A group of attackers are actively exploiting a critical vulnerability in Atlassian’s Confluence collaboration software to inject trojans and infect servers with the GandCrab ransomware. Confluence is a Java-based web application that provides a shared wiki-type workspace for enterprise employees and is used by tens of thousands of companies worldwide.
The vulnerability, tracked as CVE-2019-3396, is in the software’s Widget Connector, which allows users to embed content from YouTube, Twitter and other websites into Confluence pages.
Attackers can exploit the flaw to inject a rogue template and achieve remote code execution on the server. According to Atlassian’s advisory, published March 20, all versions of Confluence Server and Confluence Data Center before versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2 are affected.
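The advisory's fixed versions are the first thing an administrator needs to check an inventory against. The following is an added example, not code from the article, the security firm or Atlassian: it compares an installed Confluence version with the four fixed releases named above (6.6.12, 6.12.3, 6.13.3 and 6.14.2). The range boundaries it uses (each fixed release closes only its own maintenance branch, so 6.7.x through 6.11.x, which received no fix, remain affected until 6.12.3) are an assumption about how the advisory's list should be read, and the host inventory at the bottom is constructed.

```python
# Added example: triage Confluence Server / Data Center versions against the
# CVE-2019-3396 fixed releases named in Atlassian's advisory.
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '6.13.1' into (6, 13, 1); a qualifier such as '6.14.0-rc1' is dropped.

    Two-component versions are padded so that '6.14' compares like (6, 14, 0).
    """
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return parts + (0,) * max(0, 3 - len(parts))


# Affected ranges as [lower, upper) pairs. Assumption (the article only lists
# the fixed versions): each fix covers its own maintenance branch, and the
# 6.7-6.11 branches, which were never patched, stay affected until 6.12.3.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (6, 6, 12)),
    ((6, 7, 0), (6, 12, 3)),
    ((6, 13, 0), (6, 13, 3)),
    ((6, 14, 0), (6, 14, 2)),
]


def is_vulnerable(version_text: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventory version to 'VULNERABLE' or 'fixed'."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed inventory of hypothetical hosts, not real data.
    inventory = ["6.6.11", "6.6.12", "6.9.0", "6.12.3", "6.13.2", "6.14.1", "6.14.2", "6.15.1"]
    for ver, status in triage(inventory).items():
        print(f"{ver:>8}: {status}")
```

Versions that sit between two branches (for example 6.9.0) are reported as vulnerable because no release in that branch ever carried the fix; the only way out for such a host is an upgrade to a fixed branch.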
According to a report from a renowned security firm, proof-of-concept exploit code for the vulnerability was released publicly on April 10 and malicious hackers wasted no time adopting it in attacks. “Within a week of the first exploit code appearing within our data lake we saw the first set of breached customers,” the security researchers said.
The first of these customers was being directed by the malicious payloads to interact with an IP address that is well known and tracked within the firm’s dataset, initially because it was associated with earlier widespread and successful exploitation of CVE-2017-10271 (an Oracle WebLogic vulnerability the researchers had previously written about). The attackers in control of this IP space seem to have rapidly and successfully added this new vector to their arsenal.
The malicious payload deployed on compromised Confluence servers downloads and executes a malicious PowerShell script on the system. That script in turn downloads a customized version of Empire, an open-source PowerShell post-exploitation agent, from a Pastebin page.
The Empire agent is used to inject an executable file called len.exe into the memory of a running process and researchers determined that file to be GandCrab 5.2, a ransomware program that has infected many companies over the past year.
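The chain described above leaves two telemetry signals a defender can look for: the Confluence JVM spawning a command interpreter, and PowerShell fetching content from a paste site. The following is an added example, not the security firm’s or Atlassian’s code: a small detector run over constructed process-creation records. The field names (`host`, `parent_image`, `image`, `command_line`) and the executable names taken to represent the Confluence service on Windows (`java.exe`, `tomcat8.exe`, `tomcat9.exe`) are assumptions modelled on typical endpoint telemetry, and the sample events are invented.

```python
# Added example: flag the Confluence-to-PowerShell-to-Pastebin chain in
# process-creation telemetry. Field names and sample events are constructed.
import ntpath
from typing import Dict, List

# Assumption: these are the process names under which a Confluence instance
# runs on Windows (the bundled JVM or a Tomcat service wrapper).
WEB_APP_PARENTS = {"java.exe", "tomcat8.exe", "tomcat9.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PASTE_SITES = ("pastebin.com",)

# Constructed sample records (hypothetical hosts, not real telemetry):
#  1. an administrator querying the service from an interactive session,
#  2. the Confluence JVM spawning PowerShell that pulls a script from Pastebin,
#  3. the JVM spawning cmd.exe without any paste-site reference.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "wiki01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Get-Service -Name confluence"},
    {"host": "wiki01", "parent_image": "C:\\Confluence\\jre\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile https://pastebin.com/raw/EXAMPLE"},
    {"host": "wiki02", "parent_image": "C:\\Confluence\\jre\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c ver"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable via ntpath."""
    return ntpath.basename(path).lower()


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious event; two signals together rank high."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
        cmd = ev.get("command_line", "").lower()
        reasons: List[str] = []
        if parent in WEB_APP_PARENTS and image in SHELLS:
            reasons.append(f"{image} spawned by web application process {parent}")
        if image in POWERSHELL and any(site in cmd for site in PASTE_SITES):
            reasons.append("PowerShell command line references a paste site")
        if reasons:
            findings.append({
                "host": ev["host"],
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
                "command_line": ev.get("command_line", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']}: {'; '.join(finding['reasons'])}")
```

A web application process spawning a shell is rare enough on a dedicated wiki server that the first rule alone is worth a medium-severity alert; combined with a paste-site fetch it matches the chain reported here and is escalated.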
GandCrab appeared in January last year and is one of the most widespread ransomware threats currently targeting consumers and businesses. Its creators are offering it to other cybercriminal groups in exchange for a cut of their illicit proceeds.
Ransomware, including GandCrab, has typically been distributed through malicious Office documents attached to phishing emails.
Distribution through vulnerabilities in server-type software has been observed in the past, but attackers usually reserve this method for cryptomining programs because those can make better use of the computing power available on such systems.
There is currently no tool available to decrypt files affected by GandCrab version 5.2, the variant being used in this attack.