Tuesday, July 14, 21:15
Home security Vulnerability in Atlassian Confluence is used to install GandCrab

Vulnerability in Atlassian Confluence is used to install GandCrab

GandCrabResearchers found that a team hackers exploits a critical vulnerability in its Confluence software Atlassian to install trojans and to infects victim servers with ransomware GandCrab.

Confluence software is a web application based on Java and used by thousands Companies worldwide.

Vulnerability is called CVE-2019-3396 and is located in the software's "Widget Connector". This point allows users to embed YouTube content, Twitter and other pages.

Attackers exploit the vulnerability to introduce malware and manage remote access and execute code in server. According to researchers, all versions of Confluence Server and Confluence Data Center before 6.6.12, 6.12.3, 6.13.3 and 6.14.2, they are vulnerable and therefore allow GandCrab to be installed.

According to a security company report, the proof-of-concept exploit code for vulnerability was released publicly on 10 April. The hackers wasted no time and used it right away attacks. The researchers they said that the first victims appeared in the first week.

The malicious payload, used by hackers on vulnerable Confluence servers, downloads and executes a malicious PowerShell script, aimed at infusing trojans. Next, this script downloads a special version of an open-source PowerShell agent called Empire.

Empire agent is used to inject an executable file (len.exe) into the memory of a current process. Researchers have discovered that this file is GandCrab 5.2, a ransomware program that has infected many companies lately.

In fact, GandCrab is one of the most widespread ransomware currently. It first appeared last January and has targeted a large number users and business. Its creators offer it to other groups as well criminals to carry out attacks.

Many ransomware, including GandCrab, is usually spread through malicious Office documents included in phishing emails.

Distribution by exploiting vulnerabilities in server-type software has been observed in the past. But in most cases, hackers use this method of distribution cryptomining programs.

Currently, there is no tool available to decrypt the files affected by the GandCrab 5.2 version.


Please enter your comment!
Please enter your name here

Absent Mia
Absent Miahttps://www.secnews.gr
Being your self, in a world that constantly tries to change you, is your greatest achievement


Spotify: Finally reshaping its podcast charts

Spotify is reshaping its podcast charts to help listeners find new shows and watch local news ...

Find out if you have been hacked and what to do about it

Hacking attacks are a daily occurrence with many victims worldwide. Everyone is vulnerable to cyber hackers, but the threats do not ...

ISIS accounts continue Facebook propaganda

According to a new research, some accounts connected to the terrorist group ISIS, still exist on Facebook, without becoming ...

US and UK: Dealing with major cyber attacks

The United States, the United Kingdom, India and Germany have experienced many "significant" cyber attacks over the past 14 years, ...

Google Meet: New security settings for training meetings

New security features are coming into the Google Meet video chat app for education subscribers' teleconferencing.

Technology companies against the deportation of foreign students from the USA!

Technology giants such as Google, Microsoft and Facebook, as well as many other technology companies, have joined the US Chamber of Commerce, ...

Microsoft announces new features in ATP for Azure Storage!

Microsoft announced today that Advanced Threat Protection (ATP) for Azure Storage now enables customers to protect ...

The UK is on the alert for cyber attacks from China

The United Kingdom must be vigilant about possible cyber attacks by countries such as China, government ministers have said.

Linux 5.8-rc5: Will be released with terminology changes

On July 4, Dan Williams proposed changing the special terms of Linux, with new names ...

Belgium: Jackpotting attack on Argenta bank ATM

Argenta Bank, based in Antwerp, Belgium, has been the victim of a jackpotting attack. Is...