C3RB3R Ransomware Strikes Again: Exploiting the Confluence Vulnerability

In the wake of Atlassian’s disclosure of CVE-2023-22527, a critical template injection vulnerability in the Confluence Server and Data Center, Arctic Wolf Labs has uncovered threat actors are leveraging this vulnerability to deploy the C3RB3R ransomware alongside a suite of other malicious payloads.

Arctic Wolf Labs’ investigations reveal that shortly after the public release of exploit code for CVE-2023-22527, widespread exploitation attempts began. Attackers targeted vulnerable Confluence Server instances, primarily Linux-based systems. Forensic evidence highlights a concentrated assault using POST requests to the ‘/template/aui/text-inline.vm’ endpoint, a telltale sign of the exploit in action.

Successful exploitation unleashed a devastating swarm of malicious payloads onto the victim system:

• C3RB3R Ransomware: Files were ruthlessly encrypted, marked with the telltale “.L0CK3D” extension, while ransom notes named “read-me3.txt” taunted the victims.
• Sliver Implant: Used by threat actors for persistent access and remote control.
• XorDDoS Trojan: Designed to drain the system and launch distributed denial-of-service (DDoS) attacks.
• Cryptocurrency Mining Tools: Siphoning the victim’s processing power to mine cryptocurrency for the attackers.

The C3RB3R ransomware variant ruthlessly encrypted the targeted Linux system, creating ‘read-me3.txt’ ransom notes across the filesystem and appending ‘.L0CK3D’ extensions to the locked files. Analysis of the ransom note and a corresponding log file reveals striking similarities to a November 2023 Windows-based C3RB3R attack reported by Red Canary.

This marks the earliest known instance observed by Arctic Wolf Labs where C3RB3R ransomware was deployed directly through exploiting CVE-2023-22527.

Forensic gaps resulting from the encryption process make it challenging to pinpoint whether all payloads were dropped by a single threat group. The rapid availability of exploit code, along with observed attack patterns, leads researchers to suspect that multiple threat actors capitalized on the vulnerability, unleashing varying payloads.

How to Protect Yourself & Detect Compromise

1. Patch Immediately: The most crucial defense is to apply the security patches provided by Atlassian for all affected Confluence Server and Data Center versions.

2. Monitor Logs: Vigilantly inspect your logs for POST requests targeting the ‘/template/aui/text-inline.vm’ endpoint. Additionally, check your ‘atlassian-confluence.log’ for potential error messages arising from exploit attempts.

3. Utilize Yara Rules: Arctic Wolf Labs has developed custom Yara rules to pinpoint some of the malicious activity.