Thursday, May 1, 2025
Homecyber securityCerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Published on

SIEM as a Service

Follow Us on Google News

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber ransomware targeting Linux systems.

This strain of the notorious malware has been observed exploiting a recent vulnerability in the Atlassian Confluence application to gain a foothold on targeted servers.

CVE-2023-22518: The Vulnerability Exploited

The primary attack vector for this Cerber variant is the exploitation of CVE-2023-22518, a vulnerability in the Atlassian Confluence application that allows an attacker to reset the application and create a new administrative account, as reported by Cado Security Labs.

- Advertisement - Google News

This flaw, disclosed and patched earlier this year, has become a prime target for threat actors seeking to compromise Confluence servers.

Technical Details

The Cerber Linux ransomware is a highly obfuscated C++ payload, compiled as a 64-bit Executable and Linkable Format (ELF) binary and packed with the UPX packer.

This technique is employed to prevent traditional malware scanning and analysis.

Once the attacker gains access to the Confluence server through the CVE-2023-22518 exploit, they use the newly created administrative account to upload and install a malicious web shell plugin, Effluence.

Free Live Webinar for DIFR/SOC Teams: Securing the Top 3 SME Cyber Attack Vectors - Register Here.

This web shell provides a user interface for executing arbitrary commands on the compromised host.

Recreation of installing a web shell on a Confluence instance
Recreation of installing a web shell on a Confluence instance

The primary Cerber payload is then downloaded and executed through the web shell.

This payload is a stager responsible for setting up the environment and fetching additional components, including a log checker and the final encryptor payload.

The log checker payload, known as “agttydck,” is a simple C++ program that attempts to write a “success” message to a file.

This is likely a check for the appropriate permissions and sandbox detection.

A cleaned-up routine that writes out the success phrase
A cleaned-up routine that writes out the success phrase

The final encryptor payload, “agttydcb,” is the core of the ransomware.

It systematically encrypts files across the file system, overwriting the original content with the encrypted data and appending the “.L0CK3D” extension.

A ransom note is also left in each directory, demanding payment for the decryption of the files.

The ransom note left by Cerber
The ransom note left by Cerber

The Cerber Linux ransomware exploited the Atlassian Confluence vulnerability, highlighting the importance of timely patching and vigilance in securing critical enterprise applications.

As threat actors continue to target vulnerabilities in popular software, organizations must remain proactive in their security measures to protect against such sophisticated attacks.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Tor Browser 14.5.1 Released with Enhanced Security and New Features

The Tor Project has announced the official release of Tor Browser 14.5.1, introducing a...

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Tor Browser 14.5.1 Released with Enhanced Security and New Features

The Tor Project has announced the official release of Tor Browser 14.5.1, introducing a...

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...