Cerber Ransomware Operators Exploit Latest Atlassian Bug

Ransomware hackers have seized on an exploit of a recently disclosed zero-day vulnerability in Atlassian Confluence instances days after the company urged its customers to patch immediately.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

Security companies Rapid7 and GreyNoise said they began detecting on Sunday a surge in hacks exploiting a bug Atlassian described as an improper authorization vulnerability (see: Atlassian Urges Patching Against Data Loss Vulnerability).

The Australian content collaboration and management workspace developer on Monday elevated the bug’s criticality to 10, the maximum possible on the CVSS scale.

Researchers initially described the danger from the flaw, tracked as CVE-2023-22518, as data destruction. Multiple cybersecurity firms said hackers are using it to deploy Cerber ransomware.

Security volunteers from The DFIR Report said a group using the name “C3RB3R” in the ransom note had exploited the Atlassian bug.

Cerber was among the top three ransomware variants of 2021, along with Ryuk and SamSam, according to Proofpoint. The company counted 52.5 million Cerber attacks that year, second only to Ryuk’s 93.9 million. Whether those attacks came from the same criminal gang responsible for Cerber’s earlier prolific run is unknown, especially given the trend of ransomware hackers reusing stolen or leaked strains of ransomware (see: Why Criminals Keep Reusing Leaked Ransomware Builders).

The ransomware alarm came after researchers had detected hackers using a specially crafted .zip archive file to upload a web shell that “could allow for arbitrary remote code execution on the system in addition to wiping data from a Confluence instance,” cybersecurity firm Red Canary wrote.

The firm said hackers gained initial access to vulnerable Confluence instances and used PowerShell commands to download the Cerber ransomware executable from two internet protocol addresses. The executable is saved to the temp folder and run without displaying a window. VirusTotal recorded a submission of the ransomware binary on Nov. 1, suggesting attacks began within 24 hours of the vulnerability’s disclosure – before Atlassian warned on Nov. 3 about a publicly available exploit.

The Conti Connection

Red Canary’s analysis of the Cerber ransomware executable revealed connections to the now-defunct Conti ransomware group. It said the Cerber ransomware sample “was likely derived from materials exposed in the Conti ransomware leaks.”

The ransomware binary uses ChaCha stream chipper to encrypt files, which is consistent with the last known build of Conti using the same encryption algorithm. The binary contains the capability to use AES and RC4 for different encryption operations, similar to Conti’s capabilities. It also supports encrypting multiple file types on local drives as well as remote file shares. Conti code leaked online in 2022 as the group imploded amid internal dissension over its alignment with the Kremlin following Russia’s initiation of a war of conquest against Ukraine.

On execution, the binary encrypts files on local disks and in network shares, appends the .LOCK3D file extension, creates a mutex in memory, deletes volume shadow copies, drops ransom notes and then deletes itself, it added.

The ransomware binary creates a mutex hsfjuukjzloqu28oajh727190 object to ensure only one instance of the malware is running at a time. Researchers have previously discovered this particular mutex being shared across Conti samples and additional ransomware families. It allegedly is derived from leaked Conti code.