SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story image

Cado Security unmasks Cerber ransomware threat to Confluence servers

Wed, 17th Apr 2024

Cado Security has revealed the findings of an extensive investigation into the Cerber ransomware being deployed onto servers running the Confluence application. The report, which uncovered a lesser-known Linux variant, provides significant insight into how attackers leveraged the recent CVE-2023-22518 exploit to breach Confluence.

The CVE-2023-22518 exploit involves a flaw in system authorisation that allows the attacker to reset the Confluence application and create a new administrative account. Once this account is established, it can facilitate the execution of malicious codes by uploading and installing a perilous module that provides a web UI capable of executing arbitrary commands on the host.

Cado Security Labs' research reveals that the primary payload is packed with UPX, similar to other payloads. Its main function is to establish the environment and grab further payloads for operation. It then reaches out to a (now defunct) C2 server, from where it retrieves the secondary payload, a log checker known as agttydck. Though the purpose of this checker is not explicitly clear, it's likely used to verify the writability of the 'tmp' directory and its ability to write, which could be a check to determine if the encryptor can function in a highly secure system.

The encryption phase is handled by agttydcb, whose principal task is to encrypt files on the filesystem. On choosing a file to encrypt, it opens a read-write file stream to the file. After reading the entire file, it encrypts the file in memory before overwriting the file with encrypted data, rendering the file fully encrypted.

This ransomware operates differently in a Linux environment. Instead of creating a new file and deleting the original, the encryptor rewrites the existing file. This is likely due to Linux directories possibly being set to append-only mode, preventing outright file deletion. Overwriting the file ensures that data recovery using advanced forensic tools is possibly made impossible.

The use of the Confluence vulnerability has enabled the ransomware to compromise a substantial number of potentially high-value systems. As organisations continue to grapple with the repercussions of this attack, security researchers are gaining deeper insights into the sophistication and adaptability of modern ransomware techniques.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X