Linux Cerber Ransomware Variant Exploits Atlassian Servers

Written by

Threat actors have been observed exploiting unpatched Atlassian servers and deploying a Linux variant of Cerber ransomware, also known as C3RB3R. 

The attacks capitalize on CVE-2023-22518, a critical security vulnerability in Atlassian Confluence Data Center and Server, enabling an unauthenticated attacker to reset Confluence and create an administrator account.

Armed with this access, threat actors gain control over systems, risking loss of confidentiality, integrity and availability. Financially motivated cybercrime groups leverage the newly created admin account to install the Effluence web shell plugin, facilitating arbitrary command execution.

Nate Bill, a threat intelligence engineer at Cado, discussed the findings in a blog post published on Tuesday. He noted that the primary Cerber payload is executed under the ‘confluence’ user, limiting its encryption scope to files owned by that user. This exploitation was previously flagged by Rapid7 in November 2023.

The core component of the ransomware, programmed in C++, acts as a carrier for more harmful software, also written in C++. This additional software is fetched from a central server controlled by the attackers. 

Once its task is complete, the main ransomware component removes itself from the system. Two other components are involved: one checks if the ransomware has the necessary permissions, while the other encrypts files on the computer, rendering them inaccessible until a ransom is paid.

Despite claims in the ransom note, no data exfiltration occurs. According to Bill, the predominance of pure C++ payloads is noteworthy amid the shift to cross-platform languages like Golang and Rust.

The security researcher emphasized Cerber’s sophistication but noted limitations in encrypting only Confluence data, especially in well-configured systems with backups, reducing the incentive for victims to pay.

These developments coincide with the emergence of new ransomware families targeting Windows and VMware ESXi servers. Additionally, ransomware actors are customizing variants using leaked LockBit ransomware source code, highlighting the need for robust security measures and a strong cybersecurity culture among employees.

Read more about these threats: New LockBit Variant Exploits Self-Spreading Features

What’s hot on Infosecurity Magazine?