Active Exploitation of Confluence Vulnerability CVE-2019-3396 Dropping Gandcrab Ransomware

Overview

Exploit code for a new vulnerability in Confluence (CVE-2019-3396) has been rapidly deployed by attackers and successfully used to breach hosts. We have observed attempts by these campaigns to execute Gandcrab ransomware on the victim hosts via PowerShell and usage of standard toolsets to avoid detection. Readers are encouraged to assess and patch their environments for this vulnerability as soon as possible.

Confluence Vector Exploited

On March 20, 2019 Atlassian announced a set of critical vulnerabilities had been recently patched in their Confluence Server and Data Center software. One of these vulnerabilities was in their widget connector and assigned CVE-2019-3396, enabling an attacker to inject commands into ‘_template’ to achieve unauthenticated remote code execution. Unauthenticated remote code execution attacks are the golden goose for malicious actors as it allows them to rapidly gain complete control over the victim host. It also allows the most effective platform for persistence and future lateral movement.

Proof of concept code for the vulnerability was made available in the public domain on the April 10 and by the next day we were observing the first weaponized attack attempts using this new vector. This emphasizes yet again the critical nature of patching as a core component of your security protection. Don’t wait until exploit code appears in the public domain, or you are reading this blog, to react. By then it might well be too late.

Within a week of the first exploit code appearing within our data lake we saw the first set of breached customers. The first of these customers was being directed by the malicious payloads to interact with an IP address which is well known and tracked within our dataset – initially due to it being associated with previous widespread successful exploitation of CVE-2017-10271 (an Oracle Weblogic vulnerability which we have previously talked about). The attackers in control of this IP space seem to have rapidly and successfully added this new vector to their arsenal. 

The Payload

The initial payload which executed on the victim connected to the attacker-controlled IP over FTP and fetched a file called win.vm. 

The win.vm file contained a PowerShell script which checked the architecture then fetched the appropriate script from Pastebin and invoked it in to memory.

 

If we decode the PowerShell command in that payload, we get the following, which shows the callout to Pastebin:

Gandcrab

The script hosted on Pastebin and the calling script decoded from win.vm will be familiar to anyone who had researched Gandcrab campaigns earlier in the year and is familiar with the Empire Project. What has changed in this instance is that the delivery mechanism is not a malicious document, such as a compromised word document, or user interaction. Attackers don’t need to use those more scattered attack attempts when an open code execution vulnerability is available.

Specifically, the empire code here:

And here

The script above aims to inject the base64 encoded PE file into the process started from win.vm.  When we decoded and extracted the file, strings identified in the code revealed krab5.dll was being used. This is a strong indication to us that this was a Gandcrab sample that we were looking at, as below.

The link to Gandcrab was enhanced given we also observed calls to sir.vm which downloaded len.exe using known lolbin cerutil. Lolbins are well known standard binaries which attackers use to try and fly under the radar – since they are often present as standard on system and thus draw less attention than use of more esoteric or customer attacker tools. Certutil has been observed in other Gandcrab campaigns to date as a known tactic. The code for sir.vm looks like this:

The payload being delivered by sir.vm is len.exe which ends up being a packed sample of Gandcrab 5.2. Most likely this method of delivery is being used to avoid detection as this was transferred over the wire and not encoded in a script.

Summary

Previous RCE vulnerabilities leveraged by ransomware campaigns include SamSam ransomware, which exploited a Jboss vulnerability in 2016. From 2017 onwards as cryptominer popularity increased we have observed a drop in ransomware being delivered to vulnerable endpoints. This re-emergence of ransomware as the outcome of an unauthenticated remote code execution vulnerability may be an opportunist use of ransomware instead of cryptominers due to the nature of the vulnerability being used. Given that CVE-2019-3396 targets Confluence (which is a wiki platform) then the application in question will potentially hold valuable company information and may not be sufficiently backed up. The attackers may be making a judgement call that the likelihood of pay-out is a sufficiently higher return than could be expected mining cryptocurrency on the host. 

Indicators of Compromise

Command and Control servers

  • 185[.]234[.]218[.]248
  • 188[.]166[.]74[.]218

Pastebin PowerShell script

  • hxxps://pastebin[.]com/raw/VKX98sKj

Hashes

  • 1064e288b3bdc80e8017e6538ffb36a9384afabe3aef8fc48b1bf7b8136754b5 - gandcrab pastebin 
  • 18e67a910c6db2e05481c43c751ab07fab5d8fc36b3c747677d8619202a40ee1 - len.exe

About Alert Logic Threat Research

Alert Logic routinely tracks emerging vulnerabilities and active use of new exploits in the wild. This allows us to keep up with the latest tools, techniques, and practices of attackers and provide protection for our customers for their most critical threats.