In the next section, Trend Micro Vision One provides more details into the paths and events in real time.

Using Trend Micro Vision One, the observed attack techniques (OATs) is generated from individual events that provide security teams and analysts with security value. To investigate the possible attempts of exploitation using this vulnerability, analysts can look for these OAT IDs from the other helper OAT triggers indicative of suspicious activities on the affected host, such as:

  1. F2588 – Atlassian Vulnerability Exploitation
  2. F2358 – Recursive File Deletion via RM Command
  3. F2360 – Process Discovery via PS command
  4. F4584 – Identified Transfer of Suspicious Files Over Network
  5. F3737 – Curl Execution
  6. F4868 – Wget Execution
  7. F2918 – View File via Cat Command
  8. F4986 – Malware Detection
  9. F2140 – Malicious Software
  10. F2681 – Display Users and Groups List
  11. F2763 – Malicious URL

The Trend Micro Vision One Workbench app helps analysts see the significant correlated events intelligently based on occurrences throughout the entire fleet of workloads. Analysts can view the different fields of interest that are considered important and provide security value, allowing security teams to see the compromised assets and isolate those that can be potentially affected while patching procedures are in progress. Using the Execution Profile feature in Vision One, analysts can through the extensive list of actions performed by an adversary from the search app or the threat hunting app to look for different activities observed in a given time frame.

Indicators of Compromise (IOCs)

You can find the full list of IOCs here.

MITRE ATT&CK Techniques

Technique ID
Exploit Public-Facing Application T1190
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification T1222.002
Hide Artifacts: Hidden Files and Directories T1564.001
Software Discovery T1518
Impair Defenses: Disable or Modify System Firewall T1562.004
Indicator Removal on Host: File Deletion T1070.004
Scheduled Task/Job: Cron T1053.003
Resource Hijacking T1496
System Information Discovery T1082
Remote System Discovery T1018
Remote Services: SSH T1021.004