Cerber ransomware is back to target Gitlab and Confluence servers

January 20, 2022

Cerber ransomware is making itself known again, and it is now packed with new tools and strategies to infect its targets. Recent observations showed that the revived ransomware targets remote code execution flaws in Gitlab servers and Atlassian Confluence.

According to analysts, the Cerber ransomware threat group now targets victims worldwide and uses both Linux and Windows encryptors. However, the new variant contains no code from the earlier strains. Instead, it is built on the Crypto++ library, a notable upgrade for Cerber, since the older variant relied only on the Windows CryptoAPI.


The primary code differences are evident in the new Cerber ransomware.

The older version had no Linux variant, implying that a new threat actor may have started reusing the names, Tor payment sites, and ransom note of the earlier strain. The latest version drops HTML ransom notes containing a recovery code and appends a "locked" extension to the files it encrypts. Researchers also noted that once Cerber has successfully infected a network, the ransom demanded from victims is between $1,000 and $3,000.

The new ransomware operation targets servers through recently disclosed flaws in Atlassian Confluence and GitLab. On GitLab, Cerber takes advantage of a remote code execution flaw in the server's ExifTool component. The flaws are tracked as CVE-2021-26084 (Atlassian Confluence) and CVE-2021-22205 (GitLab).

Both vulnerabilities can be exploited without authentication. Furthermore, proof-of-concept exploits for both flaws have already been published, enabling numerous threat actors to exploit them and quickly compromise unpatched servers.

According to gathered reports, recent Cerber activity has been observed in the United States, China, and Germany. The actors also target Russia from time to time, implying that they are not a state-backed hacking group.

Threat actors will always take advantage of any vulnerability they can get their hands on. Experts strongly advise that the best defense against the recent Cerber ransomware attacks is applying the available GitLab and Atlassian Confluence security updates.
