Cerber2021 ransomware has resurfaced, delivered through exploitation of known vulnerabilities in unpatched Confluence and GitLab servers; once deployed it encrypts files on Windows and Linux hosts and directs victims to a Tor-based ransom site. The analysis details the file encryption behavior, anti-forensics steps, the Linux variant, and defender recommendations, highlighting CVE-2022-26134 and related Confluence/GitLab vulnerabilities. #Cerber2021 #CerberImposter #CVE-2022-26134 #Confluence #Gitlab
Keypoints
- Cerber2021 ransomware was observed being delivered by exploiting a Confluence OGNL injection vulnerability (CVE-2022-26134) to take control of unpatched servers and deploy Cerber2021.
- Exploitation allowed attackers to create new admin accounts and run arbitrary code on a Confluence server to deliver the ransomware.
- Cerber2021 targets both Windows and Linux, with Linux supplied as a 64-bit UPX-packed ELF binary; encryption uses the Crypto++ library in the Windows variant.
- The malware checks for mutex strings to avoid reinfection and encrypts files across system drives (C: to Z:) with a long list of targeted extensions, appending .locked to encrypted files.
- The ransomware generates a Tor onion payment site URL containing a dynamic key and drops a ransom note (__$$RECOVERY_README$$__.html) demanding payment of 0.068 BTC within 5 days, after which the price doubles.
- To remove traces, the malware self-deletes via ShellExecuteA after infection; the attacker relies on Tor for ransom communications.
- Defender recommendations emphasize applying Atlassian Confluence security updates, regular backups, automatic updates, antivirus protection, and network segmentation.
MITRE Techniques
- [T1204] User Execution – The attack sequence involves attackers exploiting a vulnerability to deliver Cerber2021 and “running arbitrary code on a Confluence server to deliver Cerber2021 ransomware.”
- [T1082] System Information Discovery – The ransomware “checks the system drive from ‘C:’ to ‘Z:’ in the victim’s machine” to determine where to operate.
- [T1083] File and Directory Discovery – It “encrypts files present in the identified drives” and targets files by a listed set of extensions.
- [T1490] Inhibit System Recovery – The attack encrypts data to impact availability, as shown by the overall encryption behavior described.
- [T1486] Data Encrypted for Impact – Files are encrypted across Windows and Linux, with extensions like .locked added to the filenames.
- [T1070] Indicator Removal on Host – The malware performs self-deletion after infection via “ShellExecuteA” to remove its binary while leaving encrypted files and ransom note behind.
Indicators of Compromise
- [File Hashes] – Sample 1 (MD5 / SHA1 / SHA256): f40eb8db16cbc2ac5a69fc854ab4876c / 0fc7472537b4991b6a52e56b7eaad73ab356522e / f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf.
- [File Hashes] – Sample 2 (MD5 / SHA1 / SHA256): 02e99ee58ee459394afec7b0777a92db / 6e9b7ca0e7442ce9ba91f6fb8eb4313050a9c3b7 / 46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb.
- [File Hashes] – Sample 3 (MD5 / SHA1 / SHA256): 714df70866e61f3c527489a51b286e88 / 3a951dd09d37b1ce59b7f6aeb7c704c91283f865 / 079987319655417735ed9b0359a6d8b46532cc38e68b75383c4c87227815bca4.
- [URL] – A Tor .onion payment site URL used by the ransom operation is listed among the original report's indicators.
- [File Name] – Ransom note file: __$$RECOVERY_README$$__.html shown to victims to initiate payment through Tor.
- [File Extension] – Encrypted files carry the .locked extension (e.g., examplefile.txt.locked) on Windows victims.
- [File Type] – 32-bit Windows executable (GUI-based binary) and 64-bit Linux ELF (UPX-packed) binaries observed as the payloads.
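The behavior in the keypoints (ransom note drop, the .locked suffix on encrypted files) and the hashes above can be turned into a simple host sweep. The following is an added example, not code from the Cyble report: a read-only scan that walks a directory tree and reports the ransom note by name, files carrying the .locked suffix, and any file whose MD5/SHA1/SHA256 matches the hashes this page lists. The function and parameter names (`sweep`, `summarize`, `known_hashes`, `max_hash_bytes`) are my own; the hash values, note name and suffix are the page's.

```python
"""Added example: read-only IoC sweep for the Cerber2021 artefacts listed on this page."""
import hashlib
import os
from collections import Counter
from pathlib import Path

# Sample hashes quoted in the Indicators of Compromise section (MD5, SHA1, SHA256).
CERBER2021_HASHES = frozenset({
    "f40eb8db16cbc2ac5a69fc854ab4876c",
    "0fc7472537b4991b6a52e56b7eaad73ab356522e",
    "f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf",
    "02e99ee58ee459394afec7b0777a92db",
    "6e9b7ca0e7442ce9ba91f6fb8eb4313050a9c3b7",
    "46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb",
    "714df70866e61f3c527489a51b286e88",
    "3a951dd09d37b1ce59b7f6aeb7c704c91283f865",
    "079987319655417735ed9b0359a6d8b46532cc38e68b75383c4c87227815bca4",
})
RANSOM_NOTE_NAME = "__$$RECOVERY_README$$__.html"   # ransom note file name from the page
ENCRYPTED_SUFFIX = ".locked"                        # suffix appended to encrypted files


def file_hashes(path):
    """Return the MD5, SHA1 and SHA256 hex digests of one file, read in 1 MiB chunks."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}


def sweep(root, known_hashes=CERBER2021_HASHES, max_hash_bytes=64 * 1024 * 1024):
    """Walk `root` and return a list of (category, path) findings.

    Categories: 'ransom_note' (note file present), 'encrypted_file' (.locked suffix),
    'known_sample' (any digest matches `known_hashes`). Files larger than
    `max_hash_bytes` are not hashed, to keep the sweep cheap on big trees.
    The tree is never modified.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                findings.append(("ransom_note", str(path)))
            if name.endswith(ENCRYPTED_SUFFIX):
                findings.append(("encrypted_file", str(path)))
            try:
                if path.stat().st_size <= max_hash_bytes and file_hashes(path) & known_hashes:
                    findings.append(("known_sample", str(path)))
            except OSError:
                # unreadable or vanished file: skip rather than abort the sweep
                continue
    return findings


def summarize(findings):
    """Count findings per category; missing categories read as 0."""
    return Counter(category for category, _ in findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = sweep(target)
    for category, path in results:
        print(f"{category:15s} {path}")
    print(dict(summarize(results)))
```

Run it against a suspect share or home directory; a non-zero `ransom_note` or `encrypted_file` count is the cheap signal, while `known_sample` only fires if one of the three reported binaries is still on disk, which the self-deletion keypoint above says is unlikely after a completed run. Treat any hit as a trigger for isolation and image capture rather than cleanup.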
Read more: https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/