Active Exploits in Confluence

Confluence critical vulnerabilities detailed in CVE-2019-3396, are WebDAV and Widget Connector vulnerabilities. The following are two attacks related to these vulnerabilities that are being actively exploited:

  1. the infection of servers with GrandCrab ransomware. Please be advised that there are currently no tools available to decrypt files affected by GandCrab version 5.2 (which is being used in this attack).
  2. the distribution of Kerberods malware, which is a combination of a Monero crypto-miner and a rootkit to obfuscate activity. 

Atlassian recommends upgrading to the latest version (6.15.1), and has also provided recommendations for versions that cannot be upgraded. For more information, see the Confluence Security Advisory – 3019-03-20.