{"id":56952,"date":"2024-08-28T00:00:00","date_gmt":"2024-08-28T00:00:00","guid":{"rendered":"urn:uuid:d6eb49aa-8f60-59eb-7f51-a536dcb8d707"},"modified":"2024-08-28T00:00:00","modified_gmt":"2024-08-28T00:00:00","slug":"cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/","title":{"rendered":"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We provide a technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim\u2019s system.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,cyber crime,exploits &amp; vulnerabilities,research,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-08-28\"> <meta property=\"article:tag\" content=\"exploits &amp; vulnerabilities\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/cve-2023-22527-cryptomining.html\"> <title>Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem | Trend Micro (US)<\/title> <link 
href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/cve-2023-22527-cryptomining.html\"><br \/>\n<meta property=\"og:title\" content=\"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem\"><br \/>\n<meta property=\"og:description\" content=\"We provide a technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim\u2019s system.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/cve-2023-22527-cryptomining.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem\"><br \/>\n<meta name=\"twitter:description\" content=\"We provide a technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim\u2019s system.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/cve-2023-22527-cryptomining.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" 
id=\"readabilityBody\" readability=\"50.320659642694\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"2073383603\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7645348837209\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.005813953488\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">A technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim\u2019s system.\n<\/p>\n<p class=\"article-details__author-by\">By: Abdelrahman Esmail <time class=\"article-details__date\">August 28, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"41.984848484848\">\n<div readability=\"29.636363636364\">\n<ul>\n<li><span class=\"rte-red-bullet\">The critical vulnerability CVE-2023-22527 is actively being exploited for cryptojacking activities, turning affected environments into cryptomining networks.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations are advised to update their Confluence instances to the latest versions and implement security best practices and tools to defend their systems.<br \/>&nbsp;<\/span><\/li>\n<\/ul>\n<p>On Jan 16, 2024, Atlassian released a security advisory for <a href=\"https:\/\/confluence.atlassian.com\/security\/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html\">CVE-2023-22527<\/a>, a critical (score of 10) vulnerability &nbsp;that affects Confluence Data Center and Confluence Server, which are enterprise-level deployments of Atlassian Confluence, a collaboration and documentation platform designed for teams and organizations to create, share, and collaborate on content.<\/p>\n<p>In a previous <a href=\"https:\/\/www.trendmicro.com\/en_dk\/research\/24\/b\/unveiling-atlassian-confluence-vulnerability-cve-2023-22527--und.html\">blog<\/a> entry, we provided a brief technical breakdown of CVE-2023-22527 and how a threat 
actor can potentially exploit it for malicious activities. Meanwhile, in this article, we will examine how attackers have been exploiting the vulnerability to launch cryptojacking attacks.<\/p>\n<p>By abusing CVE-2023-22527, an unauthenticated attacker has the potential to exploit a template injection vulnerability found in older versions of Confluence Data Center and Server, essentially enabling remote code execution (RCE) on the affected instance.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"2\">\n<tr>\n<th scope=\"col\">Product<\/th>\n<th scope=\"col\">Affected versions<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td>Confluence Data Center and&nbsp;Server<\/td>\n<td height=\"20\" width=\"64\">8.0.x 8.1.x 8.2.x 8.3.x 8.4.x 8.5.0-8.5.3<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><sup>Table 1. Affected Confluence Data Center and Confluence Server versions<\/sup><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>We observed this vulnerability being weaponized for cryptomining activities. In addition, we noticed a high number of exploitation attempts from mid-June to the end of July 2024.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig1.png\" alt=\"Figure 1. DS-1011954 exploitation attempt hits for Deep Security\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. 
DS-1011954 exploitation attempt hits for Deep Security<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig2.png\" alt=\"Figure 2. C1WS-1011954 exploitation attempt hits for Cloud One Workload Security\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. C1WS-1011954 exploitation attempt hits for Cloud One Workload Security<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig3.png\" alt=\"Figure 3. TP-43721 exploitation attempt hits for TippingPoint\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. TP-43721 exploitation attempt hits for TippingPoint<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>We observed three main threat actors exploiting CVE-2023-22527 via malicious scripts. The first threat actor used the XMRig miner to carry out mining activity via an ELF file payload (shown in Figure 4).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig4.png\" alt=\"Figure 4. The malicious request from the first threat actor\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. 
The malicious request from the first threat actor<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The attack chain used by the first threat actor is as follows:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"d4f03c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig5.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig5.png\" alt=\"Figure 5. Attack chain used in the first attack vector\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Attack chain used in the first attack vector<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"6dc841\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig6.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig6.png\" alt=\"Figure 6. Attack chain used in the second attack vector\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. Attack chain used in the second attack vector<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Meanwhile, the second threat actor used a shell script to execute miner activity through a shell file over Secure Shell (SSH) for all accessible endpoints in the customer environment. 
