Recent cyberattacks have targeted unpatched Atlassian servers, with threat actors utilizing a Linux variant of the Cerber ransomware, also referred to as C3RB3R. The incidents exploit a critical vulnerability, identified as CVE-2023-22518, which has a CVSS score of 9.1. This vulnerability affects the Atlassian Confluence Data Center and Server, permitting unauthenticated attackers to reset a Confluence instance and establish administrator accounts.
With unauthorized administrative access, attackers can take control of affected systems, resulting in significant compromises to confidentiality, integrity, and availability. Cloud security firm Cado notes that financially motivated threat groups have been seen exploiting these newly created admin accounts to install the Effluence web shell plugin, facilitating arbitrary command execution on the compromised hosts.
Nate Bill, a threat intelligence engineer at Cado, stated that attackers utilize this web shell to download and execute the Cerber payload. In typical installations, the Confluence application runs under the ‘confluence’ user, who has limited privileges. Consequently, the data susceptible to encryption by the ransomware is confined to files owned by this user.
The exploitation of CVE-2023-22518 to facilitate Cerber ransomware deployment has been previously reported by Rapid7, indicating an ongoing trend of attacks leveraging this specific vulnerability. The core payload of Cerber, which is written in C++, functions as a loader for additional C++ malware, retrieving components from a command-and-control server while simultaneously removing its traces from the infected system.
This payload includes “agttydck.bat,” a script executed to download the encryptor, “agttydcb.bat.” Preliminary assessments suggest that “agttydck” may serve as a permission checker for the malware, enabling it to ascertain its ability to write to a specific log file; however, the precise purpose remains ambiguous.
The encryptor walks the filesystem from the root directory and encrypts every file it can write to, appending a .L0CK3D extension to each. A ransom note is then dropped in every affected directory; despite the note's claims, no data exfiltration appears to take place. A notable aspect of these attacks is the use of pure C++ payloads, which contrasts with the rising prevalence of cross-platform languages such as Golang and Rust.
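The two on-disk artefacts described above, files renamed with a .L0CK3D extension and a ransom note in each affected directory, are what an incident responder would sweep a Confluence host for. The following scanner is an added example written for this page; it is not code from the article, Cado or Rapid7. The article does not name the ransom-note file, so `RANSOM_NOTE_NAMES` is an assumed placeholder, and `build_sample_tree` constructs a throwaway directory layout purely so the scanner can be run offline.

```python
"""
Added example (not from the article or the vendors it cites): walk a
directory tree and report Cerber-style artefacts as the article describes
them: files carrying a .L0CK3D extension and a ransom note per directory.
Because the note is said to land in every compromised directory, a
directory with encrypted files but no note is reported as its own signal.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".L0CK3D"                      # extension reported in the article
RANSOM_NOTE_NAMES = {"read-me-to-unlock.txt"}  # ASSUMED placeholder; article gives no filename


def scan_tree(root):
    """Return a summary dict of encrypted files and ransom-note locations under `root`."""
    encrypted = []
    note_dirs = []
    hits_per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                hits_per_dir[dirpath] += 1
            if name in RANSOM_NOTE_NAMES:
                note_dirs.append(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_note_dirs": sorted(note_dirs),
        "dirs_hit": len(hits_per_dir),
        # note expected in every hit directory; its absence is worth flagging
        "dirs_with_encrypted_but_no_note": sorted(set(hits_per_dir) - set(note_dirs)),
    }


def build_sample_tree():
    """Create a constructed, partially encrypted Confluence-like tree in a temp dir."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    layout = {
        "attachments/ver003/report.pdf.L0CK3D": b"\x00" * 16,
        "attachments/ver003/read-me-to-unlock.txt": b"constructed ransom note",
        "index/segments.L0CK3D": b"\x00" * 16,          # hit, but no note dropped here
        "logs/atlassian-confluence.log": b"INFO constructed normal log line",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, value in scan_tree(demo_root).items():
        print(f"{key}: {value}")
```

Run it against the Confluence home directory (or, given the article's note that the process runs as the low-privilege `confluence` user, against whatever that account can write to) to scope the affected set before restoring from backup.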
According to Bill, Cerber exhibits a level of sophistication that belies its age, making it an effective ransomware variant. The accessibility provided by the Confluence vulnerability enables it to compromise numerous high-value systems; however, the potential for damage may be mitigated by the likelihood of affected organizations having regular backups of their Confluence data.
As new ransomware families such as Evil Ant and HelloFire continue to emerge, the landscape remains dynamic. Recent reports also indicate that ransomware actors are building custom variants from the leaked LockBit source code to enhance their operational capabilities.
Kaspersky has highlighted concerns over how straightforward it has become for attackers to create tailored ransomware versions using the leaked LockBit 3.0 builder, a trend that underscores the pressing need for robust cybersecurity measures. Organizations are urged to adopt proactive strategies and cultivate a culture of cybersecurity awareness among employees to mitigate these escalating threats effectively.