BLOG: 12 Vulnerabilities of Christmas – CVE-2019-3396
The penultimate blog in our series on the most significant vulns of the year focuses on an issue in an Atlassian product that was targeted by cryptominers and ransomware groups.
CVE-2019-3396 is a critical vulnerability affecting multiple versions of Atlassian Confluence Server which allows threat actors to achieve remote code execution and path traversal by exploiting a server-side template injection flaw. Atlassian Confluence is a project management tool for developers that allows teams to assign tasks, collaborate, and share knowledge during projects. In addition to the potentially sensitive information it holds, a compromised Confluence server may allow threat actors to move laterally into the victim organisation’s networks and devices. The vulnerability affects specific components of the software, namely the WebDAV plugin and the Widget Connector module, which allow users to integrate Confluence with Microsoft Office applications.
Atlassian initially reported the vulnerability on 20 March 2019 in a security advisory, releasing a patch on 30 March. Proof of Concept (PoC) code was published as early as 9 April on GitHub, allowing threat actors to start exploiting the vulnerability. A Metasploit module for CVE-2019-3396 was released shortly afterwards, allowing threat actors to further integrate exploits for the vulnerability into their toolkits.
As we have seen in multiple editions of our 12 Vulns of Christmas series, initial exploitation of CVE-2019-3396 was carried out by cybercriminals for crypto-mining, with the first report of in-the-wild exploitation on 7 May 2019. In this particular instance, cybercriminals compromised Confluence servers and chained the exploit with two further Jenkins vulnerabilities (CVE-2019-1003001 and CVE-100300) to move laterally and drop Khugepageds, a Monero miner. A further crypto-mining campaign in June 2019 attempted to exploit the vulnerability to drop Golang-based miners from a Chinese C2 server onto victims’ compromised infrastructure. Reports also surfaced in July 2019 of a Distributed Denial of Service (DDoS) bot named Godlua which leveraged the vulnerability in order to spread across compromised servers, in an attempt to build a DDoS botnet that could be rented out for profit or used for extortion by cybercriminals.
CVE-2019-3396 also caught the eye of ransomware operators due to the potential for lateral movement when compromising a Confluence server. GandCrab’s operators exploited the vulnerability within a week of the PoC exploit’s appearance to deploy the Empire post-exploitation framework.
CVE-2019-3396 has also been leveraged by nation-state threat actors for both intelligence collection and financial gain. Chinese threat actor APT41 has been observed exploiting the vulnerability within several weeks of its announcement, reaffirming the increasingly rapid rate at which threat actors adapt to these disclosures. North Korean group APT41 has also exploited the vulnerability since May 2019 in its first Linux-based malware, Dacls.
In view of the speed at which threat actors have integrated the vulnerability into their TTPs and the continued exploitation of CVE-2019-3396 by a variety of cybercriminal and nation-state actors, Orpheus has calculated a maximum OVS score of 100 for it.
We recommend organisations apply the following mitigation advice:
Upgrade Atlassian Confluence Server to the latest version, 6.15.1 as of December 2020
Disable the WebDAV and Widget Connector plugins
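The two mitigation steps above can be turned into a repeatable check for a vulnerability-management team. The following Python is an added example written for this post, not code from Atlassian or from Orpheus. It assumes the installed version is supplied as a string (for example read from the server's own version banner by whatever inventory tooling you already use), and that the plugin state is available as a JSON listing of the shape {"plugins": [{"key": ..., "enabled": ...}]}; the plugin keys, the JSON shape and the sample listing are all assumptions or constructed data, and the 6.15.1 minimum is the version this post names, so adjust all of them to your own environment. The version comparison is numeric rather than lexical, which matters because a string comparison would rank 6.6.12 above 6.15.1.

```python
"""Defensive checks for the two CVE-2019-3396 mitigations:
(1) is the Confluence build older than the fixed release, and
(2) are the WebDAV / Widget Connector plugins still enabled.
Added example; plugin keys and JSON shape are assumptions."""
import json
from typing import Iterable, List, Tuple

# ASSUMED plugin keys; confirm them against your own plugin listing.
WEBDAV_PLUGIN_KEY = "com.atlassian.confluence.plugins.confluence-webdav"
WIDGET_CONNECTOR_PLUGIN_KEY = "com.atlassian.confluence.extra.widgetconnector"
RISKY_PLUGIN_KEYS = (WEBDAV_PLUGIN_KEY, WIDGET_CONNECTOR_PLUGIN_KEY)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.15.1' (or '6.6.12-rc1') into a tuple of ints so that
    comparisons are numeric, not lexical ('6.6.12' > '6.15.1' as strings)."""
    core = version.strip().split("-", 1)[0]      # drop any '-rc1' style suffix
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_is_below(installed: str, minimum: str) -> bool:
    """True if installed < minimum. Missing trailing components count as 0,
    so '6.15' compares equal to '6.15.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def enabled_risky_plugins(upm_listing: str,
                          risky_keys: Iterable[str] = RISKY_PLUGIN_KEYS) -> List[str]:
    """Return the keys of risky plugins that are still enabled, given a JSON
    plugin listing of the assumed shape {"plugins": [{"key":..., "enabled":...}]}."""
    data = json.loads(upm_listing)
    wanted = set(risky_keys)
    return sorted(
        p["key"]
        for p in data.get("plugins", [])
        if p.get("key") in wanted and p.get("enabled", False)
    )


def assess(installed_version: str, upm_listing: str,
           minimum_version: str = "6.15.1") -> dict:
    """Combine both checks. The server is reported as exposed only when it is
    both below the fixed release AND still has a risky plugin enabled, since
    either mitigation on its own closes the path described in the post."""
    outdated = version_is_below(installed_version, minimum_version)
    enabled = enabled_risky_plugins(upm_listing)
    return {
        "installed_version": installed_version,
        "needs_upgrade": outdated,
        "enabled_risky_plugins": enabled,
        "exposed": outdated and bool(enabled),
    }


# Constructed sample listing for demonstration; not output from a real server.
SAMPLE_UPM_LISTING = json.dumps({
    "plugins": [
        {"key": WEBDAV_PLUGIN_KEY, "name": "WebDAV", "enabled": True},
        {"key": WIDGET_CONNECTOR_PLUGIN_KEY, "name": "Widget Connector", "enabled": False},
        {"key": "com.example.unrelated-plugin", "name": "Unrelated", "enabled": True},
    ]
})

if __name__ == "__main__":
    print(json.dumps(assess("6.6.12", SAMPLE_UPM_LISTING), indent=2))
```

Running the block as a script reports that the constructed 6.6.12 instance needs an upgrade and still has the WebDAV plugin enabled, so it is flagged as exposed; flipping the WebDAV entry to disabled, or raising the version, clears the flag.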
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.