GandCrab attackers exploit recently patched Confluence vulnerability

A group of attackers are actively exploiting a critical vulnerability in Atlassian's Confluence collaboration software to infect servers with the GandCrab ransomware. Confluence is a Java-based web application that provides a shared wiki-type workspace for enterprise employees and is used by tens of thousands of companies worldwide. The vulnerability, tracked as CVE-2019-3396, is in the software's Widget Connector that allows users to embed content from YouTube, Twitter and other websites into web pages.

Attackers can exploit the flaw to inject a rogue template and achieve remote code execution on the server. According to Atlassian's advisory, published March 20, all versions of Confluence Server and Confluence Data Center before versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2 are affected.

According to a new report from security firm Alert Logic, proof-of-concept exploit code for the vulnerability was released publicly on April 10 and malicious hackers wasted no time adopting it in attacks. "Within a week of the first exploit code appearing within our data lake we saw the first set of breached customers," the Alert Logic researchers said. "The first of these customers was being directed by the malicious payloads to interact with an IP address which is well known and tracked within our dataset – initially due to it being associated with previous widespread successful exploitation of CVE-2017-10271 (an Oracle Weblogic vulnerability which we have previously talked about). The attackers in control of this IP space seem to have rapidly and successfully added this new vector to their arsenal."

The malicious payload deployed by hackers on compromised Confluence servers downloads a malicious PowerShell script and executes it on the system. That script then downloads a customized version of an open-source PowerShell post-exploitation agent called Empire from a Pastebin page.

The Empire agent is used to inject an executable file called len.exe into the memory of a running process and researchers determined that file to be GandCrab 5.2, a ransomware program that has infected many companies over the past year. GandCrab appeared in January last year and is one of the most widespread ransomware threats currently targeting consumers and businesses. Its creators are offering it to other cybercriminal groups in exchange for a cut of their illicit proceeds.

Ransomware, including GandCrab, has typically been distributed through malicious Office documents attached to phishing emails. Distribution through vulnerabilities in server-type software has been observed in the past, but attackers usually reserve this method for cryptomining programs because those can make better use of the computing power available on such systems.

"This re-emergence of ransomware as the outcome of an unauthenticated remote code execution vulnerability may be an opportunist use of ransomware instead of cryptominers due to the nature of the vulnerability being used," the Alert Logic researchers said. "Given that CVE-2019-3396 targets Confluence (which is a wiki platform) then the application in question will potentially hold valuable company information and may not be sufficiently backed up. The attackers may be making a judgement call that the likelihood of pay-out is a sufficiently higher return than could be expected mining cryptocurrency on the host."

Security researchers have found vulnerabilities in GandCrab's file encryption in the past that allowed them to create free decryption tools for users. However, the authors of this ransomware program remain very active and learn from their mistakes. There is currently no tool available to decrypt files affected by GandCrab version 5.2 which is being used in this attack.