Atlassian released patches for two critical-severity vulnerabilities affecting Confluence Server and Confluence Data Center on March 20. A server-side template injection in the Widget Connector can lead to remote code execution. Cybercriminals created the first exploit for this security bug and started hitting vulnerable Confluence servers. Other exploits were created and researchers soon saw GandCrab ransomware dropped on vulnerable instances running on Windows. In a report today, Augusto Remillano II and Robert Malagad detail the same vulnerability to deliver a Monero cryptocurrency miner.
Source: https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-install-miners-and-rootkits/