Cerber ransomware is active again with new attack tactics. This time it has been observed targeting remote code execution vulnerabilities in Atlassian Confluence and GitLab servers.
Cerber name resurfaces
Since last month, the Cerber ransomware group has started targeting victims around the world. The ransomware operators were found using both Windows and Linux encryptors.
The new ransomware variant does not have any code from the older family. It uses the Crypto++ library, while the older variant uses Windows CryptoAPI libraries.
The code differences and older versions not having Linux variants imply that a new threat actor may have started using the name, Tor payment site, and a ransom note of the older versions.
The new version creates ‘__$$RECOVERY_README$$__.html’ ransom notes and appends the .locked extension.
Upon successful infection, the new Cerber ransomware group is asking for ransom between $1,000 and $3,000 from the victims.
New attack tactics
The new operation targets servers using recently disclosed vulnerabilities in GitLab and Atlassian Confluence.
Cerber exploits a remote code execution vulnerability that exists in GitLab's ExifTool component. The vulnerabilities are tracked as CVE-2021-22205 (improper image file validation in GitLab) and CVE-2021-26084 (an OGNL injection vulnerability in Confluence).
The vulnerabilities can be exploited remotely without authentication.
Moreover, both vulnerabilities already have publicly disclosed PoC allowing the attackers to easily target servers.
The targeted countries
The recent attacks are mostly targeting the U.S., Germany, and China. They have even targeted Russia, showing that they are not specifically targeting any particular region.
Cybercriminals always take advantage of exploitable vulnerabilities in popular enterprise software. Thus, the best protection against the recent Cerber attacks is applying the security updates for Atlassian Confluence and GitLab.