Cyber security news for all


Critical Atlassian Flaw Exploited to Spread Linux Variant of Cerber Ransomware

Attackers are exploiting unpatched Atlassian servers to deploy a Linux variant of the Cerber (also known as C3RB3R) ransomware.

The attacks exploit CVE-2023-22518 (CVSS score: 9.1), a critical vulnerability in Atlassian Confluence Data Center and Server that lets an unauthenticated attacker reset Confluence and create an administrator account.

With that access, an attacker can take over affected systems, resulting in a complete loss of confidentiality, integrity, and availability.

According to cloud security firm Cado, financially motivated cybercrime groups have been observed using the newly created admin account to install the Effluence web shell plugin, which allows arbitrary commands to be executed on the host.

“The attacker employs this web shell for fetching and executing the principal Cerber payload,” said Nate Bill, threat intelligence engineer at Cado, in a report shared with The Hacker News.

“In a default setup, the Confluence application operates under the ‘confluence’ user, a user with limited privileges. Consequently, the ransomware’s ability to encrypt data is confined to files owned by the confluence user.”

Notably, the use of CVE-2023-22518 to deliver Cerber ransomware was first reported by Rapid7 in November 2023.

Written in C++, the primary payload acts as a loader for additional C++-based malware, fetching it from a command-and-control (C2) server and then deleting its own traces from the infected host.

One of these is “agttydck.bat,” which is invoked to retrieve the encryptor (“agttydcb.bat”), which the primary payload then launches.

agttydck is thought to act as a permission check for the malware, testing whether it can write to a /tmp/ck.log file. The exact purpose of this check is still unclear.

The encryptor, for its part, walks the root directory and encrypts everything it finds, appending a .L0CK3D extension and dropping a ransom note in each directory. Despite the claims made in the note, no data is exfiltrated.
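A host-triage helper for the indicators described above, added here as an example and not taken from Cado's report or tooling. It inventories files carrying the .L0CK3D extension, groups them by owning uid (which is how the "confined to files owned by the confluence user" point is checked in practice), and looks for the /tmp/ck.log write-probe; the ransom-note filename is a placeholder assumption, since the article does not name it.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".L0CK3D"            # extension the encryptor appends (from the report)
PERMISSION_PROBE = Path("/tmp/ck.log")  # write-probe file used by agttydck (from the report)
NOTE_NAME_HINT = "read-me"              # placeholder: the article does not name the note file


def scan_tree(root, probe_path=PERMISSION_PROBE, note_hint=NOTE_NAME_HINT):
    """Walk `root` and collect the indicators the report describes.

    Returns encrypted files, directories holding a ransom note, a count of
    encrypted files per owning uid (the blast radius), and whether the
    write-probe file exists. Unreadable entries are skipped, not fatal."""
    encrypted, note_dirs, owners = [], set(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(str(p))
                try:
                    owners[p.stat().st_uid] += 1
                except OSError:
                    pass  # e.g. permission denied when running unprivileged
            elif note_hint in name.lower():
                note_dirs.add(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "per_owner": dict(owners),
        "probe_present": Path(probe_path).exists(),
    }


def build_sample_tree():
    """Constructed sample tree imitating a post-encryption Confluence data directory."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    for sub in ("attachments", "index"):
        d = Path(root) / sub
        d.mkdir()
        (d / "file1.bin" + ENCRYPTED_SUFFIX if False else d / ("file1.bin" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
        (d / "read-me.txt").write_text("constructed ransom note text\n")
    (Path(root) / "untouched.log").write_text("normal, unencrypted file\n")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree(), probe_path="/nonexistent/ck.log"))
```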

The most notable aspect of these attacks is the use of pure C++ payloads, which is unusual given the broader shift towards cross-platform languages such as Golang and Rust.

“Cerber constitutes a relatively sophisticated, albeit aging, ransomware payload,” Bill said. “While the exploitation of the Confluence vulnerability permits it to compromise a significant number of likely high-value systems, frequently, its ability to encrypt data is confined to merely the confluence data, and in well-configured systems, this data is typically backed up.”

“This severely curtails the efficacy of the ransomware in extorting money from victims, as there is notably less incentive to comply,” the researcher added.

The development comes amid the emergence of new ransomware families such as Evil Ant, HelloFire, L00KUPRU (a variant of Xorist ransomware), Muliaka (derived from the leaked Conti ransomware code), Napoli (a variant of Chaos ransomware), Red CryptoApp, Risen, and SEXi (derived from the leaked Babuk ransomware code), which target Windows and VMware ESXi servers.

Ransomware actors are also using the leaked LockBit source code to build their own variants, such as Lambda (also known as Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.

Kaspersky's analysis of the leaked LockBit 3.0 builder files revealed the “alarming simplicity” with which attackers can customize the ransomware to their needs and extend it with more potent features.

Kaspersky said it found a customized version capable of spreading across the network via PsExec using stolen administrator credentials, and of carrying out malicious actions such as terminating Microsoft Defender Antivirus and clearing Windows Event Logs in order to encrypt data and cover its tracks.

“This underscores the imperative for robust security measures capable of effectively mitigating such threats, alongside fostering a cybersecurity ethos among employees,” the company said.
