Atlassian Confluence Hit by Cerber Ransomware! 💻🔒

Introduction: Atlassian Confluence Linux Instances Targeted with Cerber Ransomware

A critical vulnerability in Atlassian Confluence Data Center and Server has allowed attackers to deploy a Linux variant of Cerber ransomware, according to researchers. The vulnerability, tracked as CVE-2023-22518, was first patched on October 31, 2023, but attackers have continued to exploit it to deploy the ransomware. CVE-2023-22518 enables an unauthenticated attacker to reset a vulnerable instance and create a new administrator account, which can then be used to install additional modules and achieve arbitrary code execution on the system.

Cerber ransomware has been in use for eight years, and its exploitation of CVE-2023-22518 was first confirmed last November. Researchers have observed both Windows and Linux variants of the malware being deployed, and vulnerable instances are still being targeted six months later. The Cerber ransomware family remains in use, and its deployment via the Atlassian Confluence vulnerability highlights the importance of promptly patching known vulnerabilities.

Key Takeaways

  • A critical vulnerability in Atlassian Confluence Data Center and Server has enabled attackers to deploy a Linux variant of Cerber ransomware.
  • The vulnerability, tracked as CVE-2023-22518, was first patched on October 31, 2023, but attackers have continued to exploit it to deploy the ransomware.
  • The Cerber ransomware family remains in use, and its deployment via the Atlassian Confluence vulnerability highlights the importance of promptly patching known vulnerabilities.

‘3-headed’ Cerber downloads malicious files, checks system and encrypts files

The Cerber ransomware attack, which exploits Atlassian Confluence CVE-2023-22518, is a three-stage attack. The payloads used in the attack are written in C++, are highly obfuscated, and are packed with UPX, which lets them unpack themselves in memory and evade static detection on disk.

The first payload connects to the attacker's command and control (C2) server to download the second payload, agttydck. This second payload performs a log check, most likely to detect sandboxing and to confirm the permission level it is running with. If the check passes, the initial payload installs the encryptor, agttydck, and then deletes itself.
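Because the article notes that all three payloads are UPX-packed ELF binaries, a first triage step on a suspect Confluence host is to look for packed executables in writable locations. The following is an added example, not code from the article or from the researchers it cites: it walks a directory, flags files that start with the ELF magic and contain the ASCII marker "UPX!" that the UPX packer leaves in its output, and builds a small constructed sample tree so it can be run offline. The file names in the sample tree are invented for the demo; a UPX hit is a reason to look closer, not proof of malice, since legitimate software is sometimes UPX-packed as well.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF file
UPX_MARKER = b"UPX!"     # ASCII tag UPX embeds in packed images


def classify_elf(path):
    """Return 'upx-packed', 'elf' or 'other' for the file at `path`.

    A plain substring search for the UPX tag is a cheap first-pass signal that
    works even when the unpacked code is obfuscated, because the tag sits in
    the packer's own stub rather than in the payload.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(ELF_MAGIC):
        return "other"
    if UPX_MARKER in data:
        return "upx-packed"
    return "elf"


def find_packed_elfs(root):
    """Walk `root` and return sorted paths of regular files that look like
    UPX-packed ELF binaries. Symlinks and unreadable files are skipped."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                if classify_elf(full) == "upx-packed":
                    hits.append(full)
            except OSError:
                continue   # permission denied etc.; keep scanning
    return sorted(hits)


def build_sample_tree():
    """Constructed sample (not a real malware sample): one fake packed ELF,
    one plain ELF and one text file, so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="confluence-triage-")
    Path(root, "tmp").mkdir()
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64
    Path(root, "tmp", "dropper").write_bytes(header + UPX_MARKER + b"\x00" * 32)
    Path(root, "tmp", "plain").write_bytes(header)
    Path(root, "tmp", "notes.txt").write_text("nothing to see here")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_packed_elfs(sample_root):
        print("possible UPX-packed ELF:", hit)
```

On a real host you would point `find_packed_elfs` at the directories the Confluence service account can write to rather than at a temporary sample tree, and treat the output as a list of files to hash and inspect, not as a verdict.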

The encryptor associated with Cerber ransomware systematically traverses the root file system to encrypt directories, appending the .L0CK3D extension to encrypted files. However, agttydck is only able to encrypt files owned by the low-privilege, default “confluence” user, limiting the potential impact. In well-configured instances, these files are automatically backed up, further limiting the impact of the attack.
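Two facts in the paragraph above are directly checkable on a host: encrypted files carry the .L0CK3D suffix, and the encryptor can only touch files the low-privilege "confluence" account is allowed to modify. The following is an added example, not code from the article or from Cado Security; it also serves the later FAQ question about signs of compromise. It walks a directory tree and reports two lists: files already carrying the .L0CK3D suffix, and the remaining regular files that a process running as a given uid could modify, which is the encryptor's blast radius under this privilege model. The sample tree it builds is constructed for the demo (the Confluence home path is assumed, and the ransom note's file name is not given in the article, so no note is modelled). Ownership checks use plain mode bits; POSIX ACLs and root's bypass of those bits are out of scope.

```python
import os
import stat
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".L0CK3D"   # extension appended by the Cerber encryptor


def writable_by(st, uid, gids):
    """Could a process running as `uid` (member of groups `gids`) modify a
    file with stat result `st`? Owner, group and other write bits only."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def triage(root, uid=None, gids=None):
    """Walk `root` and return {'encrypted': [...], 'exposed': [...]}.

    encrypted: regular files already renamed with the .L0CK3D suffix
    exposed:   other regular files that `uid` could still modify, i.e. what
               a low-privilege encryptor running as that account could reach
    Defaults to the calling process's own uid and groups.
    """
    if uid is None:
        uid = os.getuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}
    encrypted, exposed = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue   # skip symlinks, sockets, devices
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
            elif writable_by(st, uid, set(gids)):
                exposed.append(full)
    return {"encrypted": sorted(encrypted), "exposed": sorted(exposed)}


def build_sample_tree():
    """Constructed sample tree, not data from a real incident: a Confluence
    home (assumed path) with two already-encrypted files and one untouched
    file, plus a read-only file the service account could not modify."""
    root = tempfile.mkdtemp(prefix="confluence-home-")
    home = Path(root, "var", "atlassian", "application-data", "confluence")
    (home / "attachments").mkdir(parents=True)
    (home / "confluence.cfg.xml.L0CK3D").write_bytes(b"\x00" * 16)
    (home / "attachments" / "report.pdf.L0CK3D").write_bytes(b"\x00" * 16)
    (home / "logs.txt").write_text("still plaintext")
    locked = Path(root, "system.conf")
    locked.write_text("read-only for everyone")
    locked.chmod(0o444)   # no write bit set for owner, group or other
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted file(s), "
          f"{len(result['exposed'])} still exposed to this uid")
    for path in result["encrypted"]:
        print("  encrypted:", path)
    for path in result["exposed"]:
        print("  exposed:  ", path)
```

Run against the real Confluence home as the service account, the "exposed" list is also a useful pre-incident check: anything on it that has no backup is what a repeat of this attack would cost you, and anything on it that does not need to be writable by the service account is a candidate for tightening.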

Cerber drops a ransom note that threatens to sell the victim's data on the dark web, but there is no evidence that the Cerber variant exfiltrated any data from the affected instance.

GreyNoise detected 30 IPs targeting CVE-2023-22518 over the last 30 days. This vulnerability was also one of several targeted in a campaign discovered by Sysdig to infiltrate networks by misusing an open-source penetration testing tool known as SSH-Snake.

Cado Security reports that the C2 server discovered in their research is now defunct.

Conclusion and Personal Recommendation

In conclusion, the recent attack on Atlassian Confluence Linux instances using Cerber ransomware has highlighted the importance of keeping software up to date and implementing proper security measures. It is critical for organizations to ensure that all software vulnerabilities are patched promptly to prevent exploitation by cybercriminals.

To minimize the risk of such attacks, it is recommended that organizations implement multi-factor authentication, use strong passwords, and restrict access to sensitive information. Additionally, regular backups of critical data should be taken and stored in a secure location.

It is also important for organizations to have an incident response plan in place in case of a ransomware attack. This plan should include steps for isolating infected systems, notifying relevant parties, and restoring data from backups.

Overall, the recent attack on Atlassian Confluence serves as a reminder of the importance of cybersecurity and the need for organizations to take proactive measures to protect their data and systems from cyber threats.

Frequently Asked Questions

How to Secure Atlassian Confluence Linux Instances Against Cerber Ransomware Attacks?

To secure Atlassian Confluence Linux instances against Cerber ransomware attacks, users should apply the latest security patches provided by Atlassian. Additionally, users should make sure that their instances are not exposed to the internet without proper security measures in place. It is also recommended to restrict access to the Confluence server to only authorized personnel, and to use strong passwords and two-factor authentication.

What Are the Signs that a Confluence Server Has Been Compromised by Cerber Ransomware?

The signs of a Confluence server being compromised by Cerber ransomware include encrypted files and ransom notes left by the attackers. Users may also notice that they are unable to access their Confluence server or that the server is running slower than usual.

What Steps Should Be Taken If a Confluence Linux Instance Is Infected with Cerber Ransomware?

If a Confluence Linux instance is infected with Cerber ransomware, users should immediately disconnect the affected server from the network to prevent further spread of the malware. Users should also contact their IT department or a cybersecurity professional to assess the extent of the damage and determine the best course of action.

Are There Any Specific Vulnerabilities in Confluence that Cerber Ransomware Exploits?

Cerber ransomware exploits a critical security vulnerability in Atlassian Confluence Data Center and Server, tracked as CVE-2023-22518. This vulnerability is an improper authorization issue that can lead to unauthorized access to the Confluence server. Atlassian has released a patch for this vulnerability, and users are advised to apply it as soon as possible.

How Does Cerber Ransomware Impact the Functionality of Atlassian Confluence?

Cerber ransomware can encrypt files on the Confluence server, making them inaccessible to users. This can severely impact the functionality of the Confluence server and disrupt business operations. Additionally, the ransomware may leave behind ransom notes and other malicious files that can further compromise the server.

What Mitigation Strategies Are Recommended by MITRE for Cerber Ransomware on Confluence Servers?

MITRE recommends several mitigation strategies for Cerber ransomware on Confluence servers, including applying the latest security patches, restricting access to the server, and using strong passwords and two-factor authentication. Additionally, users should regularly back up their data and test their backups to ensure that they are recoverable in the event of a ransomware attack.
