Cerber Targets Atlassian and GitLab

Cerber ransomware usually use Windows and Linux encryptors is active again with new attack tactics. This time it has been observed targeting remote code execution vulnerabilities in Atlassian Confluence and GitLab servers.

The new ransomware variant does not have any code from the older family. It uses the Crypto++ library, while the older variant uses Windows CryptoAPI libraries.

The code differences and older versions not having Linux variants imply that a new threat actor may have started using the name, Tor payment site, and a ransom note of the older versions. The new versioncreates ‘__$$RECOVERY_README$$__.html’ ransom notes and appends the .locked extension and asking for ransom between $1,000 and $3,000 from the victims.

The new operation targets servers using recently disclosed vulnerabilities in GitLab and Atlassian Confluence.

Cerber exploits a remote code execution vulnerability that exists in GitLab’s ExifTool component. The vulnerabilities are tracked as CVE-2021-22205 and CVE-2021-26084 (an OGNL injection vulnerability in Confluence).

The vulnerabilities can be exploited remotely without authentication. Both vulnerabilities already have publicly disclosed PoC allowing the attackers to easily target servers.

The recent attacks are mostly targeting the U.S., Germany, and China. They have even targeted Russia, showing that they are not specifically targeting any particular region.

Cybercriminals always take advantage of exploitable vulnerabilities in popular enterprise software. Thus, the best protection against the recent Cerber attacks is applying the security updates for Atlassian Confluence and GitLab.