Cerber Linux Ransomware

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.

The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.

Armed with this access, a threat actor could take over affected systems, leading to a full loss of confidentiality, integrity, and availability.

According to cloud security firm Cado, financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and allow for the execution of arbitrary commands on the host.

"The attacker uses this web shell to download and run the primary Cerber payload," Nate Bill, threat intelligence engineer at Cado, said in a report shared with The Hacker News.

"In a default install, the Confluence application is executed as the 'confluence' user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user."


It's worth noting that the exploitation of CVE-2023-22518 to deploy Cerber ransomware was previously highlighted by Rapid7 in November 2023.

Written in C++, the primary payload acts as a loader for additional C++-based malware by retrieving them from a command-and-control (C2) server and then erasing its own presence from the infected host.

It includes "agttydck.bat," which is executed to download the encryptor ("agttydcb.bat") that's subsequently launched by the primary payload.

It's suspected that agttydck functions akin to a permission checker for the malware, assessing its ability to write to a /tmp/ck.log file. The exact purpose of this check is unclear.

The encryptor, on the other hand, traverses the root directory and encrypts all contents with a .L0CK3D extension. It also drops a ransom note in each directory. However, no data exfiltration takes place despite claims to the contrary in the note.

The most interesting aspect of the attacks is the use of pure C++ payloads, which are becoming something of a rarity given the shift to cross-platform programming languages like Golang and Rust.

"Cerber is a relatively sophisticated, albeit aging, ransomware payload," Bill said. "While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up."

"This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up," the researcher added.

The development coincides with the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been spotted targeting Windows and VMware ESXi servers.

Ransomware actors are also taking advantage of the leaked LockBit ransomware source code to spawn their own custom variants like Lambda (aka Synapse), Mordor, and Zgut, according to reports from F.A.C.C.T. and Kaspersky.

The latter's analysis of the leaked LockBit 3.0 builder files has revealed the "alarming simplicity" with which attackers can craft bespoke ransomware and augment their capabilities with more potent features.

Kaspersky said it uncovered a tailored version with the ability to spread across the network via PsExec by taking advantage of stolen administrator credentials and performing malicious activities, such as terminating Microsoft Defender Antivirus and erasing Windows Event Logs in order to encrypt the data and cover its tracks.

"This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees," the company said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.