A large botnet is currently targeting vulnerable versions of Atlassian's Confluence collaboration server, attempting to abuse them for distributed denial of service attacks, remote code execution and crypto-currency mining, researchers warn.
Security vendor Trend Micro said its honeypots caught a variant of the AESDDoS malware that exploits a critical server-side template injection vulnerability in the Confluence Widget Connector macro.
Atlassian issued a security advisory on March 20, along with patches for Confluence Server and Confluence Data Center. Versions 6.6.0-6.6.11, 6.7.0-6.12.2, 6.13.0-6.13.2 and 6.14.0-6.14.2 are all vulnerable, Atlassian said.
The fixed versions are 6.6.12, 6.12.3, 6.13.3 and 6.14.2 and later.
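A defender's first job on reading the advisory is to find which Confluence instances in an estate still fall inside the affected ranges. The following is an added example (not code from the article, Trend Micro or Atlassian) that encodes the version ranges and fixing releases exactly as listed above and checks an inventory of hostname-to-version pairs; the inventory is constructed, and where the vulnerable range and the fixed version meet at 6.14.2 the fixed version is assumed to be authoritative.

```python
from typing import Dict, Optional, Tuple

# Vulnerable ranges and fixing release per branch, as listed in the article:
# (inclusive lower bound, inclusive upper bound, first fixed version).
AFFECTED = [
    ((6, 6, 0), (6, 6, 11), (6, 6, 12)),
    ((6, 7, 0), (6, 12, 2), (6, 12, 3)),
    ((6, 13, 0), (6, 13, 2), (6, 13, 3)),
    ((6, 14, 0), (6, 14, 2), (6, 14, 2)),
]


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; trailing qualifiers like '-rc1' are dropped."""
    core = s.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Confluence version string: {s!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:          # '6.13' is treated as 6.13.0
        nums.append(0)
    return nums[0], nums[1], nums[2]


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to, or None if the version is outside
    every range the advisory lists (or already at/above its fixing release)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        # Assumption: the fixing release bounds the range, so 6.14.2 itself
        # counts as patched even though the article's range text runs up to it.
        if low <= v <= high and v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host still exposed to the release it should be upgraded to."""
    needs_patch = {}
    for host, ver in inventory.items():
        fix = fix_for(ver)
        if fix is not None:
            needs_patch[host] = fix
    return needs_patch


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "wiki-01.example.test": "6.10.1",
    "wiki-02.example.test": "6.13.3",
    "wiki-03.example.test": "6.14.1",
    "wiki-04.example.test": "6.15.0",
}
```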
"A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance," Atlassian wrote in its security advisory.
Trend Micro said it saw an attacker exploit the vulnerability by remotely executing a shell command to download and run a malicious script; this would download another script that installed a variant of AESDDoS.
AESDDoS can launch an array of DDoS attacks and receive remote shell commands, and it exfiltrates system information that the operators use to decide whether to load crypto-currency miners onto infected machines.
The malware is also called Dofloo.iataq and Flooder-PI by other security vendors.