As shown in Figure 6, the attacker downloaded the shell file and ran it with bash&nbsp;from memory.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig7.png\" alt=\"Figure 7. The malicious request from the second threat actor\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. The malicious request from the second threat actor<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>We analyzed this script, which revealed the following behaviors:<\/p>\n<p>First, the script kills known cryptomining processes and any process being run from <i>*\/tmp\/*<\/i> directories.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig8.png\" alt=\"Figure 8. Killing processes related to known malware and any process being run from tmp directories \"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Killing processes related to known malware and any process being run from tmp directories <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Next, it deletes all cron jobs, and adds a new one that runs every five minutes to check for command-and-control (C&amp;C) server connectivity.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig9.png\" alt=\"Figure 9. 
Function to clear cron jobs and maintain access on the server using a scheduled task via crontab\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Function to clear cron jobs and maintain access on the server using a scheduled task via crontab<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The <i>der<\/i> function is responsible for uninstalling security services such as Alibaba Cloud Shield, while also blocking the Alibaba Cloud Shield IP address. Meanwhile, the <i>elif<\/i> condition is used to uninstall Tencent Cloud mirrors.<br \/><i><\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig10.png\" alt=\"Figure 10. Process termination for security services\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. Process termination for security services<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Using the <i>localgo<\/i> function, the attacker identifies the current machine&#8217;s IP address and gathers all possible users, IP addresses, and keys from sources such as the user\u2019s bash history, SSH configurations, and known hosts. 
This information is used to target other remote systems via SSH to execute cryptomining activities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"82a6eb\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig11.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig11.png\" alt=\"Figure 11: Setting the \u201clocalgo\u201d function which uses SSH to brute force all available local endpoints to spread cryptomining scripts in the local network\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11: Setting the \u201clocalgo\u201d function which uses SSH to brute force all available local endpoints to spread cryptomining scripts in the local network<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p>After collecting the needed information, the attacker starts to automate cryptomining activities on other hosts via SSH:<\/p>\n<p><span class=\"blockquote\">ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp &#8220;command\u201d<br \/>-oStrictHostKeyChecking=no: Automatically accepts the host key without host verification.<br \/>-oBatchMode=yes: Disables interactive password prompts.<br \/>-oConnectTimeout=3: Sets a 3-second timeout for the connection attempt.<\/span><\/p>\n<p>Because BatchMode rules out password prompts, these connections depend on non-interactive authentication, in practice the private keys harvested from the host, so any SSH key stored on a compromised machine should be treated as exposed and rotated.<\/p>\n<p>For the next function, <i>cron<\/i>, the attacker adds multiple cron jobs under different names (<i>whoami<\/i>, <i>nginx<\/i>, <i>apache<\/i>) in different locations (<i>init.d<\/i>, <i>cron.hourly<\/i>, <i>cron.d<\/i>) to maintain access to the server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"3bec8b\" 
href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig12.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig12.png\" alt=\"Figure 12. Maintaining access via cron\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. Maintaining access via cron<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>After ensuring that all cloud monitoring and security services are terminated or deleted, the attacker terminates the entry point process that exploits CVE-2023-22527 and downloads the XMRig miner to begin mining activities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"b15ff9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig13.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig13.png\" alt=\"Figure 13. Downloading the mining configuration file and starting another shell (solr.sh) to begin mining activities\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. 
