Critical Atlassian Vulnerability Exploited to Deploy Cerber Ransomware

April 17, 2024

Cybercriminals are exploiting a critical vulnerability in unpatched Atlassian servers to deploy a Linux variant of the Cerber ransomware. The attacks exploit CVE-2023-22518, an improper authorization flaw in Atlassian Confluence Data Center and Server. It lets an unauthenticated attacker reset a Confluence instance and create an administrator account on it. With that account, an attacker can take full control of the affected system, leading to a complete loss of confidentiality, integrity and availability.

According to cloud security company Cado Security, financially motivated cybercrime groups have been observed using the newly created admin account to install the Effluence web shell plugin, which lets them execute arbitrary commands on the host. As Nate Bill, a threat intelligence engineer at Cado, explained, "The attacker uses this web shell to download and run the primary Cerber payload."
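The chain described above (unauthenticated reset, new admin account, plugin install) leaves a recognisable trail in the Confluence access log. The following detection script is an added example written for this page; it is not Cado's or Atlassian's code. It assumes two things the article itself does not state: that the reset is triggered through the /json/setup-restore endpoints Atlassian's advisory told operators to block, and that a plugin installed through the web UI arrives via the Universal Plugin Manager's /rest/plugins/1.0/ upload endpoint. The log lines are constructed samples in Tomcat's common log format; adjust LOG_RE to whatever AccessLogValve pattern your server.xml uses.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Restore endpoints that Atlassian's advisory told operators to block as an
# interim mitigation for CVE-2023-22518 (external fact, not from this article).
# The prefix also matches setup-restore-local.action and setup-restore-progress.action.
RESTORE_PREFIX = "/json/setup-restore"
# Universal Plugin Manager upload endpoint; the assumed route for installing the
# Effluence web shell plugin once the attacker has an admin account.
PLUGIN_UPLOAD_PREFIX = "/rest/plugins/1.0/"

# Tomcat-style access log line (common log format). The exact pattern depends
# on the AccessLogValve in your server.xml, so adjust LOG_RE to match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Request:
    ip: str
    user: str
    when: datetime
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(
        ip=m.group("ip"),
        user=m.group("user"),
        when=datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        method=m.group("method"),
        path=m.group("target").split("?", 1)[0],   # drop the query string
        status=int(m.group("status")),
    )


def is_restore_request(r: Request) -> bool:
    # Any hit on the restore endpoints is worth seeing; a 200 on a POST is the
    # signature of a successful reset.
    return r.path.startswith(RESTORE_PREFIX)


def is_plugin_upload(r: Request) -> bool:
    return r.method == "POST" and r.path.startswith(PLUGIN_UPLOAD_PREFIX)


def find_attack_chains(lines, window=timedelta(hours=1)):
    """Group requests by client IP and report every IP that touched a restore
    endpoint, with the number of plugin uploads it made within `window` of
    its first restore request. Plugin uploads by other IPs (a legitimate
    admin, say) are ignored."""
    by_ip = {}
    for r in filter(None, map(parse_line, lines)):
        by_ip.setdefault(r.ip, []).append(r)

    chains = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.when)
        restores = [r for r in reqs if is_restore_request(r)]
        if not restores:
            continue
        first = restores[0].when
        uploads = [r for r in reqs
                   if is_plugin_upload(r) and first <= r.when <= first + window]
        chains.append({
            "ip": ip,
            "first_seen": first.isoformat(),
            "successful_restore_posts": sum(
                1 for r in restores if r.method == "POST" and r.status == 200),
            "plugin_uploads_after_restore": len(uploads),
        })
    return chains


# Constructed sample: an attacker at 198.51.100.7 resets the instance, logs in
# with the admin account the restore created, and uploads a plugin; a real
# admin at 10.0.0.12 uploads a plugin hours later without any restore call.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [15/Apr/2024:03:12:09 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '198.51.100.7 - - [15/Apr/2024:03:12:11 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 214',
    '198.51.100.7 - - [15/Apr/2024:03:12:40 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 98',
    '198.51.100.7 - - [15/Apr/2024:03:14:02 +0000] "POST /dologin.action HTTP/1.1" 302 0',
    '198.51.100.7 - - [15/Apr/2024:03:14:30 +0000] "POST /rest/plugins/1.0/?token=abc HTTP/1.1" 202 311',
    '10.0.0.12 - jsmith [15/Apr/2024:09:01:00 +0000] "GET /dashboard.action HTTP/1.1" 200 11890',
    '10.0.0.12 - jsmith [15/Apr/2024:09:05:17 +0000] "POST /rest/plugins/1.0/ HTTP/1.1" 202 311',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for chain in find_attack_chains(SAMPLE_ACCESS_LOG):
        print(chain)
```

Run it against the real access log with `find_attack_chains(open(path).read().splitlines())`. A single GET to a restore endpoint from an internet-facing address is already a reason to look closer; a POST that returned 200 followed by a plugin upload from the same source is the full chain the article describes, and the host should be treated as compromised regardless of whether the ransomware stage ran.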

Exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously reported by Rapid7 in November 2023. The primary payload, written in C++, acts as a loader for additional C++-based malware: it fetches them from a command-and-control (C2) server and then deletes itself from the infected host.

The ransomware encrypts all contents in the root directory, appending a .L0CK3D extension to each file, and drops a ransom note in every directory it touches. Contrary to the note's claims, however, no data exfiltration occurs. The use of pure C++ payloads is notable, as it is becoming rare with the shift to cross-platform languages such as Golang and Rust.

As Bill stated, "Cerber is a relatively sophisticated, albeit aging, ransomware payload." While the Confluence vulnerability lets it compromise a large number of likely high-value systems, the data it can encrypt is usually limited to the Confluence data: the payload runs with the privileges of the Confluence service account and can only overwrite files that account is permitted to write. In well-configured systems, that data will be backed up, which greatly reduces the ransomware's leverage, since victims have far less incentive to pay.
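The two points above, the on-disk artifacts (.L0CK3D files plus a note in each directory) and the claim that the damage is normally confined to Confluence's own data, can both be checked with a filesystem triage pass over a mounted image of the affected host. The script below is an added example for this page, not code from Cado or from the Cerber report. The article does not name the ransom note, so the note heuristic is simply "the single file left unencrypted beside the encrypted ones"; the sample directory layout, the placeholder note name ransom-note.txt and the Confluence home path are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".L0CK3D"   # extension this Cerber variant appends


def _is_under(path: Path, parent: Path) -> bool:
    """True if `path` is `parent` or lies beneath it (both already resolved)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def triage_tree(root, confluence_home=None):
    """Walk `root` and summarise Cerber-style damage.

    Reports the directories that hold .L0CK3D files, a candidate ransom note
    per directory (the report says one is dropped in every directory but does
    not name it, so the heuristic is 'the single non-encrypted file left
    beside the encrypted ones'), and how many encrypted files lie outside
    `confluence_home`, which is the quick way to tell whether the damage is
    confined to the Confluence data that should be covered by backups."""
    root = Path(root)
    home = Path(confluence_home).resolve() if confluence_home else None
    summary = {
        "encrypted_files": 0,
        "encrypted_dirs": [],
        "note_candidates": [],
        "outside_confluence_home": 0,
    }
    for dirpath, _subdirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(ENCRYPTED_SUFFIX)]
        if not encrypted:
            continue
        d = Path(dirpath)
        summary["encrypted_files"] += len(encrypted)
        summary["encrypted_dirs"].append(str(d))
        others = [f for f in files if not f.endswith(ENCRYPTED_SUFFIX)]
        if len(others) == 1:
            summary["note_candidates"].append(str(d / others[0]))
        if home is not None and not _is_under(d.resolve(), home):
            summary["outside_confluence_home"] += len(encrypted)
    return summary


def build_sample_tree():
    """Construct a throwaway directory layout that mimics a hit host (sample
    data, not a real incident). Returns (tree_root, confluence_home)."""
    base = Path(tempfile.mkdtemp(prefix="cerber-triage-"))
    home = base / "var" / "atlassian" / "application-data" / "confluence"
    note = "ransom-note.txt"   # placeholder name; the real note's name is not in the report
    layout = {
        home / "attachments" / "ver003": ["p1.dat" + ENCRYPTED_SUFFIX, "p2.dat" + ENCRYPTED_SUFFIX, note],
        home / "backups": ["backup-2024_04_14.zip" + ENCRYPTED_SUFFIX, note],
        home / "logs": ["atlassian-confluence.log"],          # untouched directory
        base / "etc": ["motd" + ENCRYPTED_SUFFIX, note],      # outside Confluence home
    }
    for d, names in layout.items():
        d.mkdir(parents=True)
        for name in names:
            (d / name).write_bytes(b"sample")
    return base, home


if __name__ == "__main__":
    tree, conf_home = build_sample_tree()
    print(triage_tree(tree, conf_home))
```

Point `triage_tree` at a read-only mount of the disk image rather than the live host, and pass the real Confluence home directory as `confluence_home`. A non-zero `outside_confluence_home` count means the process that ran the encryptor had write access beyond the Confluence data, which is the case to investigate for privilege escalation or an over-permissive service account rather than restoring from backup and moving on.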

New ransomware families targeting Windows and VMware ESXi servers have also been observed, and cybercriminals are leveraging the leaked LockBit ransomware source code to build their own custom variants. Kaspersky's analysis of the leaked LockBit 3.0 builder files revealed the "alarming simplicity" with which attackers can craft bespoke ransomware and augment it with more potent features. Among the samples it found was a tailored version that spreads across the network via PsExec using stolen administrator credentials, then terminates Microsoft Defender Antivirus and erases Windows Event Logs before encrypting data, to cover its tracks.

Kaspersky emphasized the need for robust security measures capable of mitigating this kind of threat, as well as fostering a cybersecurity culture among employees.
