CyberWire Daily - Cerber ransomware strikes Linux. [Research Saturday]
Episode Date: April 27, 2024
Christopher Doman, Co-Founder and CTO at Cado Security, is talking about their research on "Cerber Ransomware: Dissecting the three heads." This research delves into Cerber ransomware being deployed onto servers running the Confluence application via the CVE-2023-22518 exploit. The research states "Cerber emerged and was at the peak of its activity around 2016, and has since only occasional campaigns, most recently targeting the aforementioned Confluence vulnerability." The research can be found here: Cerber Ransomware: Dissecting the three heads
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, we're working with a couple of customers
that were hit with the Windows side of this exploitation.
They had some Confluence servers attacked.
And as the team were researching through,
they saw there was also a Linux variant as well,
and that kind of piqued their interest.
That's Christopher Doman, co-founder and CTO at Cado Security.
The research we're discussing today is titled
Cerber Ransomware, Dissecting the Three Heads.
Well, let's start with some real fundamentals here.
You mentioned the Windows variant, which I suppose is the more well-known version of this.
Can you describe to us what's the background and history
of this particular ransomware package?
Sure. So the ransomware in question is called Cerber.
It's actually pretty old.
First came out around 2016.
It's kind of interesting.
It was one of the early ransomware as a service variants.
So you could pay on a Russian-language forum for about $500,
get a copy of Cerber,
and then every time you encrypt something with that
or ransom something with that,
about 5% of the money that you extorted from your victims
would also go to the operator of that ransomware.
Then going forwards a bit to end of last year,
there's some attacks against Atlassian Confluence,
so a kind of documentation site,
and people were using a vulnerability there
to install Cerber ransomware.
And there's some good coverage at the time on those Windows attacks from people like
SentinelOne and Trend Micro, but not much on the Linux side, which we kind of uncovered
as we're going through this.
Well, let's dig into it on the Linux side then.
What is the backstory there?
When did it show up on our radar?
So interestingly, there were a couple of shadows of this attack.
So people were seeing that there was potentially
some other exploitation URLs people were using,
but nothing was really documented around those.
I don't think anyone managed to get through
to the second stage of those attacks
and worked out what they'd look like on Linux.
Nathan Artin, to his credit,
did some pretty hardcore reversing.
So he went through and he found a then deploy
on these vulnerable systems
via a couple of mechanisms I can go into in a bit.
And they would do some interesting stuff
around the ransoming.
Well, let's dig into the details then.
What exactly did you all uncover?
Sure.
So the first stage, the exploitation,
looks just the same as some of the other
Windows exploitation we've seen before
against Atlassian's Confluence server and data center products.
So there's this functionality where you can essentially update or change the configuration.
By mistake, that wasn't authenticated.
So anyone that hit that URL, whether the post request in particular,
could then do something where they could actually create their own admin user in Confluence.
The second stage of the attack is installing a web shell.
So some functionality like you run commands against that system.
Interestingly, you essentially upload the plugin.
So there's a plugin in your installation called Web Shell or something like that.
And then we then use that to install the malware.
In this case, it worked in two stages.
So the first stage, we basically check around for some logs,
check if it was installed correctly.
We then download the second stage.
I think maybe they want to protect their ransomware,
which actually do the ransoming.
It would go through,
it would encrypt the files,
kind of as you expect.
But because quite correctly,
this Confluence product doesn't run
as an administrator user by default,
it wouldn't be able to encrypt every single file.
It would do a couple of things
to make sure it could still go through.
But basically you end up, as you expect,
with a couple of notes saying,
please pay us in Bitcoin, and a bunch of files ransomed.
One of the things you highlight in the research
is the fact that this is executed using C++,
and that that's sort of falling by the wayside when it comes to Linux?
Yeah, that's right.
Far more popular these days is Rust or Python.
For one thing, there's kind of a wider development practice where I think most modern developers
don't start learning C++ anymore.