Downloading the mining configuration file and starting another shell (solr.sh) to begin mining activities<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Before starting mining activities, the attacker uses the <i>solr.sh <\/i>function to ensure that all security tools that do not exist in the previous shell are terminated.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"31d9ce\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig14.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig14.png\" alt=\" Figure 14. The Attacker terminating and deleting known security tools and mining processes\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption> Figure 14. The Attacker terminating and deleting known security tools and mining processes<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Finally, for the last step in main <i>rnv2ymcl<\/i>, the attacker removes all their traces by clearing log and bash history.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig15.png\" alt=\" Figure 15: Clearing activities from the affected server\"> <\/p>\n<div class=\"caption-image-container \"><figcaption> Figure 15: Clearing activities from the affected server<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The following image shows the wallet information we gathered from the JSON file:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure 
class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig16.png\" alt=\"Figure 16. Wallet information from the JSON file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 16. Wallet information from the JSON file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"45.359237536657\">\n<div readability=\"36.484604105572\">\n<p>With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide. To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible.<\/p>\n<p>Furthermore, organizations should consider implementing the following best practices for general vulnerability exploit protection:<\/p>\n<p><b>Patch Management:<\/b> Regularly updating and patching software, operating systems, and applications is the most effective method of preventing vulnerabilities from being exploited.<\/p>\n<p><b>Network Segmentation:<\/b> Isolating critical network segments from the broader network can reduce the impact of exploit-based attacks.<\/p>\n<p><b>Regular Security Audits:<\/b> Conducting security audits and vulnerability assessments can help uncover and address weaknesses in the infrastructure before they are exploited.<\/p>\n<p><b>Incident Response Plan:<\/b> Creating, testing, and maintaining an incident response plan helps organizations respond swiftly and effectively to security breaches and exploit attempts.<\/p>\n<p>Implementing network-based access controls, using intrusion prevention systems like <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">Trend Vision One\u2122<\/a>, and performing regular vulnerability scans can further bolster 
security.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig17-1.png\" alt=\"Figure 17. Honeypot trigger 1 (top) and 2 (bottom)\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/fig17-2.png\" alt=\"Figure 17. Honeypot trigger 1 (top) and 2 (bottom)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 17. Honeypot trigger 1 (top) and 2 (bottom)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.723865877712\">\n<div readability=\"14.881656804734\">\n<h2><span class=\"body-subhead-title\">Vision hunting queries<\/span><\/h2>\n<p>The following are potentially useful queries for threat hunting within Vision One:<\/p>\n<p><b>Hunting SSH lateral movement using suspicious flags<\/b><br \/><span class=\"blockquote\"><b>eventSubId: 2 AND processCmd:ssh AND processCmd:oStrictHostKeyChecking AND processCmd:oBatchMode<\/b><\/span><b><\/b><\/p>\n<p><b>Hunting for malicious echo updating or adding new cron activities<\/b><br \/><span class=\"blockquote\"><b>eventSubId: 2 AND (processCmd:cron OR objectCmd:cron) AND (processCmd:echo OR objectCmd:echo)<\/b><\/span><\/p>\n<p>Both queries match on generic command-line substrings, so legitimate automation such as configuration management, backup jobs, and scripts that write cron entries will also match; review the results against a baseline of expected activity before treating a hit as malicious.<\/p>\n<p>The indicators of compromise can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/cve-2023-22527-cryptomining\/cryptojacking-via-CVE-2023-22527-ioc.txt\">here<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"3\">\n<tr>\n<th 
scope=\"col\">Tactic<\/th>\n<th scope=\"col\">Technique<\/th>\n<th scope=\"col\">Technique ID<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"246\">Initial Access<\/td>\n<td width=\"246\">Exploit Public-Facing Application<\/td>\n<td width=\"246\">T1190<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"2\" height=\"36\" width=\"246\">Execution<\/td>\n<td rowspan=\"2\" width=\"246\">Command and Scripting Interpreter: Unix Shell<\/td>\n<td rowspan=\"2\" width=\"246\">T1059.004<\/td>\n<\/tr>\n<tr><\/tr>\n<tr>\n<td rowspan=\"4\" height=\"72\" width=\"246\">Defense Evasion<\/td>\n<td width=\"246\">Disable or Modify Tools<\/td>\n<td width=\"246\">T1562.001<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" height=\"36\" width=\"246\">Clear Command History<\/td>\n<td rowspan=\"2\" width=\"246\">T1070.003<\/td>\n<\/tr>\n<tr><\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"246\">Clear Linux or Mac System Logs<\/td>\n<td width=\"246\">T1070.002<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" height=\"36\" width=\"246\">Command and Control<\/td>\n<td rowspan=\"2\" width=\"246\">Ingress Tool Transfer<\/td>\n<td rowspan=\"2\" width=\"246\">T1105<\/td>\n<\/tr>\n<tr><\/tr>\n<tr>\n<td height=\"18\" width=\"246\">Persistence<\/td>\n<td width=\"246\">Scheduled Task\/Job: Cron<\/td>\n<td width=\"246\">T1053.003<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"246\">Collection<\/td>\n<td width=\"246\">Data from Local System<\/td>\n<td width=\"246\">T1005<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"246\">Impact<\/td>\n<td width=\"246\">Resource Hijacking<\/td>\n<td width=\"246\">T1496&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For 
Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/cve-2023-22527-cryptomining.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim\u2019s system. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9555,9513,9509],"class_list":["post-56952","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-08-28T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem\",\"datePublished\":\"2024-08-28T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/\"},\"wordCount\":1201,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2023-22527-cryptomining:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Malware\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/\",\"name\":\"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2023-22527-cryptomining:Large?qlt=80\",\"datePublished\":\"2024-08-28T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2023-22527-cryptomining:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/cve-2023-22527-cryptomining:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF 
\u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/","og_locale":"en_US","og_type":"article","og_title":"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-08-28T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem","datePublished":"2024-08-28T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/"},"wordCount":1201,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/","url":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/","name":"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80","datePublished":"2024-08-28T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/cve-2023-22527-cryptomining:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/cryptojacking-via-cve-2023-22527-dissecting-a-full-scale-cryptomining-ecosystem\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 
Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56952"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56952\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56952"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}