CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner with Rootkit (May 7, 2019)
Alert Logic has identified in-the-wild exploitation of CVE-2019-3396, a server-side template injection vulnerability in the Widget Connector macro of Atlassian Confluence Server that gives an unauthenticated remote attacker code execution on the server. The same vulnerability had already been exploited to drop GandCrab ransomware; in this campaign the attackers instead deliver cryptocurrency-mining malware bundled with a rootkit, which hides the miner from host-based detection. The attack uses Pastebin as the Command and Control (C2) channel from which malicious scripts are downloaded, and an actor-controlled domain from which the malware itself is downloaded and executed.
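The chain above leaves a characteristic trace: an inbound request to the Confluence macro-preview endpoint, followed within seconds by the Confluence host itself reaching out to Pastebin or an unfamiliar domain. The following detection is an added example, not Alert Logic's or Atlassian's code. It correlates a Confluence access log (Combined format) with an egress proxy log and flags (a) any fetch from pastebin.com and (b) any outbound fetch by the Confluence host to a non-allowlisted domain shortly after a POST to /rest/tinymce/1/macro/preview, the endpoint that public exploit code for CVE-2019-3396 posts its malicious macro to. The log lines, the Confluence host address 10.0.0.20, the proxy log layout and the allowlist of widget hosts are all constructed for the example; build the allowlist from your own baseline.

```python
"""Correlate Widget Connector preview requests with outbound fetches from the Confluence host.

Added example for CVE-2019-3396 hunting; not code from Alert Logic or Atlassian.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Endpoint that public exploit code for CVE-2019-3396 POSTs the malicious macro to.
PREVIEW_PATH = "/rest/tinymce/1/macro/preview"
# Named in the bulletin as the script-staging / C2 channel: flag any fetch from it.
SUSPECT_HOSTS = {"pastebin.com"}
# Assumption: hosts the Widget Connector legitimately fetches from in this deployment.
# Illustrative only; derive the real list from your own traffic baseline.
ALLOWED_WIDGET_HOSTS = {"www.youtube.com", "vimeo.com", "www.viddler.com"}
# How long after a preview POST an outbound fetch is still considered caused by it.
WINDOW = timedelta(seconds=30)

# Constructed sample data (not real logs). 10.0.0.20 is the Confluence host.
ACCESS_LOG = """\
10.0.0.5 - - [07/May/2019:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.9 - - [07/May/2019:10:03:44 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 812
10.0.0.8 - - [07/May/2019:11:15:01 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 301
"""
PROXY_LOG = """\
2019-05-07T10:03:45Z 10.0.0.20 GET https://pastebin.com/raw/AbCdEf12 200
2019-05-07T10:03:52Z 10.0.0.20 GET http://files.example.net/upd.sh 200
2019-05-07T11:15:02Z 10.0.0.20 GET https://www.viddler.com/v/test 200
2019-05-07T12:00:00Z 10.0.0.21 GET https://pastebin.com/raw/ZzZz9999 200
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def parse_preview_posts(text):
    """Yield (timestamp, client_ip) for every POST to the macro preview endpoint."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == PREVIEW_PATH:
            yield ts, m["src"]


def parse_proxy(text):
    """Yield (timestamp, source_ip, url) for every proxy log line."""
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["url"]


def find_alerts(access_log, proxy_log, confluence_host):
    """Return one alert dict per suspicious outbound fetch, in log order."""
    previews = list(parse_preview_posts(access_log))
    alerts = []
    for ts, src, url in parse_proxy(proxy_log):
        host = (urlparse(url).hostname or "").lower()
        reasons, triggers = [], []
        if host in SUSPECT_HOSTS:
            reasons.append("suspect_host")
        # Server-side fetch by Confluence to a host it has no business talking to,
        # right after someone asked it to render a macro preview.
        if src == confluence_host and host not in ALLOWED_WIDGET_HOSTS:
            triggers = [client for pts, client in previews if pts <= ts <= pts + WINDOW]
            if triggers:
                reasons.append("follows_macro_preview")
        if reasons:
            alerts.append({
                "time": ts.isoformat(),
                "src": src,
                "url": url,
                "reasons": reasons,
                "preview_clients": sorted(set(triggers)),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(ACCESS_LOG, PROXY_LOG, "10.0.0.20"):
        print(alert)
```

On the constructed data this raises three alerts: the Pastebin fetch and the fetch from the actor-controlled domain, both within seconds of the external client's preview POST, and a later Pastebin fetch from an unrelated internal host. The preview POST from 10.0.0.8 followed by a fetch from an allowlisted widget provider is not flagged, which is the false-positive case the allowlist exists for; a legitimate preview also hits this endpoint, so the POST alone is not evidence of exploitation.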
Recommendation: Apply the Atlassian security update as soon as possible; the vulnerability is rated critical and gives an attacker control of the affected system. Confluence Server and Data Center versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2 (and later releases in each line) contain the fix; all earlier versions are affected. Your organisation should also have a policy for reviewing and applying security updates to all software in use, so that known vulnerabilities are closed before threat actors exploit them.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.