New ransomware strain targets Confluence and GitLab servers

 


A new ransomware strain, which calls itself Cerber, has been spotted attacking unpatched Confluence and GitLab servers using remote code execution vulnerabilities.

According to the reports from Tencent Security and MalwareHunterTeam, the attacks started in the first half of November and hit hundreds of servers, with both Windows and Linux systems being encrypted.

Cerber is the name of a ransomware operation that has been defunct since 2019. However, the researchers say that the new ransomware strain does not match the code of the older family: the new variant uses the Crypto++ library, while the original Cerber used Windows CryptoAPI libraries and did not have a Linux variant. This suggests that the recently spotted attacks are not the work of the original Cerber ransomware operation, but rather that a new threat actor has reused the name, ransom note, and Tor payment site.

The new version of Cerber is creating ransom notes named __$$RECOVERY_README$$__.html and appending the .locked extension to encrypted files. The Cerber ransomware gang is asking 0.04 bitcoin for a decryptor, with the sum doubling in five days.
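As an added illustration (not from the article or the researchers it cites), the following defensive scan walks a directory tree looking for the two file indicators the article names, the ransom note file and the .locked extension, and returns a triage verdict. The directory layout and sample files are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: ransom note name and encrypted-file extension.
RANSOM_NOTE_NAME = "__$$RECOVERY_README$$__.html"
ENCRYPTED_EXT = ".locked"


def scan_for_cerber_indicators(root):
    """Walk `root` and collect paths matching the two indicators.

    Returns a dict with the ransom notes and encrypted files found, plus the
    sorted list of directories touched, so an analyst can gauge encryption scope.
    """
    notes, encrypted, hit_dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(full)
                hit_dirs.add(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                hit_dirs.add(dirpath)
    return {"notes": notes, "encrypted": encrypted, "dirs": sorted(hit_dirs)}


def triage(result):
    """'infected' if both indicators are present, 'suspicious' if only one, else 'clean'."""
    has_note = bool(result["notes"])
    has_enc = bool(result["encrypted"])
    if has_note and has_enc:
        return "infected"
    if has_note or has_enc:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Create a throwaway directory tree (constructed sample data, not a real host)."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    data = Path(root, "var", "atlassian", "confluence")  # hypothetical data directory
    data.mkdir(parents=True)
    (data / "report.docx.locked").write_bytes(b"\x00" * 16)  # stand-in for an encrypted file
    (data / RANSOM_NOTE_NAME).write_text("<html>demo note</html>")
    (Path(root) / "readme.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    res = scan_for_cerber_indicators(build_sample_tree())
    print(triage(res), len(res["encrypted"]), "encrypted file(s),", len(res["notes"]), "note(s)")
```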

According to Tencent Security, the attackers are exploiting the CVE-2021-26084 (Confluence) and CVE-2021-22205 (GitLab) flaws to gain access to vulnerable servers.

CVE-2021-26084 is a code injection vulnerability that allows a remote attacker to execute arbitrary code on the system, while CVE-2021-22205 is an OS command injection bug that allows a remote attacker to execute arbitrary OS commands. It’s worth noting that both bugs have publicly disclosed proof-of-concept (PoC) exploits.

Tencent’s report shows that the majority of Cerber’s victims are located in China, Germany, and the U.S.

