We have learned that a ransomware group is exploiting recently disclosed vulnerabilities to break into unpatched Confluence and GitLab servers, encrypting files and then demanding that the server owners pay a ransom to recover the data.
The attacks were discovered by security researchers MalwareHunterTeam and Tencent Security. So far hundreds of servers have been hit, with both Windows and Linux systems affected.
Affected servers can be identified by the addition of the file extension “.locked” to the end of each encrypted file.
Once a Confluence or GitLab server has been attacked, its web interface returns a 404 error and users can no longer log into their accounts.
Administrators who investigate eventually find the file “$RECOVERY_README$$.html”, which contains the attacker’s ransom demand.
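The two host-level indicators the article gives (files renamed with a “.locked” suffix, and a dropped “$RECOVERY_README$$.html” note) are simple enough to sweep for across a file system. The following is an added example, not code from the article or from either research team: it walks a directory tree, collects every file matching either indicator, and returns a summary an administrator could act on. The sample directory layout it builds (a fake Confluence data directory) and the file contents are constructed for the demo; only the two indicator strings come from the article.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files gain the ".locked"
# extension, and the ransom note is dropped as "$RECOVERY_README$$.html".
LOCKED_SUFFIX = ".locked"
RANSOM_NOTE = "$RECOVERY_README$$.html"


def scan_for_indicators(root):
    """Walk `root` and return {"locked": [...], "notes": [...]} of matching paths.

    Symlinks are not followed, so a link back into the tree cannot loop the
    walk, and unreadable directories are skipped instead of aborting the scan.
    """
    locked, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False,
                                                 onerror=lambda err: None):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(LOCKED_SUFFIX):
                locked.append(full)
            if name == RANSOM_NOTE:
                notes.append(full)
    return {"locked": sorted(locked), "notes": sorted(notes)}


def summarize(result):
    """Return (is_hit, encrypted_count, note_count).

    Either indicator on its own is enough to escalate: a note with no
    ".locked" files may mean encryption was interrupted, and ".locked" files
    with no note may mean the note was already cleaned up.
    """
    n_locked = len(result["locked"])
    n_notes = len(result["notes"])
    return (n_locked > 0 or n_notes > 0, n_locked, n_notes)


def build_sample_tree(root):
    """Constructed sample (hypothetical layout): a Confluence data directory after a hit."""
    root = Path(root)
    att = root / "confluence-data" / "attachments" / "ver003"
    att.mkdir(parents=True)
    (att / "report.pdf.locked").write_bytes(b"\x00" * 16)      # encrypted attachment
    (att / RANSOM_NOTE).write_text("<html>pay</html>")          # note beside the files
    logs = root / "confluence-data" / "logs"
    logs.mkdir()
    (logs / "atlassian-confluence.log").write_text("untouched\n")  # ordinary file
    (root / "confluence-data" / RANSOM_NOTE).write_text("<html>pay</html>")
    return root


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_for_indicators(tmp))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        res = scan_for_indicators(tmp)
        hit, n_locked, n_notes = summarize(res)
        print(f"hit={hit} encrypted={n_locked} notes={n_notes}")
        for path in res["locked"] + res["notes"]:
            print(path)
```

On a real server, point `scan_for_indicators` at the Confluence or GitLab data directory rather than the whole disk first; the scan is read-only, so it is safe to run before deciding whether to take the host offline for imaging.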
The ransom note is the same one used by Cerber, a ransomware that was active between 2016 and 2019 and is believed to have been inactive since.
However, analysis of the code shows that this is a completely different ransomware, one that simply borrows the branding of other ransomware families to scare victims into paying to regain access to their files.
According to Tencent, this group exploited CVE-2021-26084 and CVE-2021-22205 to break into Confluence and GitLab servers, respectively.
Both vulnerabilities are remote code execution vulnerabilities that allow an attacker to gain full control of an unpatched system, making it possible to execute ransomware and encrypt files.
Patches for both issues were released earlier this year, and both vulnerabilities were exploited by multiple threat groups, in September and November respectively. Any administrator still running an unpatched version of either product needs to update as soon as possible.
Sophos reports that Confluence servers have also been the target of the Atom Silo ransomware since October 2021. https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
Sophos’ MTR Rapid Response team investigated a ransomware attack by a recently emerged threat group called Atom Silo. The attack, which lasted for two days, took advantage of a recently revealed vulnerability in the collaboration software Confluence to gain initial access and carry out the attack.
According to Tencent, most of the victims of the new Cerber are now located in China, Germany and the United States.
The attackers demand 0.04 bitcoins (~$2,000) for a decryptor, and the amount doubles after five days.