Risk actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
The assaults leverage CVE-2023-22518 (CVSS rating: 9.1), a important security vulnerability impacting the Atlassian Confluence Data Heart and Server that permits an unauthenticated attacker to reset Confluence and create an administrator account.
Armed with this entry, a risk actor may take over affected techniques, resulting in a full lack of confidentiality, integrity, and availability.
In line with cloud security agency Cado, financially motivated cybercrime teams have been noticed abusing the newly created admin account to put in the Effluence net shell plugin and permit for the execution of arbitrary instructions on the host.
“The attacker makes use of this net shell to obtain and run the first Cerber payload,” Nate Invoice, risk intelligence engineer at Cado, stated in a report shared with The Hacker Information.
“In a default set up, the Confluence software is executed because the ‘confluence’ person, a low privilege person. As such, the information the ransomware is ready to encrypt is proscribed to recordsdata owned by the confluence person.”
It is value noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was beforehand highlighted by Rapid7 in November 2023.
Written in C++, the first payload acts as a loader for extra C++-based malware by retrieving them from a command-and-control (C2) server after which erasing its personal presence from the contaminated host.
It consists of “agttydck.bat,” which is executed to obtain the encryptor (“agttydcb.bat”) that is subsequently launched by the first payload.
It is suspected that agttydck features akin to a permission checker for the malware, assessing its capability to jot down to a /tmp/ck.log file. The precise objective of this test is unclear.
The encryptor, alternatively, traverses the foundation listing and encrypts all contents with a .L0CK3D extension. It additionally drops a ransom notice in every listing. Nonetheless, no knowledge exfiltration takes place regardless of claims on the contrary within the notice.
Probably the most attention-grabbing side of the assaults is the usage of pure C++ payloads, which have gotten one thing of a rarity given the shift to cross-platform programming languages like Golang and Rust.
“Cerber is a comparatively refined, albeit getting old, ransomware payload,” Invoice stated. “Whereas the usage of the Confluence vulnerability permits it to compromise a considerable amount of seemingly excessive worth techniques, usually the information it is ready to encrypt will probably be restricted to only the confluence knowledge and in nicely configured techniques this will probably be backed up.”
“This drastically limits the efficacy of the ransomware in extracting cash from victims, as there’s a lot much less incentive to pay up,” the researcher added.
The event comes amid the emergence of recent ransomware households like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (primarily based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Pink CryptoApp, Risen, and SEXi (primarily based on the leaked Babuk ransomware code) which have been noticed concentrating on Home windows and VMware ESXi servers.
Ransomware actors are additionally leveraging the leaked LockBit ransomware supply code to spawn their very own customized variants like Lambda (aka Synapse), Mordor, and Zgut, in accordance with studies from F.A.C.C.T. and Kaspersky.
The latter’s evaluation of the leaked LockBit 3.0 builder recordsdata has revealed the “alarming simplicity” with which attackers can craft bespoke ransomware and increase their capabilities with stronger options.
Kaspersky stated it uncovered a tailor-made model with the power to unfold throughout the community through PsExec by profiting from stolen administrator credentials and performing malicious actions, equivalent to terminating Microsoft Defender Antivirus and erasing Home windows Occasion Logs so as to encrypt the information and canopy its tracks.
“This underscores the necessity for strong security measures able to mitigating this type of risk successfully, in addition to adoption of a cybersecurity tradition amongst workers,” the corporate stated.
