Summary:
Trend Micro researchers identified a complex attack exploiting the Atlassian Confluence vulnerability CVE-2023-22527, allowing attackers to achieve remote code execution (RCE) to install cryptomining software on compromised systems using the Titan Network. By exploiting Confluence's vulnerability, attackers gained unauthenticated access to execute reconnaissance commands, gathering details about each machine's IP, operating system, directories, disk space, and memory. They used public IP lookup services to identify external addresses, allowing them to understand the machine's network environment.

Following reconnaissance, the attackers downloaded a series of shell scripts designed to establish a persistent connection with the Titan Network. Initial scripts installed Titan binaries, configuring environment variables to ensure their functionality, possibly obscuring some commands to evade detection. This process also bound the compromised machine to the attacker's Titan identity, allowing them to register the victim's machine on the Titan Network and claim reward tokens for the machine's participation. Additional scripts then installed a mining client, linking to a specific mining pool for further cryptomining activities.

Security Officer Comments:
The attackers also set up SSH keys and modified SSH configurations, enabling them to move laterally within AWS environments by targeting SSH connections across EC2 instances. By embedding their public SSH key and configuring the SSH daemon, they gained persistent access, potentially allowing them to expand their control across interconnected cloud resources. To maintain remote control, the attackers established a reverse shell connection, linking compromised systems to a command-and-control (C&C) server over a common web port. This shell gave them an additional layer of remote access to execute commands directly, reinforcing their control over the systems.

Suggested Corrections:

IOCs:
https://www.trendmicro.com/en_us/research/24/j/titan-network.html


Patch Management: Ensure timely patching of known vulnerabilities like CVE-2023-22527 across all systems, especially those publicly accessible. Enable automatic updates wherever feasible, and prioritize critical updates for internet-facing applications like Confluence.


Network Segmentation and Access Control: Segment critical infrastructure from general network traffic, reducing the potential reach of unauthorized access. Implement strict access controls and role-based access for applications, especially sensitive cloud environments like AWS EC2 instances.


Endpoint and Cloud Security: Deploy endpoint detection and response solutions to monitor for unusual behaviors, such as cryptomining installations, SSH modifications, or persistent remote access. Ensure cloud security configurations are regularly reviewed and apply security monitoring to cloud services to detect lateral movement attempts.


File and Process Monitoring: Use file integrity monitoring tools to detect unexpected changes, including unauthorized shell script downloads or system command executions. Enable process monitoring to detect suspicious system commands and behaviors, such as large numbers of outgoing requests or connections to unknown servers.


DNS and IP Filtering: Implement DNS filtering to block connections to known malicious IP addresses and domains. Monitor outbound traffic for unusual patterns, such as connections to cryptocurrency mining pools or command-and-control servers.

Link(s):
https://www.trendmicro.com/en_us/research/24/j/titan-network.html