Threat actors are exploiting critical vulnerabilities in Atlassian servers to deploy a Linux variant of Cerber ransomware.
This exploitation, centered around the CVE-2023-22518 vulnerability, has exposed serious weaknesses in the Atlassian Confluence Data Center and Server, allowing malicious actors to reset Confluence and create administrator accounts with impunity.
The vulnerability, rated at a CVSS score of 9.1, provides attackers with unfettered access to compromised systems. With the newfound administrative privileges, cybercriminals have been observed leveraging the Effluence web shell plugin to execute arbitrary commands, ultimately leading to the deployment of Cerber ransomware.
Nate Bill, a threat intelligence engineer at Cado, highlighted the gravity of the situation in a recent report. He emphasized how attackers use the web shell to download and execute Cerber, encrypting files under the ‘confluence’ user’s ownership. Although running as the ‘confluence’ user limits which data the ransomware can reach, it still poses a significant threat to organizations relying on Atlassian’s Confluence.
Cerber’s Deployment Explained
What sets this attack apart is Cerber’s deployment strategy. Written in C++, the ransomware employs a sophisticated loader to retrieve additional C++-based malware from a command-and-control server, before erasing its own tracks on the infected host. The malicious payload encrypts files indiscriminately across the root directory, appending a ‘.L0CK3D’ extension and leaving ransom notes in each affected directory.
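A defender-side triage scanner for the impact just described, added here as an example (it is not the article's or Cado's code): it walks a directory tree and reports, per directory, files carrying the ‘.L0CK3D’ extension and whether a ransom note is present. The article does not name the ransom-note file, so RANSOM_NOTE_NAME is an assumed placeholder, and the sample tree the scanner runs over is constructed.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Indicator named in the article: the extension Cerber appends to encrypted files.
ENCRYPTED_EXT = ".L0CK3D"
# The article does not name the ransom-note file; this is a placeholder
# (assumption) to be replaced with the name observed in your own incident.
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"

@dataclass
class DirFindings:
    encrypted: list = field(default_factory=list)  # encrypted file names
    has_note: bool = False                         # ransom note present?

def scan_tree(root):
    """Walk root; return {directory: DirFindings} for directories showing impact."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        enc = sorted(f for f in files if f.endswith(ENCRYPTED_EXT))
        note = RANSOM_NOTE_NAME in files
        if enc or note:  # skip clean directories
            findings[dirpath] = DirFindings(encrypted=enc, has_note=note)
    return findings

def summarize(findings):
    """Scoping counts a responder needs: hit directories, encrypted files, notes."""
    return {
        "dirs_hit": len(findings),
        "encrypted_files": sum(len(d.encrypted) for d in findings.values()),
        "ransom_notes": sum(1 for d in findings.values() if d.has_note),
    }

def build_sample_tree(base):
    """Constructed sample layout (not real data) mimicking the described impact."""
    layout = {
        "attachments": ["report.docx.L0CK3D", "plan.xlsx.L0CK3D", RANSOM_NOTE_NAME],
        "logs": ["catalina.out"],       # untouched directory, must not be reported
        "index": ["segments.L0CK3D"],   # encrypted but note missing: still reported
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(base, rel), exist_ok=True)
        for n in names:
            with open(os.path.join(base, rel, n), "wb") as fh:
                fh.write(b"\x00sample")  # contents do not matter for the scan

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))
```

Point scan_tree at the Confluence data directory (or the root, since the article says encryption is not confined to one path) to size the impact before restoring from backup.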
Interestingly, this campaign reveals a shift back to pure C++ payloads amidst a trend favoring cross-platform languages like Golang and Rust. While Cerber is not new, its integration with Atlassian vulnerabilities demonstrates an evolving threat landscape where established ransomware strains adapt to exploit high-value targets.
Bill cautioned that despite Cerber’s capabilities, its impact may be mitigated by robust data backup practices. In well-configured systems, the ransomware’s reach could be contained, reducing the incentive for victims to pay ransoms. However, the broader context reveals a concerning trend of ransomware evolution, with new variants like Evil Ant, HelloFire, and others targeting Windows and VMware ESXi servers.
Bespoke Variants of Ransomware Continue to Emerge
Moreover, the leaking of ransomware source codes like LockBit has empowered threat actors to craft bespoke variants such as Lambda, Mordor, and Zgut, adding layers of complexity to an already dire cybersecurity landscape. Kaspersky’s analysis of the leaked LockBit 3.0 builder files revealed alarming simplicity in creating customized ransomware capable of network-wide propagation and sophisticated evasion tactics.
It is also noteworthy that this is not the first case of ransomware operators exploiting CVE-2023-22518 and Atlassian vulnerabilities.