December 2, 2023

Software program firm Atlassian is now saying {that a} lately disclosed challenge is being exploited by hackers utilizing the Cerber ransomware.

An Atlassian spokesperson stated Tuesday that the corporate had proof to assist what cybersecurity researchers reported over the weekend: CVE-2023-22518 — a vulnerability affecting the Confluence Knowledge Heart and Confluence Server merchandise — was being utilized in cybercrime.

On Sunday, cybersecurity researchers and incident responders at Rapid7 stated that they had been seeing exploitation makes an attempt by hackers utilizing Cerber — a ransomware model considered long-defunct. Atlassian had beforehand made a number of bulletins in regards to the bug however didn’t specify the way it was being exploited.

“Unpatched situations stay weak and we proceed to induce these Confluence Knowledge Heart and Server clients to take fast motion,” the Atlassian spokesperson stated.

The corporate stated it has up to date its advisory with data on how clients can detect threats and remediate the problem.

Escalating warnings

Atlassian CISO Bala Sathiamurthy warned the general public final week in regards to the bug, which he stated may result in “important knowledge loss if exploited.” Later within the week, the corporate up to date its advisory to say that whereas it didn’t have proof of an energetic exploit, it did observe “publicly posted vital details about the vulnerability which will increase the chance of exploitation.”

“After discovering the unexploited vulnerability, on October 31, 2023, we issued the Essential Safety Advisory urging clients to take fast motion. Whereas there was nonetheless no recognized exploit, we issued one other wave of communications on November 2, 2023 that famous the elevated threat for any clients that had not but utilized the patch after observing publicly posted vital details about the vulnerability,” the Atlassian spokesperson stated Tuesday.

“On November 3, 2023, we warned clients of an energetic exploit and escalated this on November 6, 2023 following proof of malicious exercise, together with ransomware assaults.”

Different corporations, like Huntress and Pink Canary, backed up Rapid7’s evaluation that hackers had been utilizing the Cerber ransomware after exploiting the vulnerability.

The return of Cerber

The Cerber ransomware operation was energetic between 2016 and 2019 however was seen in 2021 focusing on Confluence situations weak to a different bug, CVE-2021-26084. On the time, the hackers behind the 2021 marketing campaign focused victims in China, Germany, and the U.S., demanding 0.04 bitcoin in alternate for the decryptor.

A number of ransomware consultants stated that they had not seen the Cerber ransomware utilized in years.

Cerber ransomware word. Picture: Rapid7

When requested in regards to the state of affairs, Rapid7 head of vulnerability analysis Caitlin Condon advised Recorded Future Information the ransomware word the crew extracted was titled “C3RB3R Directions,” and the information had been encrypted with the extension “L0CK3D,” which is a typical sample for Cerber ransomware.

“It’s vital to notice, nonetheless, that we’re analyzing and attributing the malware, not the menace actor,” she stated.

“The ransomware ecosystem has modified and diversified considerably lately — supply code has been leaked and elements reused, adversaries from distinguished teams have shifted allegiance (and brought their so-called mental property with them), associates and entry brokers have developed ways and strategies, and so forth.”

Condon went on to notice that in different latest assaults, the corporate has seen hackers use ransomware whose supply code was leaked. The idea is that lone-wolf attackers are utilizing the leaked code to “make a fast buck.”

The researchers are “analyzing the malware and the artifacts, not attributing the human adversary,” Condon stated.

Rapid7 stated a number of clients are being exploited by way of CVE-2023-22518 and Pink Canary in addition to Huntress stated they noticed the identical .LOCK3D file extension in assaults.

Huntress researchers stated that primary searches of “confluence” on the web Shodan search instrument present greater than 200,000 presumably weak endpoints and extra slender searches discovered over 5,600 presumably weak endpoints. However the firm famous that neither search proves exploitability or model quantity and solely “reveal that Confluence is commonly publicly accessible.”

Get extra insights with the

Recorded Future

Intelligence Cloud.

Study extra.

No earlier article

No new articles

Jonathan Greig

Jonathan Greig is a Breaking Information Reporter at Recorded Future Information. Jonathan has labored throughout the globe as a journalist since 2014. Earlier than transferring again to New York Metropolis, he labored for information shops in South Africa, Jordan and Cambodia. He beforehand lined cybersecurity at ZDNet and TechRepublic.