CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit
by Augusto II Remillano and Robert Malagad

In March 2019, Atlassian published an advisory covering two critical vulnerabilities involving Confluence, a widely used collaboration and planning software. In April, we observed one of these vulnerabilities, the widget connector vulnerability CVE-2019-3396, being exploited by threat actors to perform malicious attacks. Security provider Alert Logic also discovered the vulnerability being exploited to drop the Gandcrab ransomware.

It seems that these incidents are not the last we've seen of the CVE-2019-3396 exploitation, as threat actors are still finding new ways to exploit the vulnerability. We discovered that it is also being used to deliver a cryptocurrency-mining malware containing a rootkit that was designed to hide its activities. This technique is highly reminiscent of another attack that occurred in November 2018 that used a similar miner-rootkit combination.

Arrival and propagation

Figure 1. Infection chain

The attack begins with