Tuesday, July 2, 2024

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Apr 17, 2024, Newsroom. Encryption / Vulnerability

Cerber Linux Ransomware

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.

The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability affecting Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.

Armed with this access, a threat actor could take control of affected systems, leading to a full loss of confidentiality, integrity, and availability.

According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin, which allows the execution of arbitrary commands on the host.

“The attacker uses this web shell to download and run the primary Cerber payload,” Nate Bill, threat intelligence engineer at Cado, said in a report shared with The Hacker News.

“In a default install, the Confluence application is executed as the ‘confluence’ user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user.”

It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously highlighted by Rapid7 in November 2023.

Written in C++, the primary payload acts as a loader for additional C++-based malware, retrieving it from a command-and-control (C2) server and then erasing its own presence from the infected host.

It includes “agttydck.bat,” which is executed to download the encryptor (“agttydcb.bat”) that is subsequently launched by the primary payload.

It's suspected that agttydck functions as a permission checker for the malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose of this check is unclear.

The encryptor, on the other hand, traverses the root directory and encrypts all contents, appending a .L0CK3D extension. It also drops a ransom note in each directory. However, no data exfiltration takes place, despite claims to the contrary in the note.
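The indicators the article gives for this variant (the .L0CK3D extension appended to encrypted files, a ransom note dropped in each affected directory, the /tmp/ck.log write probe, and the expectation that a default install only exposes files owned by the confluence user) are enough to build a quick host triage scanner. The script below is an added example written for this page; it is not Cado's tooling or code from the report. The ransom note file name is not given in the article, so the scanner does not assume one: it flags any small text file sitting in a directory that also contains .L0CK3D files as a candidate note. The sample directory tree it builds is constructed for illustration and the `confluence-home` path is an assumption, not a documented Confluence location.

```python
"""Filesystem triage for Cerber (C3RB3R) Linux indicators described in the article.

Added example, not code from Cado or The Hacker News. Assumptions are marked inline.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

try:
    import pwd  # Unix only; used to map file owner uids to account names
except ImportError:  # pragma: no cover
    pwd = None

ENCRYPTED_SUFFIX = ".L0CK3D"   # stated in the article
CK_LOG_PATH = "/tmp/ck.log"    # stated in the article (agttydck write probe)
NOTE_MAX_BYTES = 16 * 1024     # assumption: ransom notes are small text files


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)
    candidate_notes: list = field(default_factory=list)
    impacted_dirs: set = field(default_factory=set)
    owners: Counter = field(default_factory=Counter)  # which accounts' files got hit
    ck_log_present: bool = False


def _looks_like_text(path):
    """Cheap text heuristic: no NUL byte in the first 512 bytes."""
    try:
        with open(path, "rb") as fh:
            return b"\x00" not in fh.read(512)
    except OSError:
        return False


def _owner_name(path):
    """Resolve the owning account of a file; fall back to the numeric uid."""
    uid = os.stat(path).st_uid
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def scan_tree(root, ck_log_path=CK_LOG_PATH):
    """Walk `root` and collect the indicators; only directories holding .L0CK3D files
    are treated as impacted, so untouched parts of the tree are not reported."""
    report = TriageReport(ck_log_present=os.path.exists(ck_log_path))
    for dirpath, _dirnames, filenames in os.walk(root):
        if not any(name.endswith(ENCRYPTED_SUFFIX) for name in filenames):
            continue
        report.impacted_dirs.add(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(full)
                report.owners[_owner_name(full)] += 1
            elif os.path.getsize(full) <= NOTE_MAX_BYTES and _looks_like_text(full):
                # Non-encrypted small text file next to encrypted ones: likely the note.
                report.candidate_notes.append(full)
    return report


def build_sample_tree():
    """Constructed sample tree (not a real victim image). Returns its root path."""
    root = tempfile.mkdtemp(prefix="cerber-triage-")
    home = os.path.join(root, "confluence-home")          # assumed layout
    os.makedirs(os.path.join(home, "attachments"))
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "untouched"))
    for rel in ("confluence.cfg.xml.L0CK3D", "attachments/design.pdf.L0CK3D"):
        with open(os.path.join(home, rel), "wb") as fh:
            fh.write(os.urandom(64))                      # stand-in for ciphertext
    for rel in ("note.txt", "attachments/note.txt"):
        with open(os.path.join(home, rel), "w") as fh:
            fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(root, "untouched", "readme.txt"), "w") as fh:
        fh.write("not affected\n")
    with open(os.path.join(root, "tmp", "ck.log"), "w") as fh:
        fh.write("")                                      # constructed write-probe marker
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    rep = scan_tree(sample_root, ck_log_path=os.path.join(sample_root, "tmp", "ck.log"))
    print("ck.log marker present:", rep.ck_log_present)
    print("impacted directories:", len(rep.impacted_dirs))
    print("encrypted files:", len(rep.encrypted_files))
    print("candidate ransom notes:", rep.candidate_notes)
    print("owners of encrypted files:", dict(rep.owners))
```

On a real host you would run `scan_tree("/")` as a read-only step before any recovery; the owner counter is the quick check for the article's point that a default deployment confines the damage to the confluence account, and any other owner appearing there means the process was running with more privilege than it should have had.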

The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming something of a rarity given the shift to cross-platform programming languages like Golang and Rust.

“Cerber is a relatively sophisticated, albeit aging, ransomware payload,” Bill said. “While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up.”

“This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up,” the researcher added.

The development coincides with the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been observed targeting Windows and VMware ESXi servers.

Ransomware actors are also taking advantage of the leaked LockBit ransomware source code to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.

The latter's analysis of the leaked LockBit 3.0 builder files has revealed the “alarming simplicity” with which attackers can craft bespoke ransomware and augment their capabilities with more potent features.

Kaspersky said it uncovered a tailored version with the ability to spread across the network via PsExec by taking advantage of stolen administrator credentials and performing malicious actions, such as terminating Microsoft Defender Antivirus and erasing Windows Event Logs, in order to encrypt the data and cover its tracks.

“This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees,” the company said.