But also, Rust and Python are great
at being a little bit more cross-platform.
So you can write your malware once
or run across more environments.
Potentially a bit more stable as well,
but some of these kind of more old-school C++ variants weren't.
But again, this all goes back to Cerber being a pretty old piece of tech, actually.
So it's almost 10 years old now, the original variants of Cerber.
And who do we suppose is behind Cerber? Do we know?
So it's interesting because of that ransomware-as-a-service operation.
There's two parts to this.
One is whoever's actually running the infrastructure,
creating that malware.
And then secondly, whoever's doing those attacks.
So if you go back to the start of Cerber,
there was in a way better attribution
than more recently,
where it's first sold on some Russian language forums.
There's a good article by Sensei
where they talk about this.
And they were saying,
look, here's a new ransomware, please try it out.
I'll give you a discount
if you're one of the first people to use it.
So Russian language forums with essentially contractors or affiliates
then buying it from those people,
then deploying it.
In terms of the attribution
on this individual attack,
we don't actually know.
We did try and look around,
but we couldn't find much
given that what we really get
is a ransomware note and an email address
saying, no, send us the money.
And what are your recommendations then
for folks to best protect themselves here?
Well, there's a couple of things.
Obviously, patch to actually update that server.
The updated version,
which hasn't got the vulnerability in,
has been around for a few months now.
But there's also much more than that as well.
If you look at Atlassian's official documentation,
they say, talk to your security team,
or if you don't have one, please get one,
which is phrased in an interesting way.
We are Australian. I am too, so maybe it's direct.
I see.
The really key point is that you have to actually investigate
the infection after it's happened
because you need to work out what's happened.
For one thing, if you simply just go and delete the ransomware
or restore from the backup,
that doesn't necessarily fix the problem.
You check to make sure that plugin, that web shell,
isn't still installed.
Otherwise, you just get re-ransomed again straight away.
And then we haven't seen it in these attacks,
but there are a few people using this vulnerability.
It's also good to find out if there's stolen things like credentials.
Are they going to move to other systems?
You know, other kind of things that ideally you'd be checking to
if you have those kind of capabilities.
It's interesting to me, as you mentioned,
how long this ransomware has been around.
I mean, is it fair to say it's tried and true
and that's been why it has stuck around as long as it has?
Yeah, I guess so.
I mean, it's tried and tested.
It works across multiple operating systems,
as seen here with Linux.
I think it also is a pretty cheap piece of ransomware too,
if you can buy it at $400.
And then they're asking for $2,000 payment.
Your ROI there, your return on investment is pretty fast.
So this isn't the kind of big game ransomware.
I know you did a recent episode
on some of those healthcare ransomwares
with some crazy numbers of damage and impact there.
This is more targeting kind of SMBs
that might be running this software most of the time.
Yeah, it's a fascinating subgroup, I guess.
I liken it to almost being like a nuisance ransomware.
It's probably not going to bring down the business,
but for the people who are operating it,
there's still money to be made.
Yeah, I think that's entirely fair.
These servers generally are the most key systems.
They're not exactly a manufacturing line.
They're basically documentation.
There might be some sensitive things in there.
So maybe the impact isn't high enough
to justify a massive ransom.
You normally see those
when someone takes down an entire network
and they spend maybe
weeks going around trying to find all the key systems, deleting the backups, etc. In this case,
this is pretty much spraying and hoping for the best. At the time this vulnerability came out, there were
about 5,000 vulnerable systems when it first came out. And quite quickly, people realized this was
going on. So if you hit 5,000 systems,
maybe half of those,
the rounds went to the exploits against
and then maybe 10% pay.
That money still adds up, but it's not.
Like you say, maybe it's more of a nuisance
than a massive kind of campaign.
Our thanks to Christopher Doman from Cado Security for joining us.
The research is titled,
Cerber Ransomware, Dissecting the Three Heads.
We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks.
Thanks for listening. We'll see you back here next time.