The Confluence wiki software is vulnerable in many versions and attackers are currently exploiting the “critical” vulnerabilities (CVE-2019-3395, CVE-2019-3396). Alert Logic security researchers have now observed new attacks where attackers should exploit a vulnerability as a loophole for the Gandcrab encryption Trojan.

The vulnerability with the identifier CVE-2019-3396 can be found in the Widget Connector and attackers should _templatebe able to inject it remotely without authentication code.

In order to escape a discovery in the placement of Gandcrab, they should rely on several legitimate standard tools and Windows PowerShell. If all this works, the malware installs itself, encrypts files and asks for a ransom.

update

Hedged versions are already available. In a security warning, the developers claim to have closed the gaps in issues 6.6.12, 6.12.3, 6.13.3 and 6.14.2. All previous versions are threatened. Already last week, attacks on vulnerable Confluence installations.