Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.

The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability in Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.

Armed with this access, a threat actor could take over affected systems, resulting in a full loss of confidentiality, integrity, and availability.

According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and execute arbitrary commands on the host.

"The attacker uses this web shell to download and run the primary Cerber payload," Nate Bill, threat intelligence engineer at Cado, said in a report shared with The Hacker News.

"In a default install, the Confluence application is executed as the 'confluence' user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user."
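The least-privilege point above is easy to quantify. The following is an added example, not code from Cado, Atlassian or the Cerber sample: it applies the POSIX ownership and mode bits to a constructed directory listing and reports what a process running as a hypothetical `confluence` account (UID/GID 1001 is an assumption) could overwrite in place, and in which directories it could drop a note or rename files. `scan_tree()` builds the same records from a live host so the check can be run against a real install.

```python
"""Blast-radius estimate for a payload running as a non-root service account,
derived from POSIX ownership and mode bits.  Added example; not code from Cado,
Atlassian or the Cerber sample.  SAMPLE is a constructed listing, not a real
Confluence host, and UID/GID 1001 for 'confluence' is an assumption."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int  # st_mode, including the file-type bits
    uid: int
    gid: int


def _has_bit(e, uid, gids, user_bit, group_bit, other_bit):
    """Discretionary access: the owner class decides if we own the file,
    else the group class if we are in its group, else the 'other' bits."""
    if e.uid == uid:
        return bool(e.mode & user_bit)
    if e.gid in gids:
        return bool(e.mode & group_bit)
    return bool(e.mode & other_bit)


def writable(e, uid, gids):
    if uid == 0:  # root bypasses DAC (CAP_DAC_OVERRIDE); not the case for 'confluence'
        return True
    return _has_bit(e, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def searchable(e, uid, gids):
    if uid == 0:
        return True
    return _has_bit(e, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def blast_radius(entries, uid, gids):
    """Return (files the account can overwrite in place, directories in which it
    can create or rename entries).  Encrypting contents needs the write bit on
    the file; dropping a note or renaming x.pdf -> x.pdf.L0CK3D needs write and
    search on the containing directory.  Parent-chain traversal is assumed."""
    files, dirs = [], []
    for e in entries:
        if stat.S_ISDIR(e.mode):
            if writable(e, uid, gids) and searchable(e, uid, gids):
                dirs.append(e.path)
        elif stat.S_ISREG(e.mode) and writable(e, uid, gids):
            files.append(e.path)
    return sorted(files), sorted(dirs)


def scan_tree(root):
    """Build Entry records from a live filesystem; lstat() so symlinks are
    recorded as links and skipped by blast_radius() rather than followed."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(p)
            out.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return out


CONFLUENCE_UID, CONFLUENCE_GID = 1001, 1001  # assumption, see docstring
D, F = stat.S_IFDIR, stat.S_IFREG
HOME = "/var/atlassian/application-data/confluence"
SAMPLE = [  # constructed listing
    Entry(HOME, D | 0o750, 1001, 1001),
    Entry(HOME + "/confluence.cfg.xml", F | 0o640, 1001, 1001),
    Entry(HOME + "/attachments/v4/1/2/design.pdf", F | 0o640, 1001, 1001),
    Entry("/opt/atlassian/confluence/bin/catalina.sh", F | 0o755, 0, 0),
    Entry("/etc/shadow", F | 0o640, 0, 42),
    Entry("/tmp", D | 0o1777, 0, 0),                 # world-writable, sticky
    Entry("/home/alice", D | 0o700, 1000, 1000),
    Entry("/home/alice/notes.txt", F | 0o664, 1000, 1000),
    Entry("/srv/shared/report.docx", F | 0o666, 1000, 1000),  # sloppy perms
    Entry("/srv/backup", D | 0o750, 0, 34),          # root:backup, no 'other' bits
    Entry("/srv/backup/confluence-2024-04-01.tar.gz", F | 0o640, 0, 34),
]


def demo():
    return blast_radius(SAMPLE, CONFLUENCE_UID, frozenset({CONFLUENCE_GID}))


if __name__ == "__main__":
    files, dirs = demo()
    print("overwritable files:", *files, sep="\n  ")
    print("writable directories:", *dirs, sep="\n  ")
```

In the constructed listing only the Confluence home and a world-writable share are exposed; the root-owned backup directory is out of reach, which is exactly the case Cado describes where a well-configured host can restore from backup rather than pay.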

It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously highlighted by Rapid7 in November 2023.

Written in C++, the primary payload acts as a loader for additional C++-based malware, retrieving it from a command-and-control (C2) server and then erasing its own presence from the infected host.

It includes "agttydck.bat," which is executed to download the encryptor ("agttydcb.bat") that is subsequently launched by the primary payload.

It's suspected that agttydck functions as a permission checker for the malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose of this check is unclear.

The encryptor, on the other hand, traverses the root directory and encrypts all contents, appending a .L0CK3D extension. It also drops a ransom note in each directory. However, no data exfiltration takes place, despite claims to the contrary in the note.
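A triage pass for the artifacts just described, written here as an added example rather than Cado's tooling. It counts `.L0CK3D` files per directory, infers the ransom note as the unencrypted file whose bytes recur in every hit directory (the report does not give the note's filename, so `read_me.txt` in the constructed tree is a placeholder), and checks for the `/tmp/ck.log` write-test artifact. `demo()` builds a throwaway sample tree so the script runs offline.

```python
"""Post-incident triage for the encryptor behaviour described above: count
*.L0CK3D files per directory, infer the ransom note as the unencrypted file
whose bytes recur in every hit directory, and check for the /tmp/ck.log
write-test artifact.  Added example, not Cado's tooling.  demo() builds a
constructed sample tree; 'read_me.txt' is a placeholder note name, since the
report quoted here does not give the real one."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".L0CK3D"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, ck_log="/tmp/ck.log"):
    """Walk root (os.walk does not follow symlinked directories by default)
    and return a report dict.  Only directories containing at least one
    *.L0CK3D file are examined for a note."""
    per_dir = {}                       # directory -> number of encrypted files
    digest_dirs = defaultdict(set)     # sha256 of an unencrypted file -> dirs seen in
    digest_name = {}                   # sha256 -> first filename seen with that content
    for dirpath, _, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.endswith(ENCRYPTED_SUFFIX)]
        if not encrypted:
            continue
        per_dir[dirpath] = len(encrypted)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in encrypted or os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            digest_dirs[digest].add(dirpath)
            digest_name.setdefault(digest, name)
    hit_dirs = len(per_dir)
    # The note is dropped in every directory the encryptor touched, so identical
    # bytes present in all hit directories is the signal; requiring >= 2 hit
    # directories avoids flagging a lone file in a single directory.
    notes = [
        {"name": digest_name[d], "sha256": d, "dirs": len(seen)}
        for d, seen in digest_dirs.items()
        if hit_dirs >= 2 and len(seen) == hit_dirs
    ]
    return {
        "encrypted_files": sum(per_dir.values()),
        "hit_dirs": hit_dirs,
        "per_dir": per_dir,
        "note_candidates": notes,
        "ck_log_present": os.path.exists(ck_log),
    }


def demo():
    """Constructed tree mimicking a Confluence home after encryption."""
    base = tempfile.mkdtemp(prefix="l0ck3d-triage-")
    try:
        note = b"Your files are encrypted. (constructed placeholder note)\n"
        layout = {
            "attachments/ver003/1": ["design.pdf.L0CK3D", "notes.docx.L0CK3D"],
            "attachments/ver003/2": ["budget.xlsx.L0CK3D"],
            "index": ["segments.gen.L0CK3D"],
            "logs": ["atlassian-confluence.log"],   # untouched: no note here
        }
        for rel, names in layout.items():
            d = os.path.join(base, rel)
            os.makedirs(d)
            for n in names:
                with open(os.path.join(d, n), "wb") as f:
                    f.write(os.urandom(32) if n.endswith(ENCRYPTED_SUFFIX)
                            else b"2024-04-01 INFO startup\n")
            if any(n.endswith(ENCRYPTED_SUFFIX) for n in names):
                with open(os.path.join(d, "read_me.txt"), "wb") as f:
                    f.write(note)
        ck_log = os.path.join(base, "ck.log")   # stand-in for /tmp/ck.log
        open(ck_log, "wb").close()
        report = triage(base, ck_log=ck_log)
        report["per_dir"] = {os.path.relpath(k, base): v
                             for k, v in report["per_dir"].items()}
        return report
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run `triage("/")` as root on a suspect host with the default `ck_log`; the `per_dir` map doubles as a scoping aid, since under a default install the hits should all sit under paths the `confluence` user owns.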

The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming something of a rarity given the shift to cross-platform programming languages like Golang and Rust.

"Cerber is a relatively sophisticated, albeit aging, ransomware payload," Bill said. "While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up."

"This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up," the researcher added.

The development comes amid the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been observed targeting Windows and VMware ESXi servers.

Ransomware actors are also leveraging the leaked LockBit ransomware source code to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.

The latter's analysis of the leaked LockBit 3.0 builder files has revealed the "alarming simplicity" with which attackers can craft bespoke ransomware and augment their capabilities with more potent features.

Kaspersky said it discovered a tailored version with the ability to spread across the network via PsExec by taking advantage of stolen administrator credentials and performing malicious actions, such as terminating Microsoft Defender Antivirus and erasing Windows Event Logs, in order to encrypt the data and cover its tracks.
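Detection logic for the three behaviours in that paragraph, as an added example (not Kaspersky's or F.A.C.C.T.'s code): a PsExec-style service install, Defender real-time protection being disabled, and event logs being cleared, correlated per host inside a short window. It keys on the standard Windows event IDs for those actions (7045, 5001, 1102 and 104); the hosts, timestamps, user names and the `MonitoringAgent` service are constructed records, not real telemetry.

```python
"""Detection logic for the behaviours attributed above to the custom LockBit
build: a PsExec-style service install, Defender real-time protection being
disabled, and event logs being cleared, correlated per host.  Added example,
not Kaspersky's or F.A.C.C.T.'s code.  The (channel, event ID) pairs are the
standard Windows ones; EVENTS is a constructed sample, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event ID) -> tag.  7045: new service installed; 5001: Defender
# real-time protection disabled; 1102: Security log cleared; 104: another
# log (System/Application/...) cleared, reported in the System channel.
RULES = {
    ("System", 7045): "service_installed",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_rtp_disabled",
    ("Security", 1102): "audit_log_cleared",
    ("System", 104): "log_cleared",
}
TAMPER = {"defender_rtp_disabled", "audit_log_cleared", "log_cleared"}


def classify(ev):
    """Map one event record to a tag, or None if it is not interesting."""
    tag = RULES.get((ev["channel"], ev["event_id"]))
    if tag != "service_installed":
        return tag
    name = ev["data"].get("ServiceName", "").upper()
    image = ev["data"].get("ImagePath", "").upper()
    # PSEXESVC is PsExec's default service name; 'psexec -r' renames it, so
    # the image path is checked too.  Other service installs are ignored here.
    return "psexec_service" if name == "PSEXESVC" or "PSEXESVC" in image else None


def correlate(events, window_minutes=10):
    """Per host: remote-exec service install plus Defender/log tampering inside
    the window -> high; tampering alone -> medium; anything else tagged -> low."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts as text
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    findings = []
    for host, tagged in by_host.items():
        tags = {t for _, t in tagged}
        span = tagged[-1][0] - tagged[0][0]
        if "psexec_service" in tags and tags & TAMPER and span <= window:
            sev = "high"
        elif tags & TAMPER:
            sev = "medium"
        else:
            sev = "low"
        findings.append({"host": host, "severity": sev, "tags": sorted(tags)})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["host"]))


DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
EVENTS = [  # constructed records
    {"time": "2024-04-01T02:10:05", "host": "FS01", "channel": "System", "event_id": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"time": "2024-04-01T02:10:30", "host": "FS01", "channel": DEFENDER, "event_id": 5001,
     "data": {}},
    {"time": "2024-04-01T02:11:02", "host": "FS01", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "svc-backup"}},
    {"time": "2024-04-01T02:11:03", "host": "FS01", "channel": "System", "event_id": 104,
     "data": {"Channel": "System"}},
    # benign service install on another host, nothing else happening there
    {"time": "2024-04-01T09:00:00", "host": "WS17", "channel": "System", "event_id": 7045,
     "data": {"ServiceName": "MonitoringAgent", "ImagePath": r"C:\Program Files\Agent\agent.exe"}},
    # a lone Security-log clear: worth a look, but nothing to correlate it with
    {"time": "2024-04-01T12:00:00", "host": "WS22", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "admin"}},
]


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['severity']:6} {f['host']:5} {', '.join(f['tags'])}")
```

The cleared-log events are the important ones to forward off-host: once the Security log is wiped, 1102 is often the only record left locally, so the correlation only works when events are shipped to a collector before the clear.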

"This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees," the company said.
