Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Threat actors are actively targeting unpatched Atlassian servers using a critical security vulnerability known as CVE-2023-22518, which has a CVSS score of 9.1. This vulnerability affects the Atlassian Confluence Data Center and Server, allowing attackers to reset Confluence and create an administrator account without authentication. Once they gain this level of access, threat actors can assume control of the affected systems.

A notable aspect of these attacks is the deployment of Cerber ransomware also known as C3RB3R. Cloud security firm Cado reports that financially motivated cybercrime groups are exploiting the newly created admin accounts to install the Effluence web shell plugin. This plugin facilitates the execution of arbitrary commands on the compromised host, providing attackers with a pathway to deploy Cerber ransomware.

Security Officer Comments:
Cerber, written in C++, acts as a loader for additional C++ based malware. It retrieves these payloads from a command-and-control server and then removes its own presence from the infected system. The primary payload uses a script named "agttydck[.]bat," which downloads an encryptor. The encryptor then traverses the root directory, encrypting all contents with a .L0CK3D extension and leaving a ransom note in each directory. However, contrary to the claims in the note, there is no data exfiltration. The development comes amid the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been spotted targeting Windows and VMware ESXi servers.

Suggested Corrections:
For CVE-2023-22518:
Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or the latest version) below:

• 7.19.16
• 8.3.4
• 8.4.4
• 8.5.3
• 8.6.1

If unable to patch temporary mitigations can be found here: