Atlassian Confluence Linux instances targeted with Cerber ransomware  

A critical vulnerability in Atlassian Confluence Data Center and Server was used to deploy a Linux variant of Cerber ransomware, researchers revealed Wednesday.

Attackers exploited the improper authorization vulnerability tracked as CVE-2023-22518, which was first patched on Oct. 31, 2023, to drop an Effluence web shell plugin that ultimately enabled the execution of Cerber, researchers from Cado Security Labs reported in a blog post.

CVE-2023-22518 was initially assigned a CVSS score of 9.1, but escalated to a maximum severity of 10 by Atlassian following active exploitation of the bug in the week after its disclosure.

The flaw enables an unauthenticated attacker to craft a malicious request to the “setup-restore” endpoint of a vulnerable instance that enables them to reset the instance and create a new administrator account.

With administrator access, the attacker can then install additional modules, such as the Effluence web shell, to achieve arbitrary code execution on the system.

Cerber ransomware exploitation of CVE-2023-22518 was first confirmed last November by researchers at Rapid7, which observed both Windows and Linux variants of the malware being deployed. Cado Security’s research shows vulnerable instances are still being targeted six months later, and that the Cerber ransomware family remains in use eight years after its discovery.

‘3-headed’ Cerber downloads malicious files, checks system and encrypts files

The most recent Cerber ransomware exploitation of Atlassian Confluence CVE-2023-22518 was described in detail by the Cado Security researchers. The attack occurs in three stages, similar to the three heads of the ransomware family’s namesake.

All the payloads involved in the attack are written in C++, are highly obfuscated and are packed with UPX (Ultimate Packer for Executables), which allows them to be unpacked in memory to avoid detection.

The initial payload connects to the attacker’s command and control (C2) server to download the second payload, agttydck, which performs a log check, likely to check for sandboxing and permission levels. If the check is successful, the initial payload installs the encryptor, agttydck, and deletes itself.

The encryptor walks through the root file system to locate directories to encrypt and overwrites the files in the directories with the encrypted content, appending the .L0CK3D extension to encrypted files. However, agttydck is only able to encrypt files owned by the low-privilege, default “confluence” user, limiting the potential impact, especially in well-configured instances where these files are automatically backed up.

Cerber drops a ransom note that threatens to sell the victim’s data on the dark web, but the researchers found no evidence that the Cerber variant exfiltrated any data from the affected instance.

SC Media reached out to an Atlassian spokesperson to inquire about the estimated number of instances that remain vulnerable to CVE-2023-22518, and the potential impact of encrypting files owned by the “confluence” user and did not receive a response by time of publishing.

GreyNoise, which tracks malicious IPs attempting to exploit vulnerabilities, detected 30 IPs targeting CVE-2023-22518 over the last 30 days.

CVE-2023-22518 was also one of several vulnerabilities targeted in a campaign discovered by Sysdig to infiltrate networks by misusing an open-source penetration testing tool known as SSH-Snake.

Cado Security reports that the C2 server discovered in their research is now defunct.