Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.
Armed with this access, a threat actor could take over affected systems, leading to a full loss of confidentiality, integrity, and availability.
According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and allow for the execution of arbitrary commands on the host.
“The attacker uses this web shell to download and run the primary Cerber payload,” Nate Bill, threat intelligence engineer at Cado, said in a report shared with The Hacker News.
“In a default install, the Confluence application is executed as the ‘confluence’ user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user.”
It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously highlighted by Rapid7 in November 2023.
Written in C++, the primary payload acts as a loader for additional C++-based malware, retrieving them from a command-and-control (C2) server and then erasing its own presence from the infected host.
It includes “agttydck.bat,” which is executed to download the encryptor (“agttydcb.bat”) that is subsequently launched by the primary payload.
It's suspected that agttydck functions as a permission checker for the malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose of this check is unclear.
The encryptor, on the other hand, traverses the root directory and encrypts all contents, appending a .L0CK3D extension. It also drops a ransom note in every directory. However, no data exfiltration takes place despite claims to the contrary in the note.
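The encryptor behaviour described above (files renamed with a .L0CK3D extension, a ransom note dropped per directory, and the /tmp/ck.log write check) gives a defender three host-side indicators to triage for. The script below is an added example, not code from Cado or The Hacker News: it walks a directory tree read-only, collects those indicators and returns them as a structured result. The ransom note filename is not given in the article, so the `RANSOM_NOTE_HINTS` substrings are an assumption to be replaced with the name observed on the host; the sample directory tree it scans is constructed for the demonstration.

```python
"""Read-only triage for the Cerber/C3RB3R Linux indicators named in the article:
files renamed with .L0CK3D, a ransom note per traversed directory, and the
/tmp/ck.log file written by the agttydck permission-check stage."""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".L0CK3D"                       # extension from the article
CK_LOG_PATH = "/tmp/ck.log"                      # path from the article
# ASSUMPTION: the article does not name the ransom note; replace with the
# filename actually observed on the affected host.
RANSOM_NOTE_HINTS = ("read-me", "ransom", "l0ck3d")


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    note_dirs: list = field(default_factory=list)
    ck_log_present: bool = False

    @property
    def likely_infected(self) -> bool:
        # Encrypted files together with at least one note is a strong signal;
        # ck.log on its own is weak (its purpose is unclear per the article).
        return bool(self.encrypted_files) and bool(self.note_dirs)


def _looks_like_note(name: str) -> bool:
    lower = name.lower()
    return lower.endswith(".txt") and any(h in lower for h in RANSOM_NOTE_HINTS)


def scan_for_cerber_indicators(root: str, ck_log_path: str = CK_LOG_PATH) -> ScanResult:
    """Walk `root` and collect indicators without opening or modifying any file."""
    result = ScanResult(ck_log_present=os.path.isfile(ck_log_path))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(os.path.join(dirpath, name))
            elif _looks_like_note(name):
                result.note_dirs.append(dirpath)
    return result


def build_sample_tree() -> str:
    """Constructed fixture resembling a hit on a confluence-owned data directory."""
    root = tempfile.mkdtemp(prefix="cerber-demo-")
    for sub in ("attachments", os.path.join("attachments", "2024"), "backups"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "attachments", "page1.xml.L0CK3D"), "wb") as f:
        f.write(b"\x00constructed ciphertext\x00")
    with open(os.path.join(root, "attachments", "2024", "img.png.L0CK3D"), "wb") as f:
        f.write(b"\x00constructed ciphertext\x00")
    with open(os.path.join(root, "attachments", "read-me.txt"), "w") as f:
        f.write("constructed ransom note text\n")
    with open(os.path.join(root, "backups", "nightly.tar"), "wb") as f:
        f.write(b"untouched")                    # a file the encryptor did not reach
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    # Point the ck.log check inside the fixture so the demo never touches /tmp/ck.log.
    r = scan_for_cerber_indicators(demo_root, ck_log_path=os.path.join(demo_root, "ck.log"))
    print(f"encrypted files: {len(r.encrypted_files)}")
    print(f"directories with a note: {len(r.note_dirs)}")
    print(f"ck.log present: {r.ck_log_present}")
    print(f"likely infected: {r.likely_infected}")
```

On a real host, run it against the Confluence data directory with the default `ck_log_path`; because the article notes that a default install runs as the low-privilege `confluence` user, the files it flags should be confined to that user's ownership, which is itself a useful check on the blast radius.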
The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming something of a rarity given the shift to cross-platform programming languages like Golang and Rust.
“Cerber is a relatively sophisticated, albeit aging, ransomware payload,” Bill said. “While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up.”
“This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up,” the researcher added.
The development comes amid the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been observed targeting Windows and VMware ESXi servers.
Ransomware actors are also leveraging the leaked LockBit ransomware source code to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.
The latter's analysis of the leaked LockBit 3.0 builder files has revealed the “alarming simplicity” with which attackers can craft bespoke ransomware and augment their capabilities with stronger features.
Kaspersky said it uncovered a tailored version with the ability to spread across the network via PsExec by taking advantage of stolen administrator credentials and performing malicious actions, such as terminating Microsoft Defender Antivirus and erasing Windows Event Logs, in order to encrypt the data and cover its tracks.
“This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees,” the company said.