Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.
Armed with this access, a threat actor could take over affected systems, leading to a full loss of confidentiality, integrity, and availability.
According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and allow for the execution of arbitrary commands on the host.
"The attacker uses this web shell to download and run the primary Cerber payload," Nate Bill, threat intelligence engineer at Cado, said in a report shared with The Hacker News.
"In a default install, the Confluence application is executed as the 'confluence' user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user."
It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously highlighted by Rapid7 in November 2023.
Written in C++, the primary payload acts as a loader for additional C++-based malware, retrieving it from a command-and-control (C2) server and then erasing its own presence from the infected host.
It includes "agttydck.bat," which is executed to download the encryptor ("agttydcb.bat") that's subsequently launched by the primary payload.
It's suspected that agttydck functions akin to a permission checker for the malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose of this check is unclear.
The encryptor, on the other hand, traverses the root directory and encrypts all contents with a .L0CK3D extension. It also drops a ransom note in each directory. However, no data exfiltration takes place despite claims to the contrary in the note.
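A defender's triage scan built around the indicators described above (an added example, not Cado's or Rapid7's tooling): it walks a tree, reports each directory that contains .L0CK3D files with a count, the unencrypted files left beside them (candidate ransom notes, since the note's filename is not given), and the owning users, which should collapse to the confluence account on a default install. `build_sample_tree` constructs a throwaway sample layout; the /tmp/ck.log artifact is a plain existence check and is left out.

```python
# Added triage scan for the Linux Cerber (C3RB3R) indicators in the report:
# encrypted files end in .L0CK3D; the ransom-note filename is not stated, so
# any non-.L0CK3D file in an affected directory is listed for analyst review.
import os
import pwd
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".L0CK3D"

def owner_name(path):
    """Owner as a username; numeric uid if unresolvable; '?' if unreadable."""
    try:
        uid = os.stat(path).st_uid
    except OSError:
        return "?"
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def scan_tree(root):
    """Return {relative_dir: {encrypted, candidate_notes, owners}} for every
    directory under root holding at least one .L0CK3D file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        enc = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        if not enc:
            continue
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": len(enc),
            "candidate_notes": sorted(f for f in files if f not in enc),
            # Encryption is bounded by the confluence user's file ownership, so
            # a single owner across all hits is consistent with the report.
            "owners": sorted({owner_name(os.path.join(dirpath, f)) for f in enc}),
        }
    return report

def build_sample_tree():
    """Constructed sample layout (not victim data) so the scan can be dry-run."""
    base = Path(tempfile.mkdtemp(prefix="c3rb3r-triage-"))
    hit, clean = base / "confluence-data", base / "var" / "log"
    for d in (hit, clean):
        d.mkdir(parents=True)
    for name in ("report.pdf.L0CK3D", "notes.txt.L0CK3D", "NOTE_PLACEHOLDER.txt"):
        (hit / name).write_text("sample")
    (clean / "syslog").write_text("sample")
    return str(base)
```

Run `scan_tree("/")` (or the Confluence data directory) as a user that can read it; a report spanning many owners would contradict the low-privilege picture in the article and is worth a closer look.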
The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming something of a rarity given the shift to cross-platform programming languages like Golang and Rust.
"Cerber is a relatively sophisticated, albeit aging, ransomware payload," Bill said. "While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up."
"This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up," the researcher added.
The development coincides with the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been spotted targeting Windows and VMware ESXi servers.
Ransomware actors are also taking advantage of the leaked LockBit ransomware source code to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.
The latter's analysis of the leaked LockBit 3.0 builder files has revealed the "alarming simplicity" with which attackers can craft bespoke ransomware and augment their capabilities with more potent features.
Kaspersky said it uncovered a tailored version with the ability to spread across the network via PsExec by taking advantage of stolen administrator credentials and performing malicious activities, such as terminating Microsoft Defender Antivirus and erasing Windows Event Logs in order to encrypt the data and cover its tracks.
"This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees," the company said.