The critical vulnerability CVE-2023-22527 is being actively exploited for cryptojacking, turning affected Confluence Data Center and Server instances into nodes of cryptomining networks. Attackers exploit the flaw to deploy shell scripts and XMRig miners, target SSH endpoints, and maintain persistence via cron jobs. These attacks rely on remote code execution on vulnerable systems, enabling unauthorized cryptocurrency mining that consumes the affected servers' resources.
Atlassian released a security advisory on January 16, 2024, urging organizations to update their Confluence instances to the latest versions to mitigate this risk. The exploitation involves three main threat actors, whose tactics include killing competing cryptomining processes, deleting existing cron jobs, and installing new ones for persistence.