Many versions of the Confluence wiki software are vulnerable, and attackers are currently exploiting the "critical" vulnerabilities CVE-2019-3395 and CVE-2019-3396. Security researchers at Alert Logic have now observed new attacks in which one of these vulnerabilities is used as the entry point for the GandCrab ransomware.
The vulnerability with the identifier CVE-2019-3396 is located in the Widget Connector, where attackers are reportedly able to inject template code (via the _template parameter) remotely and without authentication.
To avoid detection while deploying GandCrab, they rely on several legitimate standard tools and Windows PowerShell. If all of this succeeds, the malware installs itself, encrypts files and demands a ransom.
Update
Patched versions are already available. In a security advisory, the developers state that they have closed the gaps in versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2. All earlier versions are affected. Attacks on vulnerable Confluence installations were already reported last week.
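For an administrator, the practical question is whether a given installation falls below the fixed release on its line. The following script is an added example (not part of the article, and not an Atlassian tool) that takes the four fixed versions named above and flags any version string older than the fix for its release line. The grouping of release lines (for instance, treating 6.7.x to 6.12.x as fixed by 6.12.3) and the assumption that anything newer than 6.14.x is not affected are inferred from how the article groups the fixes, so verify against the vendor advisory before relying on it; the inventory at the bottom is constructed sample data.

```python
"""Flag Confluence Server versions that predate the fix for CVE-2019-3396.

Added example, not from the article or from Atlassian. Fixed versions are
those the article names; the release-line grouping is an assumption."""
import re

# Fixed releases named in the article, oldest line first.
FIXED_VERSIONS = [(6, 6, 12), (6, 12, 3), (6, 13, 3), (6, 14, 2)]


def parse_version(text):
    """Turn '6.13.1' (or '6.13') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def first_fix_for(version):
    """Return the earliest fixed release whose line covers `version`.

    A version on major.minor line X is covered by the first fixed release
    whose major.minor is >= X (assumption: e.g. 6.7.x .. 6.12.x -> 6.12.3).
    Returns None when the version is newer than every fixed line.
    """
    for fixed in FIXED_VERSIONS:
        if version[:2] <= fixed[:2]:
            return fixed
    return None


def is_vulnerable(text):
    """True if `text` is older than the fix on its release line."""
    version = parse_version(text)
    fixed = first_fix_for(version)
    if fixed is None:
        # Newer than 6.14.x: not one of the "earlier versions" (assumption).
        return False
    return version < fixed


def vulnerable_hosts(inventory):
    """Given {hostname: version_string}, return the sorted list of hosts to patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "wiki-old.example.test": "6.6.11",
        "wiki-lts.example.test": "6.6.12",
        "wiki-a.example.test": "6.9.0",
        "wiki-b.example.test": "6.13.3",
        "wiki-c.example.test": "6.14.1",
        "wiki-new.example.test": "6.15.0",
    }
    for host in vulnerable_hosts(sample):
        print(f"PATCH NEEDED: {host} runs {sample[host]}")
```

Run it against your own inventory by replacing the sample mapping; a version on a line that is not explicitly listed (for example 6.9.0) is compared against the next fixed release up the list, which is the conservative reading of "all earlier versions are affected".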