Critical Flaw in Atlassian Products Exploited to Deliver Cerber Ransomware to Linux Machines

VTA-004482 – Critical Flaw in Atlassian Products Exploited to Deliver Cerber Ransomware to Linux Machines

Hackers are taking advantage of vulnerabilities in outdated Atlassian software to install a version of Cerber ransomware designed for Linux systems. This ransomware, also known as C3RB3R, can encrypt important files on the affected servers.

The attacks utilize CVE-2023-22518, a critical security flaw affecting Atlassian Confluence Data Center and Server. This vulnerability, with a CVSS score of 9.1, enables an unauthorized attacker to reset Confluence and establish an administrator account. With this level of access, a malicious actor could effectively control compromised systems, resulting in a complete compromise of confidentiality, integrity, and availability.

Researchers have noted that financially motivated cybercrime groups are exploiting the newly established admin account to install the Effluence web shell plugin. This plugin enables the execution of arbitrary commands on the host, further facilitating unauthorized activities. The attacker employs a web shell to download and execute the main Cerber ransomware payload. In a default installation, the Confluence application runs as the ‘confluence’ user, which has limited privileges. Therefore, the ransomware can only encrypt files owned by the confluence user.

The primary payload, written in C++, serves as a loader for other C++-based malware. It retrieves these additional malware components from a command-and-control (C2) server. After executing the additional malware, the primary payload erases its own presence from the infected host. The malware includes a file named “agttydck.bat,” which is used to download another file called “agttydcb.bat.” This second file is the encryptor and is launched by the primary payload. It’s believed that agttydck functions as a kind of permission checker for the malware, checking its ability to write to a specific file (/tmp/ck.log). The exact purpose of this check is not fully understood.

The encryptor, agttydcb.bat, scans the root directory and encrypts all its contents, adding a .L0CK3D extension to each file. Additionally, it places a ransom note in each directory. However, despite claims in the note, no data is actually exfiltrated from the compromised system.

Cerber ransomware is considered relatively sophisticated, although it is aging. By exploiting the Confluence vulnerability, attackers can compromise a significant number of potentially high-value systems. However, the data that Cerber can encrypt is typically limited to Confluence data. In well-configured systems, this data is often backed up. This limitation significantly reduces the ransomware’s effectiveness in extorting money from victims, as there is less incentive to pay the ransom when data can be restored from backups.
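
The host artifacts described above (the .L0CK3D extension, the agttydck.bat and agttydcb.bat files, and /tmp/ck.log) can be checked for when triaging a Confluence server. The Python script below is an added example, not part of the original advisory or the cited research; the function names, the skipped pseudo-filesystems and the reporting of owner UIDs are assumptions of this example.

```python
import os
import sys
from collections import Counter

LOCKED_EXT = ".L0CK3D"                             # extension appended by the encryptor
PAYLOAD_NAMES = {"agttydck.bat", "agttydcb.bat"}   # file names given in the advisory
CHECK_LOG = os.path.join("tmp", "ck.log")          # /tmp/ck.log, relative to the scan root
SKIP_DIRS = {"/proc", "/sys", "/dev"}              # pseudo-filesystems (assumption: not useful here)


def triage(root="/"):
    """Walk `root` and collect the Cerber artifacts the advisory describes."""
    found = {"locked_by_dir": Counter(), "locked_owner_uids": Counter(),
             "payloads": [], "check_log": None}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(LOCKED_EXT):
                found["locked_by_dir"][dirpath] += 1
                try:
                    # Owner UID shows whether damage is confined to the
                    # low-privilege Confluence service account.
                    found["locked_owner_uids"][os.lstat(path).st_uid] += 1
                except OSError:
                    pass  # file vanished or unreadable; the per-directory count stands
            elif name in PAYLOAD_NAMES:
                found["payloads"].append(path)
    check_log = os.path.join(root, CHECK_LOG)
    if os.path.lexists(check_log):
        found["check_log"] = check_log
    return found


def is_suspicious(found):
    """True if any artifact was seen. The primary payload erases itself,
    so a clean result does not rule out compromise."""
    return bool(found["locked_by_dir"] or found["payloads"] or found["check_log"])


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else "/")
    for directory, count in result["locked_by_dir"].most_common(20):
        print(f"{count:6d} encrypted files in {directory}")
    print("owner UIDs of encrypted files:", dict(result["locked_owner_uids"]))
    print("payload files:", result["payloads"] or "none found")
    print("permission-check log:", result["check_log"] or "not present")
    sys.exit(1 if is_suspicious(result) else 0)
```

Pass a mount point as the first argument to scan a forensic image or snapshot instead of the live root; the exit status is 1 when any artifact is found.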

Severity:
Medium

Attack Surfaces:
Cloud Service, Endpoint OS, Server OS, Web Application

Indicator of Compromise:
https://otx.alienvault.com/pulse/66226ea79174045b03d38a29

References:
1. https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads

SuperPRO’s Threat Countermeasures Procedures: 
1. Install the security update provided by Atlassian to fix the vulnerability.
2. Run a trusted security solution on devices for extra protection.
3. Reset the account credentials to prevent unauthorized access.
4. Enable multi-factor authentication for an extra layer of protection.

Contributed by: Varrumen