Research Saturday 4.27.24
Ep 327 | 4.27.24

Cerber ransomware strikes Linux.


Dave Bittner: Hello everyone and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Christopher Doman: Welcome, we have a couple of customers that were hit with the Windows side of this exploitation. We've had some [inaudible 00:00:36] service attacks, and they asked the team, researching through, they saw there's also a Linux variant as well, and that kind of piqued their interest.

Dave Bittner: That's Christopher Doman, cofounder and CTO at Cado Security. The research we're discussing today is titled "Cerber Ransomware: Dissecting the Three Heads." [ Music ] Well, let's start with some real fundamentals here. You mentioned the Windows variant, which I suppose is the more well-known version of this. Can you describe to us, what's the background and history of this particular ransomware package?

Christopher Doman: Sure. So the ransomware in question is called Cerber. It's actually pretty old, first came out around 2016. It's kind of interesting. It's one of the early ransomware-as-a-service variants. So you can pay on the Russian Language Forum, about $500, get a copy of Cerber, and then every time you encrypt someone with that, or ransom someone with that, about 5% of the money that you extorted from your victims will also go to the operator of that ransomware. Then going forwards a bit to end of last year, there's some attacks against Atlassian Confluence, so kind of documentation sites, and people were using a vulnerability that was still Cerber ransomware. And there's some good coverage at the time on those Windows attacks from people like [inaudible 00:01:57] and Trend Micro, but not much on the Linux side, which we kind of uncovered as we're going through this.

Dave Bittner: Well, let's dig into, on the Linux side, then. What, what is the backstory there? When did it show up on the- on the- on our radar?

Christopher Doman: So interestingly, there were a couple of shadows of this attack. So people were seeing that there was potentially some other exploitation URLs people were using, but nothing was really documented around those. I don't think anyone managed to get through to the kind of second stage of those attacks and worked out what they'd look like. On Linux, Nathan [inaudible 00:02:29], to his credit, did some pretty hardcore reversing. So he went through, and he found and then deployed on these vulnerable systems, via a couple of mechanisms I can go into in a bit, and it would do some interesting stuff around the ransoming.

Dave Bittner: Well, let's dig into the details, then. What exactly did you all uncover?

Christopher Doman: Sure. So the first days, the exploitation looks just the same as some of the other Windows exploitation we've seen before, against Atlassian's Confluence server and datacenter products. So there's this functionality where you can essentially update or change the configuration. By mistake, that wasn't authenticated, so anyone that hit that URL with the- the post-request in particular, could then do something with it, could actually create their own admin user in Confluence. The second stage of the attack is [inaudible 00:03:12] web shell, so some functionality, like you run commands against that system. Interestingly, you actually, essentially upload the plugin, so it's a plugin in your installation called web shell or something like that. And you would then use that to install the malware. In this case, it worked with two stages, so the first stage, we basically check around some logs, check it was installed correctly. We would then download the second stage, and maybe they want to protect their ransomware, which actually do the ransoming. It would go through, it would encrypt the files, kind of what you would expect, because, quite directly, this Confluence probe doesn't run as an administrative user by default. It won't be able to encrypt every single file. It would do a couple of things to make sure it would still go through, but basically you end up, as you expect, with a couple of notes saying, please pay us in Bitcoin and a bunch of files are ransomed.

Dave Bittner: One of the things you highlight in the research is the fact that this is executed using C++, and that that's sort of falling by the wayside when it comes to Linux?

Christopher Doman: Yeah, that's right. Far more popular these days is Rust or Python. It's one thing that's kind of a wider development practice is where, I think, most modern developers don't start learning C++ anymore. But also, Rust and Python are great at being a little bit more cross-platform. So you can write your malware once, go run it across more environments, plenty a bit more stable as well, but some of these kind of more old-school C++ variants weren't. But again, this all goes back to Cerber being a pretty old piece of tech, actually. So, yeah, it's almost 10 years old now, the original variants of Cerber.

