"Linux Cerber Ransomware Variant Exploits Atlassian Servers"

Security researchers have observed threat actors exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber ransomware, also known as C3RB3R. The attacks target CVE-2023-22518, a critical vulnerability in Atlassian Confluence Data Center and Server that lets an unauthenticated attacker reset Confluence and create an administrator account. The flaw therefore allows threat actors to take control of affected systems, with a risk of loss of confidentiality, integrity, and availability. Financially motivated cybercrime groups use the newly created admin account to install the Effluence web shell plugin, which gives them arbitrary command execution.

The core component of the ransomware, written in C++, acts as a carrier for additional malicious software, also written in C++, which it fetches from a central server controlled by the attackers. Once that task is complete, the main ransomware component deletes itself from the system. Two further components are involved: one checks whether the ransomware has the permissions it needs, and the other encrypts files on the host, rendering them inaccessible until a ransom is paid. Researchers noted that, despite the claims in the ransom note, no data exfiltration takes place.
Infosecurity Magazine reports: "Linux Cerber Ransomware Variant Exploits Atlassian Servers"

Submitted by Adam Ekwall on