C3RB3R Ransomware | Ongoing Exploitation of CVE-2023-22518 Targets Unpatched Confluence Servers 

SentinelOne is tracking ongoing exploitation of CVE-2023-22518 against Atlassian Confluence Data Center and Server to deploy Cerber (C3RB3R) ransomware on Windows and Linux. The campaigns abuse the vulnerability to create a backdoor admin account, use web shells and PowerShell to deploy multi-stage payloads, encrypt data, and demand payment through a Tor-based portal. #C3RB3R #Cerber #CVE-2023-22518 #Confluence #web.shell.Plugin #WMIC #ShadowCopy #Tor #qnetd

Key points

  • The vulnerability CVE-2023-22518 is an improper authorization flaw in Confluence Data Center/Server enabling an unauthenticated attacker to create a backdoor administrator account.
  • Cerber (C3RB3R) ransomware campaigns observed on both Windows and Linux target compromised Confluence instances to deploy the ransomware payload.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “improper authorization vulnerability of all versions of Atlassian’s Confluence Data Center and Server which allows for an unauthenticated remote attacker to create a backdoor administrator account for an exposed Confluence instance.”
  • [T1136.001] Create Account – “they are able to create an administrative account on the instance.”
  • [T1505.003] Web Shell – “the malicious plugin named web.shell.Plugin.”
  • [T1059.001] PowerShell – “Threat actors deploy PowerShell scripts to identify whether or not to use an available proxy server for the Confluence server communications.”
  • [T1105] Ingress Tool Transfer – “Python scripts are responsible for downloading an appropriate version of qnetd, which in turn downloads and executes the final C3RB3R malware payload.”
  • [T1027] Obfuscated/Compressed Files and Information – “base64 encoded command… decodes to: echo -n http[:]//193[.]176.179.41/agae > /tmp/lru.”
  • [T1490] Inhibit System Recovery – “The ransomware will attempt to remove VSS (Volume Shadow Copies) via WMIC.EXE for each identified shadow copy.”
  • [T1486] Data Encrypted for Impact – “Encrypted files are modified with the .L0CK3D extension.”

Indicators of Compromise

  • [SHA1] Executables – 1243e256f9e806652ba8e719273494f84795bbfe, 2c3b2a6e741cb5d3be7299de007983f1f86c0ef5, and 4 more hashes
  • [Network] Domain/IPs – 45.145.6.112, 193.43.72.11, and onion domain j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad.onion
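The MITRE techniques and indicators above translate directly into host- and network-log hunting rules. The following Python script is an added example, not code from the SentinelOne report: it scans log lines for the page's indicators (the web.shell.Plugin name, WMIC shadow copy deletion, the .L0CK3D extension, the listed SHA1 hashes, IPs and onion domain), and also decodes base64 tokens so the T1027-style encoded stager command is caught even though its IP never appears in cleartext. The log lines, the timestamps, the `admin2` user, the file paths and the host names in SAMPLE_LOGS are constructed for the demonstration.

```python
"""Hunt for C3RB3R / CVE-2023-22518 post-exploitation indicators in log text."""
import base64
import re

# Indicator values as given in the summary above (page values, not constructed).
KNOWN_IPS = {"45.145.6.112", "193.43.72.11", "193.176.179.41"}
KNOWN_ONION = "j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad.onion"
KNOWN_SHA1 = {
    "1243e256f9e806652ba8e719273494f84795bbfe",
    "2c3b2a6e741cb5d3be7299de007983f1f86c0ef5",
}
WEB_SHELL_PLUGIN = "web.shell.Plugin"   # T1505.003
ENCRYPTED_EXT = ".L0CK3D"               # T1486

_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
_SHA1 = re.compile(r"\b[0-9a-f]{40}\b")
_WMIC_VSS = re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)  # T1490


def refang(text: str) -> str:
    """Normalise defanged notation (193[.]176.179.41, http[:]//) before matching."""
    return text.replace("[.]", ".").replace("[:]", ":")


def decoded_base64_blobs(text: str) -> list[str]:
    """Return printable decodings of base64-looking tokens (unmasking T1027)."""
    blobs = []
    for tok in _B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary content: ignore
        if all(c.isprintable() or c.isspace() for c in decoded):
            blobs.append(decoded)
    return blobs


def scan_line(line: str) -> list[str]:
    """Return the names of every rule the line triggers, in a fixed order."""
    text = refang(line)
    hits = []
    if any(ip in text for ip in KNOWN_IPS) or KNOWN_ONION in text:
        hits.append("known_c2_indicator")
    # The encoded stager only reveals its download host after decoding.
    if any(any(ip in blob for ip in KNOWN_IPS) for blob in decoded_base64_blobs(text)):
        hits.append("base64_hidden_c2")
    if WEB_SHELL_PLUGIN in text:
        hits.append("web_shell_plugin")
    if _WMIC_VSS.search(text):
        hits.append("shadow_copy_deletion")
    if ENCRYPTED_EXT in text:
        hits.append("l0ck3d_extension")
    if any(h in KNOWN_SHA1 for h in _SHA1.findall(text.lower())):
        hits.append("known_sha1")
    return hits


def scan_lines(lines) -> dict[str, list[int]]:
    """Map each triggered rule to the indices of the lines that triggered it."""
    report: dict[str, list[int]] = {}
    for idx, line in enumerate(lines):
        for rule in scan_line(line):
            report.setdefault(rule, []).append(idx)
    return report


# Constructed sample logs. The decoded stager text is the one quoted in the summary;
# everything else (timestamps, user name, paths, internal hosts) is made up.
_STAGER = "echo -n http://193.176.179.41/agae > /tmp/lru"
_ENCODED = base64.b64encode(_STAGER.encode()).decode()
SAMPLE_LOGS = [
    "2023-11-03T10:01:12 confluence plugin-manager: installed plugin web.shell.Plugin by user admin2",
    "2023-11-03T10:02:40 auditd: sh -c 'echo " + _ENCODED + " | base64 -d | sh'",
    "2023-11-03T10:03:05 sysmon: C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete",
    "2023-11-03T10:03:07 fim: rename C:\\Users\\finance\\Q3.xlsx -> C:\\Users\\finance\\Q3.xlsx.L0CK3D",
    "2023-11-03T10:04:00 proxy: CONNECT 45.145.6.112:443 from 10.0.0.5",
    "2023-11-03T10:05:00 edr: file sha1=1243e256f9e806652ba8e719273494f84795bbfe path=/tmp/qnetd",
    "2023-11-03T10:06:00 sshd: Accepted publickey for deploy from 10.0.0.9",
]

if __name__ == "__main__":
    for rule, indices in scan_lines(SAMPLE_LOGS).items():
        print(f"{rule}: lines {indices}")
```

Feed it real Confluence, auditd, Sysmon or proxy exports one line at a time; the `base64_hidden_c2` rule is the one plain string matching misses, and `shadow_copy_deletion` and `l0ck3d_extension` fire late in the chain, so a hit on `web_shell_plugin` or `known_c2_indicator` is the point at which containment still prevents encryption.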

Read more: https://www.sentinelone.com/blog/c3rb3r-ransomware-ongoing-exploitation-of-cve-2023-22518-targets-unpatched-confluence-servers/