Critical Atlassian flaw exploited to distribute Linux variant of Cerber ransomware

April 17, 2024 | Pressroom | Cryptography/Vulnerabilities


Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of the Cerber ransomware (also known as C3RB3R).

The attacks exploit CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability affecting the Atlassian Confluence server and data center, which allows an unauthenticated attacker to reset Confluence and create an administrator account.

With this access, a threat actor could take over affected systems, resulting in a complete loss of confidentiality, integrity, and availability.

According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created administrator account to install the Effluence web shell plugin, which allows arbitrary commands to be executed on the host.

“The attacker uses this web shell to download and execute the primary Cerber payload,” said Nate Bill, threat intelligence engineer at Cado, in a report shared with The Hacker News.

“In a default installation, the Confluence application runs as user ‘confluence,’ a user with limited privileges. Therefore, the data that the ransomware is able to encrypt is limited to files owned by the confluence user.”


It is worth noting that the exploitation of CVE-2023-22518 to distribute Cerber ransomware was previously highlighted by Rapid7 in November 2023.

Written in C++, the primary payload acts as a loader for additional C++-based malware by fetching it from a command and control (C2) server and then erasing its presence from the infected host.

This includes “agttydck.bat”, which is executed to download the encryptor (“agttydcb.bat”), which is subsequently launched by the primary payload.

It is suspected that agttydck acts as a permission check for the malware, evaluating whether it can write to the file /tmp/ck.log. The exact purpose of this check is unclear.

The encryptor, on the other hand, walks the root directory and encrypts all of its contents, appending a .L0CK3D extension to each file. It also drops a ransom note in each directory. However, despite what the note claims, no data theft takes place.
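A defender-side triage script for the behaviour described above, added here as an example and not code from Cado or the article. It assumes only what the article states: encrypted files carry a .L0CK3D extension, a ransom note is dropped per directory (its filename is not given, so it is passed in), and the encryptor runs as the low-privilege confluence user, so the ownership of encrypted files shows whether the blast radius matched that default.

```python
"""Triage a Linux host for Cerber (C3RB3R) encryption artefacts."""
import os
import pwd
import sys
from collections import Counter

ENCRYPTED_EXT = ".L0CK3D"   # extension reported by Cado
CHECK_FILE = "/tmp/ck.log"  # suspected permission-check artefact (agttydck)


def owner_name(uid):
    """Map a uid to a user name, falling back to the numeric id."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def triage(root, note_name=None):
    """Walk `root` and summarise encrypted files by owning user.

    `note_name` is a placeholder for the ransom-note filename, which the
    article does not give. Returns the encrypted paths, a Counter of
    owners, and the directories in which the note was found.
    """
    encrypted, owners, note_dirs = [], Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        if note_name and note_name in files:
            note_dirs.append(dirpath)
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                path = os.path.join(dirpath, name)
                encrypted.append(path)
                # lstat: do not follow symlinks the attacker may have planted
                owners[owner_name(os.lstat(path).st_uid)] += 1
    return {"encrypted": sorted(encrypted), "owners": owners,
            "note_dirs": sorted(note_dirs)}


def outside_service_account(report, expected_owner="confluence"):
    """Encrypted files owned by anyone but the service account indicate the
    encryptor ran with more privilege than a default install grants."""
    return {o: n for o, n in report["owners"].items() if o != expected_owner}


if __name__ == "__main__":
    rep = triage(sys.argv[1] if len(sys.argv) > 1 else "/")
    print(f"encrypted files: {len(rep['encrypted'])}; owners: {dict(rep['owners'])}")
    print(f"unexpected owners: {outside_service_account(rep)}")
    print(f"{CHECK_FILE} present: {os.path.exists(CHECK_FILE)}")
```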

The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming a rarity given the move to cross-platform programming languages such as Golang and Rust.

“Cerber is relatively sophisticated, if outdated, ransomware,” Bill said. “While use of the Confluence vulnerability allows a large amount of possibly high-value systems to be compromised, often the data it is capable of encrypting will be limited to Confluence data only, and well-configured systems will be backed up.”

“This greatly limits the effectiveness of ransomware in extracting money from victims, as there is much less incentive to pay,” the researcher added.

The development comes as new ransomware families emerge, such as Evil Ant, HelloFire, L00KUPRU (a variant of the Xorist ransomware), Muliaka (based on the leaked Conti ransomware code), Napoli (a variant of the Chaos ransomware), Red CryptoApp, Risen and SEX (based on the leaked Babuk ransomware code), which have been spotted targeting Windows and VMware ESXi servers.


According to reports from FACCT and Kaspersky, ransomware authors are also leveraging the leaked LockBit source code to generate their own custom variants, such as Lambda (aka Synapse), Mordor and Zgut.

Kaspersky’s analysis of the leaked LockBit 3.0 builder files revealed the “alarming simplicity” with which attackers can create bespoke ransomware and augment their capabilities with more powerful features.

Kaspersky said it discovered a tailor-made version with the ability to spread across the network via PsExec using stolen administrator credentials, and to perform malicious actions such as terminating Microsoft Defender Antivirus and wiping Windows event logs in order to encrypt data and cover its tracks.

“This highlights the need for robust security measures that can effectively mitigate this type of threat, as well as the adoption of a cybersecurity culture among employees,” the company said.
