{"id":48530,"date":"2022-09-21T00:00:00","date_gmt":"2022-09-21T00:00:00","guid":{"rendered":"urn:uuid:8d955a73-e93e-1c2a-cf60-589d7b5954d2"},"modified":"2022-09-21T00:00:00","modified_gmt":"2022-09-21T00:00:00","slug":"atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/","title":{"rendered":"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-atlassian-confluence-vulnerability-cve-2022-26134-abused-cryptocurrency-mining-other-malware.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,cyber crime,exploits &amp; vulnerabilities,cyber threats,endpoints,mobile,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-09-21\"> <meta property=\"article:tag\" content=\"exploits &amp; vulnerabilities\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html\"> <title>Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware <\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html\"><br \/>\n<meta property=\"og:title\" content=\"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware \"><br \/>\n<meta property=\"og:description\" content=\"Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-atlassian-confluence-vulnerability-cve-2022-26134-abused-cryptocurrency-mining-other-malware.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware \"><br \/>\n<meta name=\"twitter:description\" content=\"Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-atlassian-confluence-vulnerability-cve-2022-26134-abused-cryptocurrency-mining-other-malware.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.112305025997\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1275183084\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7890625\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.109375\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.<\/p>\n<p class=\"article-details__author-by\">By: Sunil Bharti <time class=\"article-details__date\">September 21, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"35.599775784753\">\n<div readability=\"17.556053811659\">\n<p>We observed the active exploitation of <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-26134\">CVE-2022-26134<\/a>, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining. Confluence has already <a href=\"https:\/\/confluence.atlassian.com\/doc\/confluence-security-advisory-2022-06-02-1130377146.html\">released<\/a> a security advisory detailing the fixes necessary for all affected products, namely all versions of Confluence Server and Confluence Data Center. If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware. Users and organizations are advised to upgrade to the fixed versions, apply the available patches, or to apply temporary fixes as soon as possible to mitigate the risks of abuse.<\/p>\n<p><span class=\"body-subhead-title\">Abusing the gap<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure1-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig1-atlassian-confluence-vulnereability-abused-for-crypto-mining-other-malware\"><figcaption>Figure 1. Infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>The vulnerability can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the HTTP request Uniform Resource Identifier (URI) to the victim server, resulting in an RCE.<\/p>\n<p>To identify whether the installed Confluence Server is vulnerable, the attacker can send an HTTP request to run an <i>id<\/i> command. Upon successful exploitation, the attacker can read its response in a controlled HTTP response header. From the sample we analyzed, executing the <i>id<\/i> command yielded an output of \u201cX-Cmd-Response&#8221; header \u2014 the vulnerable server will execute the command and set its response in the attacker-defined header.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure2-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig2-atlassian-confluence-vulnerability-abused-for-crypto-mining-other-malware\"><figcaption>Figure 2. Attacker sends a malicious request to check for user information<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure3-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig3-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 3. The response to the attacker\u2019s malicious request<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><span class=\"body-subhead-title\">Looking at the malware routine<\/span><\/p>\n<p>Using Trend Micro Cloud One\u2122 &nbsp;Workload Security modules to track the components and activities of the cryptocurrency malware used, we observed the following events and components:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Intrusion Prevention System (IPS)<\/b>: Aside from blocking the exploitation of CVE-2022-26134 and other application vulnerabilities, IPS also tracked the incoming event\u2019s traffic and the payload\u2019s data and trigger. In this sample, the attacker injected an OGNL expression to download and run the <i>ro.sh<\/i> script in the victim\u2019s machine. This script file downloaded another script, <i>ap.sh<\/i>.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure4-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig4-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 4. IPS event on attack traffic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure5-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig5-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 5. Payload data captured<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Web reputation module<\/b>: Aside from blocking the malicious URL, we also observed the command-and-control (C&amp;C) URL server that the malware was communicating with for the payload download routine.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure6-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig6-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 6. Blocking the malicious URL<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Antimalware module<\/b>: Aside from protecting the targeted system against the exploitation of the vulnerability in real time using behavior monitoring, the antimalware module can also detect and block the download of other components to execute the malware. In this sample, the scripts were downloading the cryptocurrency miner malware hezb.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure7-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig7-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 7. Detecting the malicious cryptocurrency miner<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Activity monitoring module<\/b>: This module detects process, file, and network activities on endpoints running Workload Security. From our analysis, the hezb malware initiated a process to communicate with the C&amp;C server.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure8-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig8-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 8. Telemetry event of a process initiated by the hezb malware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><b>Tracking the shell scripts<\/b><\/p>\n<p>Once the exploit payload is executed in the victim machine, the malware downloads the <i>ro.sh\/ap.sh<\/i> shell script file. This shell script performs multiple actions and we break it down as follows:<\/p>\n<p>1.