Trend Micro and Alert Logic are speaking about a critical Atlassian Confluence Server vulnerability that is being remotely exploited by attackers to compromise both Linux and Windows servers, allowing them to drop GandCrab ransomware and the Dofloo (aka AES.DDoS, Mr. Black) Trojan.
Attackers are exploiting a critical Atlassian Confluence Server #vulnerability, infecting Linux and Windows servers with the infamous GandCrab #ransomware in the process: https://t.co/JDxg860SQT @bbb1216bbb @SCMagazine
— Veracode (@Veracode) April 29, 2019
The #AESDDoS botnet malware variant that we discovered abusing a vulnerability in Atlassian Confluence Server can load #cryptocurrency miners on affected machines. Analysis: https://t.co/KoT6N4640m
— Trend Micro Research (@TrendMicroRSRCH) April 29, 2019
Experts Comments:
Mounir Hahad, Head of the Juniper Threat Labs at Juniper Networks:
“Atlassian uses two different deployment models: some customers use their cloud SaaS business model and some deploy an in-house instance of the popular collaboration tool. The danger lies on the in-house deployments. Even then, most collaboration tools are internal to their organizations and present no public interface on the internet. Those are less likely to be compromised since a threat actor would first need to penetrate the private network then move laterally to take over an Atlassian deployment.
On the other hand, those deployment meant for collaboration across organizations, with a publicly facing web access are at risk. This situation is no different from any other web server vulnerability: it is imperative to quickly upgrade to a more recent version of the product which includes a patch to the vulnerability as well as assess your internal network for any signs that it might already have been compromised.”
Pankaj Parekh, Chief Product & Strategy Officer at SecurityFirst:
“There are many attack vectors, and hackers are quick to notice them and act on them. In this case it’s a Widget Connector macro in an unpatched Atlassian Confluence Server which allows an attacker to execute code on the server. Once a server is compromised, and attacker could choose to go after anything – including critical private data. We continue to advise our customers to protect their data where it is stored, so when the inevitable hack happens, the data can’t be stolen or corrupted.”
