Cerber ransomware has resurfaced with new attack tactics. This time, it has been observed attempting to exploit remote code execution vulnerabilities in Atlassian Confluence and GitLab servers.
Cerber's Name Reappears
Cerber ransomware has been targeting victims all over the world since last month. The ransomware operators were discovered to be employing both Windows and Linux encryptors.
- The new ransomware variant contains no code from the previous family. It makes use of the Crypto++ library, whereas the older variant makes use of the Windows CryptoAPI libraries.
- The code differences and the absence of Linux variants in older versions suggest that a new threat actor may have begun using the older versions' name, Tor payment site, and ransom note.
- The new version adds the .locked extension and creates ' $$RECOVERY README$$ .html' ransom notes.
- Following successful infection, the new Cerber ransomware group demands a ransom of $1,000 to $3,000 from victims.
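The two file indicators above can be turned into a quick triage sweep of a server's data directories. The following is an added example, not code from the original article: it counts `.locked` files and ransom notes per directory and rates a directory "high" only when both occur together, since `.locked` on its own is a generic extension. The exact separator characters in the note name are an assumption, so the pattern is deliberately tolerant, and the sample tree is constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Tolerant match for the note name: "$$RECOVERY", an optional separator,
# "README$$", then ".html" (separator characters are an assumption).
NOTE_RE = re.compile(r"\$\$RECOVERY[ _-]?README\$\$.*\.html$", re.IGNORECASE)
LOCKED_EXT = ".locked"

def scan(root):
    """Return {directory: {"locked": count, "notes": [names]}} for hits under root."""
    hits = defaultdict(lambda: {"locked": 0, "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(LOCKED_EXT):
                hits[dirpath]["locked"] += 1
            elif NOTE_RE.search(name):
                hits[dirpath]["notes"].append(name)
    return dict(hits)

def classify(hits):
    """Rate each directory: note plus locked files is high, note alone medium, else low."""
    verdict = {}
    for directory, h in hits.items():
        if h["notes"] and h["locked"]:
            verdict[directory] = "high"
        elif h["notes"]:
            verdict[directory] = "medium"
        else:
            verdict[directory] = "low"
    return verdict

def build_sample(root):
    """Create a constructed sample tree (not real incident data)."""
    layout = {
        "wiki": ["page1.docx.locked", "page2.xml.locked",
                 "__$$RECOVERY_README$$__.html"],  # constructed note name
        "build": ["cache.locked"],                 # benign look-alike
        "clean": ["readme.html"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for directory, level in sorted(classify(scan(tmp)).items()):
            print(f"{level:6} {directory}")
```

A "high" directory is a reason to isolate the host and start incident response; "low" hits usually turn out to be unrelated lock files.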
New Attack Strategies
The new attack targets servers by exploiting newly disclosed vulnerabilities in GitLab and Atlassian Confluence.
- Cerber takes advantage of a remote code execution vulnerability in GitLab's ExifTool component. The vulnerabilities are CVE-2021-22205 (improper image file validation in GitLab) and CVE-2021-26084 (an OGNL injection vulnerability in Confluence).
- The flaws can be exploited remotely without requiring authentication.
- Furthermore, both vulnerabilities have publicly disclosed proofs of concept, allowing attackers to easily target servers.
The Countries Targeted
The most recent attacks have primarily targeted the United States, Germany, and China. They have even targeted Russia, demonstrating that they are not targeting any specific region.
Cybercriminals are always looking for exploitable flaws in popular enterprise software. As a result, the best defense against the recent Cerber attacks is to install the security updates for Atlassian Confluence and GitLab.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/