Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities.
As ransomware attacks started to accelerate in 2016, a new ransomware operation called Cerber appeared and quickly became one of the most prolific gangs of that time. Its activity slowly declined until it disappeared at the end of 2019.
Last month, a ransomware calling itself Cerber reappeared, infecting victims around the world with Windows and Linux encryptors.
The new version of Cerber creates ransom notes named __$$RECOVERY_README$$__.html and appends the .locked extension to encrypted files.
The new Cerber ransomware gang appears to be demanding ransoms ranging from $1,000 to $3,000.
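As an added illustration (not code from the article or from BleepingComputer), the following Python scan flags directories that carry the two indicators described above, the ransom note name and the .locked extension; the sample directory tree, its file names and the min_locked threshold are constructed for the demo and are assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators described in the article: ransom note name and encrypted-file extension.
RANSOM_NOTE = "__$$RECOVERY_README$$__.html"
ENCRYPTED_EXT = ".locked"


def scan_for_cerber(root: str, min_locked: int = 3) -> List[Dict]:
    """Walk `root` and report directories that look affected by the new Cerber.

    A directory is flagged when it contains the ransom note, or when at least
    `min_locked` files carry the .locked extension (the note may not have been
    written yet while encryption is still in progress). Threshold is an assumption.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        note_present = RANSOM_NOTE in files
        locked = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        if note_present or len(locked) >= min_locked:
            findings.append({
                "directory": dirpath,
                "ransom_note": note_present,
                "locked_files": len(locked),
            })
    return findings


def build_sample_tree(base: str, with_note: bool = True) -> str:
    """Create a constructed sample tree: one encrypted folder, one clean folder."""
    hit = Path(base) / "confluence" / "attachments"
    hit.mkdir(parents=True)
    for name in ("page1.pdf", "diagram.png", "notes.docx"):  # constructed names
        (hit / (name + ENCRYPTED_EXT)).write_text("ciphertext")
    if with_note:
        (hit / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
    clean = Path(base) / "gitlab" / "repos"
    clean.mkdir(parents=True)
    (clean / "README.md").write_text("untouched")
    return base


def demo(with_note: bool = True) -> List[Dict]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_cerber(build_sample_tree(tmp, with_note))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```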
Emsisoft CTO and ransomware expert Fabian Wosar tested the new variant and said it does not match the code of the older ransomware family. Specifically, the new version uses the Crypto++ library, while the older version used the Windows CryptoAPI libraries.
These code differences, and the fact that the original Cerber never had a Linux variant, lead us to believe that a new threat actor has adopted the Cerber name, ransom note, and Tor payment site and is not the original operation.
Targeting Confluence and GitLab servers
This week, security researchers and vendors spotted the new Cerber ransomware operation hacking servers using remote code execution vulnerabilities in Atlassian Confluence and GitLab.
Security researcher BoanBird shared a sample of the new Cerber ransomware with BleepingComputer which shows that this new strain specifically targets the Atlassian Confluence folders listed below.
BoanBird also shared a link to the GitLab forums, where administrators revealed that Cerber exploits a recently disclosed vulnerability in the GitLab ExifTool component.
These vulnerabilities are tracked as CVE-2021-26084 (Confluence) and CVE-2021-22205 (GitLab) and can be exploited remotely without authentication. In addition, public proof-of-concept (PoC) exploits are available for both vulnerabilities, allowing intruders to breach unpatched servers easily.
A report published this week by Tencent researchers shows that the attacks deploying the new Cerber ransomware are aimed primarily at the United States, Germany, and China.
Right now, the best protection against Cerber is to apply the available security updates for Atlassian Confluence and GitLab.
Source of information: bleepingcomputer.com