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The script updates the path variable to include the <i>\/tmp<\/i> and <i>\/dev\/shm<\/i> paths.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure9-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig9-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 9. Updating the path variable<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>2.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If the curl utility is not present in the system, the script downloads and installs its own curl binary file from the C&amp;C server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure10-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig10-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 10. Function to download the scripts and binaries<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>3.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Like many other cryptocurrency-mining malware, it disables the <i>iptables<\/i><b> <\/b>or changes the firewall policy action to <i>ACCEPT<\/i><b> <\/b>and flushes all the firewall rules.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure11-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig11-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 11. Disabling the firewall<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"30.079646017699\">\n<div readability=\"10.026548672566\">\n<p>4.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The script downloads a binary file <i>ko,<\/i> which takes the advantage of the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one.html\"><b>PwnKit vulnerability<\/b><\/a><b> <\/b>to escalate the privilege to the root user, while the binary file downloads the <i>ap.sh<\/i> shell script for the next actions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure12-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig12-atlassian-confluence-vuln-abused-for-crypto-mining-other-mlaware\"><figcaption>Figure 12. Script downloading other resources<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>5.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The <i>ap.sh<\/i> script downloads the hezb malware and kills multiple processes that belong to other competing coin miners, disables cloud service provider agents, and proceeds with lateral movement.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure13-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"figure13-atlassian-confluence-vulnerability-abused-for-crypto-mining-other-malware\"><figcaption>Figure 13. Disabling cloud service provider agents<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The <i>ap.sh<\/i> script checks for the presence of hezb in the running process. If it is not found, the script downloads the binary file according to the system architecture (such as sys.x86_64), renames it to \u201chezb&#8221;, and communicates with its C&amp;C server hosted at 106[.]252[.]252[.]226 using port 4545.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure14-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig14-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 14. Downloading the malicious cryptocurrency miner<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure15-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig15-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 15. Detection of hezb connecting to its C&amp;C server using Trend Micro Vision One\u2122<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Under the <i>\/root<\/i> and <i>\/home<\/i> directories, the script scans for secure shell protocol (SSH) users, keys, and hosts in the <i>.ssh<\/i> directory and <i>.bash_history<\/i> file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure16-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig16-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 16. Collecting information for lateral movement via SSH<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>While doing lateral movement via SSH, the malware also downloads the <i>ldr.sh<\/i> script on the remote hosts. <i>ldr.sh<\/i> contains the hard-coded information of the miner wallet address that it needs to communicate with. Upon closer examination, we can see that the <i>ldr.sh <\/i>script has the same content as <i>ro.sh<\/i> and <i>ap.sh<\/i>, except for the process where the script simultaneously connects with the miner server and uses different IP addresses and arguments.&nbsp;&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure17-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig17-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 17. Miner connecting to C&amp;C server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure18-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig18-atlassian-confluence-abused-for-crypto-mining-other-malware\"><figcaption>Figure 18. Detection of vulnerability exploitation by observed attack techniques (OATs)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure19-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig19-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 19. Trend Micro Vision One Workbench app detection of correlated events<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>We analyzed the script capable of changing the attribute of &lt;\/etc\/ld.so.preload&gt; to make it mutable. &lt;\/etc\/ld.so.preload&gt; does not commonly exist in the usual installation of Linux. The presence of this file and other paths to arbitrary executables could indicate malicious libraries, which also imply the presence of other malware. Making the file mutable clears the contents of the file by changing the file permissions to free the system\u2019s resource because other malicious processes will be unable to work.<\/p>\n<p>We also observed that it can scan the status of all mounted file systems in the &lt;\/proc\/mount&gt; directory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/figure20-atlassian-confluence-cve-2022-26134-abused-cryptocurrency-mining-other-malware.png\" alt=\"fig20-atlassian-confluence-vuln-abused-for-crypto-mining-other-malware\"><figcaption>Figure 20. Tracking the telemetry activity of changing attributes with the Workbench app\u2019s Execution Profile feature<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"51.778107306552\">\n<div readability=\"49.312483149097\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible since it is fairly simple to exploit it for other subsequent compromises. &nbsp;Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself. Aside from the hezb malware, we observed <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/k\/analysis-of-kinsing-malwares-use-of-rootkit.html\">Kinsing<\/a> and the <a href=\"https:\/\/www.lacework.com\/blog\/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134\/\">Dark.IoT<\/a> malware from our honeypot abusing this vulnerability. Reports of cybercriminals exploiting this gap in attempts to deploy malware such as Mirai and web shells such as <a href=\"https:\/\/cyberint.com\/blog\/research\/cve-2022-26134\/\">China Chopper<\/a> have also emerged, with analyses detailing the abuse of vulnerable servers to spread and expand attacks.