Dave Bittner: And who do we suppose is behind Cerber? Do we know?

Christopher Doman: So it's interesting because of that ransomware-as-a-service operation, there's two parts. This one Cerber is actually running the infrastructure, correcting that malware. And then secondly, whoever's doing those attacks. So if you go back to the start of Cerber, there is a way better attribution then, than more recently. It was first sold to Russian Language Forums. There's a good article by SensCy where they talk about this, and they were saying, look, here's a new ransomware. Please try it out. I'll give you a discount if you're one of the first people to use it. So Russian Language Forums would, essentially contractors or affiliates, then buying it from those people, then deploying it. In terms of the attribution on this individual attack, we don't actually know. We did try and look around, but we couldn't find much, given the, what we really get is a ransomware and an email address saying, now send us the money. [ Music ]

Dave Bittner: We'll be right back. [ Music ] And what are your recommendations, then, for folks to best protect themselves here?

Christopher Doman: Well, there's a couple of things. Obviously, patch. Do you actually update that server? There, the updated version, which hasn't got the vulnerability in it, has been around for a few months now. But it's also much more than that as well. If you look at Atlassian's official documentation, they say, talk to your security team, or if you don't have one, please get one.

Dave Bittner: [Laughter].

Christopher Doman: Which is- I know, it's phrased in an interesting way.

Dave Bittner: Practical, [laughter].

Christopher Doman: Yeah, or Australian. I am too, so maybe it's just direct.

Dave Bittner: [Laughter], I see.

Christopher Doman: The really key point is that you have to actually investigate the infection after it's happening, because you need to work out what's happened. For one thing, if you simply just go and, you know, delete the ransomware and restore from the backup, that doesn't necessarily fix the problem. You check to make sure that plugin, that web shell, isn't still installed. Otherwise you're just going to get re-ransomed again straightaway. And then we haven't seen it in these attacks, but there are a few that we use in this vulnerability. It's also good to find out if there's stolen things like credentials. Are they going to move to other systems? You know, other kind of things that ideally you'd be checking into, if you have those kind of capabilities.

Dave Bittner: It's interesting to me, as you mention, you know, how long this ransomware has been around. I mean, it's- is it fair to say, I mean, it's tried and true, and that's been why it has stuck around as long as it has?

Christopher Doman: Yeah, I guess so. I mean, it's tried and tested. It works across multiple operating systems. I've seen it with Linux. I think also it's a pretty cheap piece of ransomware too. If you can buy-in at $400, and then they're asking for $2000 payment, you know, your ROI there, your return on investment's pretty fast. So this isn't, kind of, big game ransomware. I know you did a recent episode on some of those healthcare ransomwares, with some crazy numbers of damage and impact there. This is more targeting kind of SMBs that might be running this software most of the time.

Dave Bittner: Yeah, it's- it's a fascinating subgroup, I guess. It's- I- I liken it to almost being like a nuisance ransomware. You know, it's probably not going to bring down the business, but for the people who are operating it, there's still money to be made.

Christopher Doman: Yeah, I think that's entirely fair, these servers generally are the most key systems. They're not exactly a manufacturing line. They're- they're basically documentation, but there might be some sensitive things in there. So maybe the impact isn't high enough to justify a massive ransom. You normally see those when someone takes down an entire network and they spend maybe weeks going around, trying to find all the key systems, deleting the backups, et cetera. In this case, this is pretty much spray and hope for the best. At the time this vulnerability came out, there were about 5000 vulnerable systems when it first came out. And quite quickly we realized this is going on. So if you hit 5000 systems, maybe half of those, the ransomware successfully exploits against, and then maybe 10% pay. That money still adds up, but it's not, like you say, maybe it's more of a nuisance than a- a massive kind of campaign. [ Music ]

Dave Bittner: Our thanks to Christopher Doman from Cado Security for joining us. The research is titled "Cerber Ransomware: Dissecting the Three Heads." We'll have a link in the show notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]