IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
internet of things
#
work from home
Search
Story image
#
Cybersecurity
#
Encryption
#
Ransomware
Cado Security unmasks Cerber ransomware threat to Confluence servers
Wed, 17th Apr 2024
Author image
By Sean Mitchell, Publisher
Follow us

Cado Security has revealed the findings of an extensive investigation into the Cerber ransomware being deployed onto servers running the Confluence application. The report, which uncovered a lesser-known Linux variant, provides significant insight into how attackers leveraged the recent CVE-2023-22518 exploit to breach Confluence.

The CVE-2023-22518 exploit involves a flaw in system authorisation that allows the attacker to reset the Confluence application and create a new administrative account. Once this account is established, it can facilitate the execution of malicious codes by uploading and installing a perilous module that provides a web UI capable of executing arbitrary commands on the host.

Cado Security Labs' research reveals that the primary payload is packed with UPX, similar to other payloads. Its main function is to establish the environment and grab further payloads for operation. It then reaches out to a (now defunct) C2 server, from where it retrieves the secondary payload, a log checker known as agttydck. Though the purpose of this checker is not explicitly clear, it's likely used to verify the writability of the 'tmp' directory and its ability to write, which could be a check to determine if the encryptor can function in a highly secure system.

The encryption phase is handled by agttydcb, whose principal task is to encrypt files on the filesystem. On choosing a file to encrypt, it opens a read-write file stream to the file. After reading the entire file, it encrypts the file in memory before overwriting the file with encrypted data, rendering the file fully encrypted.

This ransomware operates differently in a Linux environment. Instead of creating a new file and deleting the original, the encryptor rewrites the existing file. This is likely due to Linux directories possibly being set to append-only mode, preventing outright file deletion. Overwriting the file ensures that data recovery using advanced forensic tools is possibly made impossible.

The use of the Confluence vulnerability has enabled the ransomware to compromise a substantial number of potentially high-value systems. As organisations continue to grapple with the repercussions of this attack, security researchers are gaining deeper insights into the sophistication and adaptability of modern ransomware techniques.

Related stories
Object First selects Vitanium for launch of ransomware-proof backup appliance
Kaspersky boosts email security features after 77% of firms hit by cyber attacks
Barracuda report explores challenges in managing cyber risks
Zscaler introduces enhanced ZDX service for improved IT operations
Exclusive: How Darktrace is tackling AI-driven cybersecurity
Top stories
GitHub previews Copilot Workspace for AI-assisted coding
Generative AI adoption in marketing hindered by skill gap & legal concerns
Cloudbrink releases tool to assess packet loss impact on hybrid workforce
Coveo joins MACH Alliance to advocate open tech ecosystem
Demica & Jardine Norton team up to boost UK SME financing