C3RB3R Ransomware Exploits Confluence Vulnerability

February 12, 2024

Arctic Wolf Labs has discovered that the C3RB3R ransomware is being deployed by threat actors exploiting CVE-2023-22527, a critical template injection vulnerability in Atlassian's Confluence Data Center and Server that allows unauthenticated remote code execution. Exploitation attempts began shortly after proof-of-concept exploit code for the vulnerability was publicly released. The attackers have primarily targeted Linux-based Confluence hosts.

The C3RB3R ransomware variant encrypts files on the compromised Linux host, drops 'read-me3.txt' ransom notes throughout the filesystem and appends a '.L0CK3D' extension to each encrypted file. The ransom note and a corresponding log file closely resemble those from a C3RB3R attack on a Windows system reported by Red Canary in November 2023. This is the first known instance of C3RB3R being deployed directly through exploitation of CVE-2023-22527.

Because the affected hosts were encrypted, it is difficult to determine whether all observed payloads were dropped by a single threat group. The rapid public availability of exploit code and the variety of observed attack patterns suggest that multiple threat actors may have exploited the vulnerability, each delivering different payloads.

To protect against this threat, apply the security patches Atlassian has provided for all affected Confluence Data Center and Server versions immediately. Regularly inspecting web access logs for POST requests to the '/template/aui/text-inline.vm' endpoint, and checking 'atlassian-confluence.log' for error messages produced by exploit attempts, can help detect compromise; the 'read-me3.txt' notes and '.L0CK3D' extension are the on-disk indicators that encryption has already taken place. Arctic Wolf Labs has also developed custom Yara rules to identify some of the malicious activity.
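The log and filesystem checks above can be scripted. The following is an added example written for this page, not Arctic Wolf's tooling or Yara rules. It assumes the Confluence front end (Tomcat or a reverse proxy) writes access logs in the common/combined format, which is an assumption; the endpoint path, ransom note name and encrypted-file extension are those the article reports, and the sample log lines and file paths are constructed for illustration.

```python
import os
import re
import sys

# Indicators named in the article.
TARGET_PATH = "/template/aui/text-inline.vm"   # endpoint exploit attempts POST to
RANSOM_NOTE = "read-me3.txt"                   # ransom note dropped by C3RB3R
ENCRYPTED_EXT = ".L0CK3D"                      # extension appended to encrypted files

# Assumption: common/combined access-log format, e.g.
#   203.0.113.10 - - [21/Jan/2024:03:14:07 +0000] "POST /path HTTP/1.1" 200 1456 "-" "UA"
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_exploit_attempts(lines):
    """Return one record per POST to the text-inline.vm endpoint.

    The query string is stripped before matching, and the path is matched by
    suffix so that a Confluence instance served under a context path such as
    /confluence (an assumption) is still caught.
    """
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith(TARGET_PATH):
            hits.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


def find_ransomware_artifacts(paths):
    """Split a list of file paths into ransom notes and encrypted files."""
    notes = [p for p in paths if os.path.basename(p) == RANSOM_NOTE]
    encrypted = [p for p in paths if p.endswith(ENCRYPTED_EXT)]
    return notes, encrypted


def walk_files(root):
    """Yield every file path under root (used when scanning a real host)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed sample log: two POSTs to the endpoint (one via a context path and
# with a query string), one unrelated GET, and one GET to the endpoint.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Jan/2024:03:14:07 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 1456 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [21/Jan/2024:03:14:09 +0000] "GET /login.action HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Jan/2024:03:14:12 +0000] "POST /confluence/template/aui/text-inline.vm?x=1 HTTP/1.1" 200 1456 "-" "curl/8.4.0"',
    '192.0.2.44 - - [21/Jan/2024:03:15:00 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

# Constructed sample file listing from an encrypted host.
SAMPLE_FILES = [
    "/opt/atlassian/confluence/confluence.cfg.xml.L0CK3D",
    "/var/atlassian/application-data/confluence/read-me3.txt",
    "/home/confluence/read-me3.txt",
    "/var/log/atlassian-confluence.log",
]


if __name__ == "__main__":
    # Usage: python detect_c3rb3r.py [access.log] [scan_root]
    if len(sys.argv) >= 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG
    file_list = list(walk_files(sys.argv[2])) if len(sys.argv) >= 3 else SAMPLE_FILES

    for hit in find_exploit_attempts(log_lines):
        print(f"[exploit attempt] {hit['ts']} {hit['client']} POST {hit['path']} -> {hit['status']}")
    notes, encrypted = find_ransomware_artifacts(file_list)
    for p in notes:
        print(f"[ransom note] {p}")
    for p in encrypted:
        print(f"[encrypted file] {p}")
```

Run against the constructed samples, the script reports the two POSTs from 203.0.113.10, both ransom notes and the one '.L0CK3D' file; the GET to the endpoint is deliberately not flagged, since the article names POST requests as the indicator. A 200 response to such a POST is worth escalating even before any ransomware artifacts appear, because it means the payload reached the Velocity template engine on an unpatched instance.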
