Full Report
On 2024-02-15, a campaign was reported in which an unknown actor gained initial access through a 1-day vulnerability in Confluence Server to achieve resource hijacking. The tools observed were XMRig and Sliver.
Analysis Summary
# Incident Report: Exploitation of a Confluence Vulnerability Leading to Resource Hijacking
## Executive Summary
On February 15, 2024, an unknown threat actor targeted self-hosted Confluence Servers using a 1-day vulnerability to gain initial access. The primary objective was resource hijacking for cryptocurrency mining using XMRig, though the deployment of the Sliver C2 framework indicates potential for more sophisticated post-exploitation activities.
## Incident Details
- **Discovery Date:** 2024-02-15
- **Incident Date:** Circa February 2024
- **Affected Organization:** Not disclosed (General campaign)
- **Sector:** Various (Users of Confluence Server/Data Center)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Specific date/time not disclosed; reported widely on 2024-02-15.
- **Vector:** Exploitation of a 1-day vulnerability in Atlassian Confluence Server.
- **Details:** Attackers exploited unpatched Confluence environments shortly after vulnerability details were released or identified.
### Lateral Movement
- **Details:** Evidence of the **Sliver C2 framework** suggests the capability for lateral movement through the network, though immediate reports focused on local payload execution.
### Data Exfiltration/Impact
- **Details:** Primary impact involves **Resource Hijacking**. The **XMRig** miner was deployed to drain CPU resources for Monero mining.
### Detection & Response
- **How it was discovered:** Security researchers and monitoring tools identified unauthorized remote code execution (RCE) attempts and the presence of known malware signatures.
- **Response actions taken:** Patching of Confluence servers and termination of malicious processes.
## Attack Methodology
- **Initial Access:** Exploitation of 1-day vulnerability in Atlassian Confluence Server.
- **Persistence:** Established via Sliver C2 agents installed on the host.
- **Privilege Escalation:** Not explicitly detailed; code executed through the Confluence RCE runs with the privileges of the Confluence service account.
- **Defense Evasion:** Use of legitimate open-source penetration testing tooling (Sliver), whose traffic can blend with legitimate activity.
- **Discovery:** Automated scanning for vulnerable Confluence versions.
- **Lateral Movement:** Sliver C2 framework (capable of credential dumping and internal scanning).
- **Collection:** N/A (Focus on resource hijacking).
- **Exfiltration:** N/A.
- **Impact:** Resource Hijacking (Cryptojacking).
## Impact Assessment
- **Financial:** Increased infrastructure costs due to high CPU utilization; potential loss of productivity.
- **Data Breach:** None reported, though Sliver deployment poses a high risk of future breach.
- **Operational:** Degradation of Confluence server performance; service downtime during remediation.
- **Reputational:** Moderate; internal systems shown to be vulnerable to known exploits.
## Indicators of Compromise
- **Network indicators:**
  - Communications with known Sliver C2 infrastructure [defanged]
  - Connections to mining pools via the Stratum protocol [defanged]
- **File indicators:**
  - `XMRig` (cryptominer binary)
  - `Sliver` (cross-platform implant/C2 framework)
- **Behavioral indicators:**
  - High CPU spikes on servers hosting Confluence.
  - Unusual outbound network traffic on non-standard ports from the application server.
## Response Actions
- **Containment:** Isolated infected Confluence servers from the network.
- **Eradication:** Terminated mining processes and Sliver implants; deleted malicious binaries.
- **Recovery:** Restored server performance and applied security patches provided by Atlassian.
## Lessons Learned
- **Patch Management:** The speed at which "1-day" vulnerabilities are exploited highlights the need for a rapid patching cycle for internet-facing applications.
- **Tooling Overlap:** The presence of both a miner (XMRig) and a sophisticated C2 (Sliver) shows that attackers increasingly pursue multiple objectives at once, seeking immediate profit while maintaining long-term access.
## Recommendations
- **Immediate Patching:** Ensure all Atlassian Confluence Server and Data Center instances are updated to the latest secure version.
- **Egress Filtering:** Restrict outbound traffic from servers to only necessary services and ports to prevent C2 communication and mining pool connections.
- **Endpoint Monitoring:** Deploy EDR (Endpoint Detection and Response) to identify the execution of unauthorized binaries like Sliver or XMRig.
- **Vulnerability Scanning:** Implement frequent external scans to identify unpatched, internet-facing assets.
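The behavioral and network indicators above (Stratum mining-pool connections, outbound traffic on non-standard ports) and the egress-filtering recommendation can be checked together against connection logs from the application server. The following is an added example, not code from the original report: the log lines are constructed, and the Stratum port list and the egress allowlist are assumptions a defender would tune to their own environment.

```python
"""Flag Stratum mining-pool handshakes and egress-policy violations in
connection logs from a Confluence host (added example, not from the report)."""
import json
from typing import Dict, List, Optional

# Constructed log lines: ts src dst dport proto payload ("-" if none captured).
# The wallet and agent strings are placeholders, not real indicators.
SAMPLE_LOG = """\
1708000001 10.0.5.12 10.0.5.20 5432 tcp -
1708000002 10.0.5.12 203.0.113.7 3333 tcp {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","agent":"XMRig/x.y.z"}}
1708000003 10.0.5.12 198.51.100.9 443 tcp -
1708000004 10.0.5.12 192.0.2.44 8443 tcp -
1708000005 10.0.5.12 203.0.113.8 14444 tcp {"id":1,"method":"mining.subscribe","params":[]}
"""

# Ports commonly used by Stratum pools (assumption; tune per environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}
# JSON-RPC methods sent at the start of a Stratum session.
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "submit"}
# Egress allowlist for the application server: (destination, port) pairs (assumption).
EGRESS_ALLOW = {("10.0.5.20", 5432), ("198.51.100.9", 443)}


def parse_line(line: str) -> Dict:
    """Split one log record into its fields; payload keeps any remaining text."""
    ts, src, dst, dport, proto, payload = line.split(" ", 5)
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "payload": None if payload == "-" else payload}


def stratum_method(payload: Optional[str]) -> Optional[str]:
    """Return the JSON-RPC method if the payload looks like a Stratum handshake."""
    if not payload:
        return None
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def analyze(log: str) -> List[Dict]:
    """Return one alert per suspicious connection, with the reasons it was flagged."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        reasons = []
        method = stratum_method(rec["payload"])
        if method:
            reasons.append(f"stratum:{method}")      # protocol-level evidence of mining
        if rec["dport"] in STRATUM_PORTS:
            reasons.append("stratum_port")           # weaker, port-based heuristic
        if (rec["dst"], rec["dport"]) not in EGRESS_ALLOW:
            reasons.append("egress_policy")          # any destination not on the allowlist
        if reasons:
            alerts.append({"ts": rec["ts"], "dst": rec["dst"],
                           "dport": rec["dport"], "reasons": reasons})
    return alerts
```

The port heuristic alone produces false positives, so the protocol check and the allowlist violation are what should drive escalation; in production the allowlist would be derived from the server's documented dependencies.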