The PolySwarm Blog


C3RB3R Exploiting CVE-2023-22518

Nov 20, 2023 2:13:05 PM / by The Hivemind

Related Families: Cerber

Executive Summary

A new Cerber variant tracked as C3RB3R was recently observed leveraging CVE-2023-22518.

Key Takeaways

  • A new Cerber variant tracked as C3RB3R was recently observed leveraging CVE-2023-22518.
  • Both Linux and Windows variants of C3RB3R were observed.
  • CVE-2023-22518 is an improper authorization vulnerability affecting Atlassian’s Confluence Datacenter and Server software. 
  • The threat actors use a double extortion model, warning that the encrypted data has also been exfiltrated and that it will be sold if the ransom is not paid.
  • PolySwarm analysts discovered a C3RB3R sample (noted below) that is not listed in the source report.

What is C3RB3R?

The original Cerber ransomware is a RaaS (ransomware as a service), typically delivered via phishing emails, infected websites, or malvertising. It was first seen in the wild in 2016. A new Cerber variant tracked as C3RB3R was recently observed leveraging CVE-2023-22518. SentinelOne reported on this activity. C3RB3R targets both Windows and Linux hosts.

For the initial compromise, the threat actors send a specially crafted HTTP POST request to the exposed Confluence instance, specifically to the setup-restore.action endpoint. Once the threat actor has created an administrative account, they execute scripts that download and run the desired payload. A webshell named web.shell.Plugin is used for script execution.

Next, the threat actors use PowerShell scripts to determine whether they should use an available proxy server for Confluence server communications. Depending on the environment, one of several download methods is used to deliver the next stage payloads. The initial payloads are stored on the C2 using inconspicuous names.
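As an added defender-side example (not part of the original bulletin or of SentinelOne's report), the following Python script hunts reverse-proxy access logs for the POST to setup-restore.action described above. The combined log format, sample IPs, timestamps and user agents are constructed assumptions; the endpoint match is deliberately a substring on the decoded path, so percent-encoded requests and related setup-restore actions are caught as well.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" access-log format, as a reverse proxy in front of
# Confluence would write it. Adjust LOG_RE if your proxy uses another format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The endpoint the bulletin names as the target of the crafted POST. Matched as a
# substring on purpose so related setup-restore-* actions are flagged too.
SUSPICIOUS_PATH_FRAGMENT = "setup-restore"


@dataclass(frozen=True)
class Alert:
    ip: str
    ts: str
    path: str
    status: str
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_path(path: str) -> str:
    """Drop the query string and decode percent-encoding so 'setup%2Drestore' still matches."""
    bare = path.split("?", 1)[0]
    return unquote(unquote(bare)).lower()  # twice: catches double-encoded paths


def hunt_setup_restore(lines: Iterable[str]) -> List[Alert]:
    """Flag every POST whose decoded path contains the setup-restore fragment,
    regardless of status code: a 403 still tells you someone probed the endpoint."""
    alerts: List[Alert] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # malformed or non-combined line
        if fields["method"] != "POST":
            continue
        if SUSPICIOUS_PATH_FRAGMENT in normalize_path(fields["path"]):
            alerts.append(Alert(fields["ip"], fields["ts"], fields["path"],
                                fields["status"], fields["ua"]))
    return alerts


# Constructed sample log: IPs, timestamps and user agents are made up for this example.
SAMPLE_LOG = [
    '10.0.0.12 - - [20/Nov/2023:09:01:10 +0000] "GET /pages/viewpage.action?pageId=101 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [20/Nov/2023:09:02:41 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.77 - - [20/Nov/2023:09:02:42 +0000] "POST /json/setup%2Drestore.action?x=1 HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '10.0.0.12 - - [20/Nov/2023:09:03:05 +0000] "POST /rest/api/content HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for a in hunt_setup_restore(SAMPLE_LOG):
        print(f"{a.ts} {a.ip} POST {a.path} -> {a.status} ({a.user_agent})")
```

Any POST to this endpoint deserves a ticket whatever the response code: a 403 shows the probe, a 200 shows the reset may have gone through. Compare hits against change records, since a legitimate administrator restore uses the same path.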

Linux Variant

In the case of the Linux variant, commands are injected through the Confluence parent process, Java. Following a series of commands, including Python scripts, a file named qnetd is downloaded, which in turn downloads and executes the final payload.

Windows Variant

In the case of the Windows variant, the -b 9 argument is used to run the malware in a hidden window controlled via scripts on the remote C2. C3RB3R attempts to remove volume shadow copies using WMIC.EXE. The ransomware encrypts both local drives and connected SMB shares, appending the .L0CK3D extension to encrypted files.

The C3RB3R ransom note is delivered as a .txt file, and victims are issued a unique portal TOR-based URL. The threat actors use a double extortion model, warning that the encrypted data has also been exfiltrated and that it will be sold if the ransom is not paid.
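Both variant descriptions above give a process-level signal a defender can act on: on Linux, the Confluence Java process spawning a shell or Python interpreter; on Windows, WMIC.EXE deleting shadow copies. The following Python detector is added here as an example and is not taken from the bulletin or from SentinelOne's analysis. It evaluates those two rules over constructed process-creation records; the host names, paths and command lines are made up, and `/tmp/stage1.py` is a placeholder script name.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, e.g. auditd execve on Linux or Sysmon Event ID 1 on Windows."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Interpreters and shells that a Confluence Java process has no routine reason to spawn.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
                "cmd", "powershell", "pwsh"}

# WMIC shadow-copy deletion in any casing/spacing, with or without the .exe suffix.
WMIC_SHADOWCOPY_RE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Last path component, lower-cased and without .exe, for both '/' and '\\' separators."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_java_parent(parent_image: str) -> bool:
    """True when the parent is a Java runtime (Confluence's parent process per the bulletin)."""
    return basename(parent_image) == "java"


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (rule_name, event) for every record that trips one of the two rules."""
    hits: List[Tuple[str, ProcessEvent]] = []
    for ev in events:
        if is_java_parent(ev.parent_image) and basename(ev.image) in INTERPRETERS:
            hits.append(("java_spawns_interpreter", ev))
        cmd = " ".join(ev.command_line.split())  # collapse runs of whitespace
        if WMIC_SHADOWCOPY_RE.search(cmd):
            hits.append(("wmic_shadowcopy_delete", ev))
    return hits


# Constructed sample telemetry; nothing here is taken from a real host.
SAMPLE_EVENTS = [
    ProcessEvent("conf-lnx-01", "/opt/atlassian/confluence/jre/bin/java", "/bin/sh",
                 "sh -c 'python3 /tmp/stage1.py'"),          # placeholder script name
    ProcessEvent("conf-lnx-01", "/opt/atlassian/confluence/jre/bin/java", "/usr/bin/git",
                 "git --version"),                            # benign tooling, not flagged
    ProcessEvent("conf-win-01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe", "WMIC.exe   ShadowCopy  Delete"),
    ProcessEvent("conf-win-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),  # benign query
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.host} {basename(ev.parent_image)} -> {ev.command_line}")
```

In production, scope the Java rule to Confluence's install path or service account so other Java applications on the host do not add noise; the WMIC rule is independent of casing and spacing, which is why the command line is normalized before matching.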

What is CVE-2023-22518?

CVE-2023-22518 is an improper authorization vulnerability affecting Atlassian’s Confluence Datacenter and Server software. The vulnerability allows an unauthenticated threat actor to reset Confluence and create a Confluence instance administrator account. Once the account is created, the threat actor can perform administrator-level activities, including actions that lead to full loss of confidentiality, integrity, and availability.

The vulnerability was first disclosed on October 31. After observing multiple active exploits leveraging CVE-2023-22518, Atlassian raised its CVSS score from 9.1 to 10, the highest possible critical rating.

IOCs

PolySwarm has multiple samples of C3RB3R and continues to track Cerber ransomware and its emerging variants.

SHA-256:

fb5a2d1be8b66c6eb1112f36b8c5ed7db9703f31ea7c77b56cbb05bc8c04758f
1849bc76e4f9f09fc6c88d5de1a7cb304f9bc9d338f5a823b7431694457345bd
4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe
d338734230d4cd151308d6dd0fcbb3150b2f2ad27ee0f166872e1a10d326e39d
f2e17ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707f

PolySwarm analysts discovered the C3RB3R sample with the hash f2e17ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707f that is not listed in the source report.
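To put the hashes above to use, here is an added Python triage script (example code, not PolySwarm's tooling) that walks a directory tree and flags files whose SHA-256 is in the IOC list as well as files carrying the .L0CK3D extension named earlier. The demo tree it builds is constructed: because no real sample ships with this page, it adds the hash of a made-up blob to the IOC set so the hash-match path can be exercised.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# SHA-256 IOCs from the bulletin. Hex digests are case-insensitive, and some of the
# published values arrive with a capitalized first character, so normalize once.
C3RB3R_SHA256: Set[str] = {h.lower() for h in (
    "Fb5a2d1be8b66c6eb1112f36b8c5ed7db9703f31ea7c77b56cbb05bc8c04758f",
    "1849bc76e4f9f09fc6c88d5de1a7cb304f9bc9d338f5a823b7431694457345bd",
    "4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe",
    "D338734230d4cd151308d6dd0fcbb3150b2f2ad27ee0f166872e1a10d326e39d",
    "F2e17ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707f",
)}

# Extension the bulletin reports on encrypted files (compared case-insensitively).
ENCRYPTED_EXT = ".l0ck3d"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large SMB shares are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, iocs: Set[str]) -> List[str]:
    """Return the reasons a file is suspicious: encrypted-file extension and/or known-bad hash."""
    reasons: List[str] = []
    if path.suffix.lower() == ENCRYPTED_EXT:
        reasons.append("l0ck3d_extension")
    if sha256_file(path) in iocs:
        reasons.append("sha256_ioc_match")
    return reasons


def scan_directory(root: str, iocs: Set[str] = C3RB3R_SHA256) -> Dict[str, List[str]]:
    """Walk root recursively; map each flagged file's relative POSIX path to its reasons."""
    root_path = Path(root)
    findings: Dict[str, List[str]] = {}
    for p in root_path.rglob("*"):
        if not p.is_file():
            continue
        reasons = classify(p, iocs)
        if reasons:
            findings[p.relative_to(root_path).as_posix()] = reasons
    return findings


def build_demo_tree() -> Tuple[str, Set[str]]:
    """Create a constructed directory tree in a temp dir. Returns (root, iocs), where iocs is
    the bulletin's list plus the hash of a constructed blob standing in for a dropped binary."""
    root = tempfile.mkdtemp(prefix="c3rb3r_demo_")
    base = Path(root)
    (base / "finance").mkdir()
    (base / "finance" / "q3.xlsx.L0CK3D").write_bytes(b"\x00" * 64)            # constructed encrypted file
    (base / "finance" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)  # benign
    (base / "readme.txt").write_text("hello")                                    # benign
    fake_sample = b"constructed stand-in for a dropped binary"
    (base / "dropped.bin").write_bytes(fake_sample)
    return root, C3RB3R_SHA256 | {hashlib.sha256(fake_sample).hexdigest()}


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    for rel_path, reasons in scan_directory(demo_root, demo_iocs).items():
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run it against a mounted share or a collected triage image rather than the live system drive of a suspected host, and treat an extension hit as evidence of impact (files already encrypted) and a hash hit as evidence of the dropper or payload being present.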

You can use the following CLI command to search for C3RB3R samples in our portal:

$ polyswarm link list -t C3RB3R

You can use the following CLI command to search for all Cerber ransomware family samples in our portal, including previous variants:

$ polyswarm link list -f Cerber


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Ransomware, Cerber, C3RB3R, CVE-2023-22518
