April 17, 2024 at 07:12AM
Threat actors are exploiting an unpatched Atlassian server vulnerability (CVE-2023-22518) to deploy the Linux variant of Cerber ransomware. This poses a critical security risk, as successful exploitation gives the attacker control of the affected system. The ransomware payloads are executed through a web shell, encrypt files, and drop ransom notes. The payloads are written in C++, and new ransomware families continue to emerge.
Key takeaways from the meeting notes:
– Threat actors are exploiting an unpatched Atlassian server vulnerability (CVE-2023-22518) to deploy Cerber ransomware, leading to a full loss of confidentiality, integrity, and availability on affected systems.
– Financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and allow the execution of arbitrary commands on the host, leading to the installation of the Cerber ransomware.
– The primary Cerber payload acts as a loader for additional C++-based malware, erasing its own presence from the infected host, and encrypting contents with a .L0CK3D extension.
– Other ransomware families, such as Evil Ant, HelloFire, and L00KUPRU, have been spotted targeting Windows and VMware ESXi servers, with some leveraging leaked ransomware source code to spawn custom variants.
– The need for robust security measures capable of mitigating ransomware threats effectively, as well as the adoption of a cybersecurity culture among employees, has been underscored.
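The only host-level indicator the notes give for the Linux Cerber payload is the .L0CK3D extension appended to encrypted files. The following triage script is an added example, not code from the notes or from any vendor report; it walks a filesystem tree, lists every file carrying that extension, and counts hits per directory so a responder can see where encryption progressed furthest. The directory layout it builds is constructed for the example, and the ransom note file name is deliberately not matched because the notes do not state it.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator taken from the summary above: the Linux Cerber payload appends
# this extension to encrypted files. Every file name below is constructed
# for the example and does not come from a real incident.
ENCRYPTED_EXT = ".L0CK3D"


def scan_for_locked_files(root):
    """Walk `root` and return (matches, per_dir_counts).

    matches:        sorted list of paths whose name ends with ENCRYPTED_EXT
    per_dir_counts: Counter mapping each directory to the number of such
                    files it holds, which shows where encryption has spread
    """
    matches = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_EXT):
                matches.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return sorted(matches), per_dir


def build_sample_tree():
    """Create a constructed directory layout resembling a Confluence host
    on which encryption has started. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="cerber_triage_")
    layout = {
        "confluence-data/attachments/report.pdf.L0CK3D": b"<ciphertext>",
        "confluence-data/attachments/diagram.png.L0CK3D": b"<ciphertext>",
        "confluence-data/index/segments.gen": b"intact",
        "home/app/notes.txt.L0CK3D": b"<ciphertext>",
        "home/app/README": b"intact",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    files, by_dir = scan_for_locked_files(root)
    print(f"{len(files)} encrypted file(s) found under {root}")
    for directory, count in by_dir.most_common():
        print(f"  {count:3d}  {directory}")
```

Run the script against a real root (for example `/`) from a live-response shell or a mounted disk image; the per-directory counts are the quickest way to tell whether the encryption run finished or was interrupted, which in turn decides how much data is recoverable from unaffected paths.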