<\/p>\n<p>We\u2019ve observed a number of companies who have been hit with the active exploitation of CVE-2022-26134. According to Confluence\u2019s website, over <a href=\"https:\/\/www.atlassian.com\/software\/confluence\">75,000<\/a> customers use the collaboration tool for their business and work operations, which implies that a number of industries could be vulnerable and overwhelmed with attacks if their respective platforms remain unpatched. Organizations who have yet to patch or upgrade their respective subscriptions to a fixed version are advised to apply the recommended mitigation steps from the official <a href=\"https:\/\/confluence.atlassian.com\/doc\/confluence-security-advisory-2022-06-02-1130377146.html\">documentation<\/a> released.<\/p>\n<p><span class=\"body-subhead-title\">Trend Micro solutions<\/span><\/p>\n<p>Trend Micro Vision One\u2122 customers are protected from the abuse of this vulnerability and its accompanying malicious payloads via Workload Security with the following rules:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">1011456: Atlassian Confluence and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">1008610:&nbsp;Block Object-Graph Navigation Language (OGNL) Expressions Initiation in Apache Struts HTTP Request<\/span><\/li>\n<\/ul>\n<p>Workload Security\u2019s correlation of telemetry and detections provide initial security context, allowing security teams and analysts to track and monitor the threats activities. In the next section, Trend Micro Vision One provides more details into the paths and events in real time.<\/p>\n<p>Using Trend Micro Vision One, the observed attack techniques (OATs) is generated from individual events that provide security teams and analysts with security value. To investigate the possible attempts of exploitation using this vulnerability, analysts can look for these OAT IDs from the other helper OAT triggers indicative of suspicious activities on the affected host, such as:<\/p>\n<ol>\n<li>F2588 &#8211; Atlassian Vulnerability Exploitation<\/li>\n<li>F2358 &#8211; Recursive File Deletion via RM Command&nbsp;<\/li>\n<li>F2360 &#8211; Process Discovery via PS command&nbsp;<\/li>\n<li>F4584 &#8211; Identified Transfer of Suspicious Files Over Network&nbsp;<\/li>\n<li>F3737 &#8211; Curl Execution&nbsp;<\/li>\n<li>F4868 &#8211; Wget Execution&nbsp;<\/li>\n<li>F2918 &#8211; View File via Cat Command&nbsp;<\/li>\n<li>F4986 &#8211; Malware Detection&nbsp;<\/li>\n<li>F2140&nbsp;&#8211; Malicious Software&nbsp;<\/li>\n<li>F2681 &#8211; Display Users and Groups List&nbsp;<\/li>\n<li>F2763 &#8211; Malicious URL<\/li>\n<\/ol>\n<p>The Trend Micro Vision One Workbench app helps analysts see the significant correlated events intelligently based on occurrences throughout the entire fleet of workloads. Analysts can view the different fields of interest that are considered important and provide security value, allowing security teams to see the compromised assets and isolate those that can be potentially affected while patching procedures are in progress. Using the Execution Profile feature in Vision One, analysts can through the extensive list of actions performed by an adversary from the search app or the threat hunting app to look for different activities observed in a given time frame.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>You can find the full list of IOCs <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/IOCs-atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK Techniques<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"8.5\">\n<tr>\n<th scope=\"col\">Technique<\/th>\n<th scope=\"col\">ID<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td>Exploit Public-Facing Application<\/td>\n<td>T1190<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Hijack Execution Flow:&nbsp;Path Interception by PATH Environment Variable<\/td>\n<td>T1574.007<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>File and Directory Permissions Modification:&nbsp;Linux and Mac File and Directory Permissions Modification<\/td>\n<td>T1222.002<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Hide Artifacts:&nbsp;Hidden Files and Directories<\/td>\n<td>T1564.001<\/td>\n<\/tr>\n<tr>\n<td>Software Discovery<\/td>\n<td>T1518<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Impair Defenses: Disable or Modify System Firewall<\/td>\n<td>T1562.004<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Indicator Removal on Host: File Deletion<\/td>\n<td>T1070.004<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Scheduled Task\/Job:&nbsp;Cron<\/td>\n<td>T1053.003<\/td>\n<\/tr>\n<tr>\n<td>Resource Hijacking<\/td>\n<td>T1496<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>System Information Discovery<\/td>\n<td>T1082<\/td>\n<\/tr>\n<tr>\n<td>Remote System Discovery<\/td>\n<td>T1018<\/td>\n<\/tr>\n<tr>\n<td>Remote Services:&nbsp;SSH<\/td>\n<td>T1021.004<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":48531,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9555,9513,9581],"class_list":["post-48530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-mobile"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-atlassian-confluence-vulnerability-cve-2022-26134-abused-cryptocurrency-mining-other-malware.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware\",\"datePublished\":\"2022-09-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/\"},\"wordCount\":1775,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/09\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Mobile\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/\",\"name\":\"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/09\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png\",\"datePublished\":\"2022-09-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/09\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/09\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png\",\"width\":1667,\"height\":1147},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/","og_locale":"en_US","og_type":"article","og_title":"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-09-21T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-atlassian-confluence-vulnerability-cve-2022-26134-abused-cryptocurrency-mining-other-malware.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware","datePublished":"2022-09-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/"},"wordCount":1775,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware","Trend Micro Research : Mobile"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/","url":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/","name":"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png","datePublished":"2022-09-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.png","width":1667,"height":1147},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=48530"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48530\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/48531"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=48530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=48530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=48530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}