Cerber Linux Ransomware Exploits Atlassian Servers To Take Full Control

by Esmeralda McKenzie

Hackers commonly use Linux ransomware because of its prevalence in server environments. This type of ransomware offers higher potential payouts from organizations with critical data.

Cybersecurity analysts at Cado Security Labs recently analyzed the Linux variant of the Cerber ransomware, which is being deployed on Confluence servers through CVE-2023-22518, after receiving recent reports.

Unlike the well-covered Windows version, little is known about the Linux variant.

It consists of three highly obfuscated, 64-bit UPX-packed C++ ELF payloads, an older approach now that threat actors tend to prefer languages like Rust or Go.

Technical Analysis

The aging C++ payloads, nearly 8 years old and still receiving updates, show that the original language and tooling choices persist despite Cerber's declining activity since its 2016 peak.

While rare at present, the campaign leverages the widespread Confluence vulnerability for distribution.

Following an attacker's exploitation of CVE-2023-22518, researchers tracked Cerber ransomware instances on compromised Confluence servers.

Through an unsecured configuration restore endpoint that facilitates code execution and ransomware deployment, this recent flaw enables a threat actor to create a new administrator account.


Highlighting the potential for far broader encryption if higher-privileged access were obtained, the ransomware by default encrypts critical data but is limited to files owned by the "confluence" user.

Recreation of installing a web shell on a Confluence instance (Source – Cado Security)

Multiple Payloads

There are three payloads, and we have described them below:

Primary Payload

The primary Cerber payload is a highly obfuscated, UPX-packed C++ stager that connects to 45.145.6.112 to download and unpack additional components.

It creates a lock file at /var/lock/0init-ld.lo, pulls a "log checker" (agttydck) to /tmp/agttydck.bat, executes it passing /tmp and ck.log as arguments, then fetches and drops the encrypted encryptor (agttydcb) at /tmp/agttydcb.bat.

After agttydck finishes, the stager self-deletes if /tmp/ck.log exists.

It decodes agttydcb from the encoded file using an unknown mechanism and overwrites it on disk as an ELF executable, while itself still running in memory.

The stager's purpose is to prepare the environment for the more powerful encryptor payload.

Log Check Payload – Agttydck

The highly obfuscated, UPX-packed C++ "log checker" payload agttydck attempts to write "success" to a file path constructed from its arguments (e.g. /tmp/ck.log).

Its return code indicates whether the write succeeded or failed.

This likely tests file write permissions to determine whether the system is too locked down for the encryptor to operate correctly.

Running it in a separate process from the stager may also be an attempt to detect sandboxes with imperfect file handling, which would prevent the stager from seeing the log file creation.

Overall, agttydck serves as a simple permission and potential sandbox-checking mechanism before the final encrypted payload is deployed.

Encryptor – Agttydcb

The core agttydcb encryptor is a highly obfuscated, UPX-packed C++ payload that self-deletes, creates what appear to be debugging log files (/tmp/log.0 and /tmp/log.1), then spawns an encryption thread.

It traverses the filesystem from the root directory, dropping ransom notes in writable directories, before opening each file, reading it, encrypting it in memory, and overwriting the file's contents with the encrypted data plus a .L0CK3D extension.
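The three payload descriptions above (the stager's lock file and /tmp drops, the log checker's ck.log marker, the encryptor's log files and .L0CK3D extension, and the 45.145.6.112 download host) give a defender a concrete host-triage checklist. The script below is an added example, not code from the article or from Cado Security: it checks a filesystem root for those artifact paths, walks it for .L0CK3D files, and parses /proc/net/tcp for sockets pointing at the download host. It runs against a constructed throwaway directory (build_sample_tree and SAMPLE_PROC_NET_TCP are invented for the demonstration); pointing triage() at "/" and the real /proc/net/tcp runs the same checks on a live host.

```python
"""Host triage for the Cerber Linux artifacts described in the article.

Added example: the artifact paths, extension and address come from the article;
the sample directory tree and /proc/net/tcp text below are constructed for the demo.
"""
import os
import struct
import tempfile
from pathlib import Path

# Artifact paths quoted from the article, relative to the filesystem root.
KNOWN_ARTIFACTS = (
    "var/lock/0init-ld.lo",   # stager lock file
    "tmp/agttydck.bat",       # log checker dropped by the stager
    "tmp/agttydcb.bat",       # encrypted (later decoded) encryptor
    "tmp/ck.log",             # "success" marker written by the log checker
    "tmp/log.0",              # encryptor debug logs
    "tmp/log.1",
)
ENCRYPTED_EXT = ".L0CK3D"
C2_ADDRESS = "45.145.6.112"

# Constructed /proc/net/tcp excerpt: one local listener and one socket to the
# download host on port 443 (remote address is little-endian hex, as in the real file).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:9C40 7006912D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def find_artifacts(root="/"):
    """Return the known artifact paths that exist under root."""
    root = Path(root)
    return [str(root / rel) for rel in KNOWN_ARTIFACTS if (root / rel).exists()]


def find_encrypted_files(root="/", max_hits=100):
    """Walk root and return up to max_hits file paths carrying the .L0CK3D extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                hits.append(os.path.join(dirpath, name))
                if len(hits) >= max_hits:
                    return hits
    return hits


def _decode_proc_addr(hex_addr):
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field (little-endian IPv4) to ('a.b.c.d', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip_bytes = struct.pack("<I", int(ip_hex, 16))
    return ".".join(str(b) for b in ip_bytes), int(port_hex, 16)


def find_c2_connections(proc_net_tcp_text):
    """Return (remote_ip, remote_port) for every socket whose peer is the download host."""
    matches = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        remote_ip, port = _decode_proc_addr(fields[2])
        if remote_ip == C2_ADDRESS:
            matches.append((remote_ip, port))
    return matches


def triage(root="/", proc_net_tcp_path="/proc/net/tcp"):
    """Run all three checks and return a summary dict."""
    try:
        tcp_text = Path(proc_net_tcp_path).read_text()
    except OSError:
        tcp_text = ""
    return {
        "artifacts": find_artifacts(root),
        "encrypted_files": find_encrypted_files(root),
        "c2_connections": find_c2_connections(tcp_text),
    }


def build_sample_tree():
    """Construct a throwaway directory that mimics a compromised host (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="cerber-demo-"))
    (root / "tmp").mkdir()
    (root / "var" / "lock").mkdir(parents=True)
    (root / "tmp" / "agttydck.bat").write_bytes(b"")
    (root / "tmp" / "ck.log").write_text("success")
    (root / "var" / "lock" / "0init-ld.lo").write_bytes(b"")
    data = root / "home" / "confluence"
    data.mkdir(parents=True)
    (data / ("page.xml" + ENCRYPTED_EXT)).write_bytes(b"\x00encrypted\x00")
    (root / "proc_net_tcp").write_text(SAMPLE_PROC_NET_TCP)
    return root


def run_demo():
    """Build the sample tree and triage it; returns the summary dict."""
    root = build_sample_tree()
    return triage(root, root / "proc_net_tcp")


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host the artifact check and the .L0CK3D walk are the cheap, high-signal parts; the socket check only catches an active download, so it is worth pairing with egress logs for the same address. Note that all of these paths are attacker-controlled and trivially changed between samples, so treat a miss as "no evidence", not "clean".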

Ransom note by Cerber (Source – Cado Security)

Cerber is a ransomware that, despite its age, is still fairly sophisticated.

It is capable of exploiting the Confluence vulnerability to infiltrate a large number of potentially high-value systems.

However, it should be noted that the data it can encrypt is usually limited to the Confluence data only.


Source credit : cybersecuritynews.com
