AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks and Cryptocurrency Mining (Apr 26, 2019)
An "AESDDoS" botnet malware has been identified exploiting a server-side template injection vulnerability, registered as "CVE-2019-3396," according to Trend Micro researchers. The vulnerability resides in the Widget Connector macro of the project management software Atlassian Confluence Server. By exploiting it, an attacker was able to remotely execute a shell script that downloaded further shell scripts, which in turn downloaded the AESDDoS malware onto the machine. The malware can send and receive remote shell commands, which can be used to load cryptocurrency miners onto affected machines, launch various types of Distributed Denial-of-Service (DDoS) attacks, and steal system data.
Recommendation: Atlassian advises users to upgrade to the latest version, 6.15.1, to avoid potential exploitation of this vulnerability. A machine whose fan seems to be constantly running could be an indication that it is infected with crypto-mining malware. Your company should have patch policies in place to monitor all systems for vulnerabilities that could be exploited by threat actors.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.