Threat Actors Deploy Cerber Ransomware on Atlassian Servers Using CVE-2023-22518 Exploit

by | Apr 18, 2024 | News


Cerber Ransomware Exploits Critical Atlassian Flaw to Target Confluence Servers

Threat actors have been leveraging a critical vulnerability in Atlassian servers, tracked as CVE-2023-22518, to deploy a Linux variant of the Cerber (C3RB3R) ransomware, posing a significant risk to Confluence servers.

The vulnerability, rated CVSS 9.1, is an improper authorization flaw affecting all versions of Confluence Data Center and Server; exploitation by an unauthorized attacker can lead to substantial data loss.

Recent findings from Cado Security Labs document the deployment of Cerber ransomware on vulnerable Confluence servers via the CVE-2023-22518 exploit. This Linux variant of Cerber is relatively new and has so far been little analysed within the cybersecurity community.


The attackers gain initial access by exploiting the vulnerable Atlassian instances, then create admin accounts and use them to deploy the Effluence web shell plugin, which lets them execute arbitrary commands on the compromised servers.

Cerber ransomware, an older family that remains sophisticated, uses heavily obfuscated C++ payloads packed with UPX to evade detection by security software. Because the ransomware runs with the privileges of the “confluence” user, encryption is limited to files that user can write, which on a well-configured server means files owned by that user.


Upon execution, the Cerber payload contacts a command-and-control (C2) server to download and unpack further malicious payloads, ultimately encrypting files and appending a “.L0CK3D” extension. Along the way the malware logs its activity, searches for directories it can encrypt, drops ransom notes, and encrypts the files within the targeted directories.
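The behaviour described above leaves a file-system footprint that a responder can look for: files carrying the “.L0CK3D” extension, clustered in directories the “confluence” user can write to. The following script is an added example, not code from the article or from Cado Security Labs. It builds a constructed sample tree that imitates a partially encrypted Confluence data directory (the directory names and file contents are made up for the demo) and then scans it, reporting every encrypted file and every directory in which at least half of the regular files carry the extension. The 50% threshold is an assumption chosen for the example, not a figure from the report.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Extension the article reports the Cerber Linux variant appending to encrypted files.
CERBER_EXTENSION = ".L0CK3D"


def scan_for_cerber_artifacts(root, threshold=0.5):
    """Walk `root` and report Cerber-style encryption artefacts.

    Returns a dict with two sorted lists:
      encrypted_files: paths of regular files ending in CERBER_EXTENSION
      hit_dirs: directories where at least `threshold` of the regular files
                are encrypted (assumed heuristic for "directory was targeted")
    """
    root = Path(root)
    encrypted = []
    hit_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Only count regular files; symlinks and sockets are ignored.
        regular = [f for f in filenames if (here / f).is_file()]
        enc_here = [f for f in regular if f.endswith(CERBER_EXTENSION)]
        encrypted.extend(str(here / f) for f in enc_here)
        if regular and len(enc_here) / len(regular) >= threshold:
            hit_dirs.append(str(here))
    return {"encrypted_files": sorted(encrypted), "hit_dirs": sorted(hit_dirs)}


def build_sample_tree():
    """Create a constructed directory tree for the demo (not real Confluence data).

    'attachments' is partially encrypted; 'logs' is untouched.
    """
    base = Path(tempfile.mkdtemp(prefix="cerber-demo-"))
    attachments = base / "attachments"
    attachments.mkdir()
    for name in ("plan.docx.L0CK3D", "budget.xlsx.L0CK3D", "notes.txt"):
        (attachments / name).write_bytes(b"constructed sample content")
    logs = base / "logs"
    logs.mkdir()
    (logs / "atlassian-confluence.log").write_text("constructed log line\n")
    return base


def cleanup_sample_tree(base):
    """Remove the constructed tree once the demo is finished."""
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base = build_sample_tree()
    try:
        result = scan_for_cerber_artifacts(base)
        print("Encrypted files:")
        for path in result["encrypted_files"]:
            print("  ", path)
        print("Directories that look targeted:")
        for path in result["hit_dirs"]:
            print("  ", path)
    finally:
        cleanup_sample_tree(base)
```

On a real server the scan would be pointed at the Confluence home directory and any other path writable by the “confluence” user; a non-empty `hit_dirs` list is the signal to isolate the host and start restoring from backups rather than to touch the encrypted files.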

Despite the severity of the attack, well-configured systems with comprehensive, tested backups can limit the impact of Cerber ransomware and reduce the incentive for victims to pay the ransom.

The report concludes with indicators of compromise (IoCs) to help defenders identify and block this evolving threat.


Source: securityaffairs.com
