Cerber targeting organizations with publicly available exploits


#### THREAT LEVEL: Red. For a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/Cerber-targeting-organizations-with-publicly_TA202158.pdf>)

Cerber, a ransomware family that mysteriously vanished in 2019, has reappeared with a new encryption scheme. The new Cerber is built from fresh source code and uses the Crypto++ library, whereas the earlier version relied on the Windows CryptoAPI libraries. Cerber is exploiting the following two vulnerabilities:

- CVE-2021-26084: a remote code execution vulnerability that allows an attacker to execute arbitrary code in Atlassian Confluence Server and Data Center versions 6.13.22, 6.14.0-7.4.10, 7.5.0-7.11.5, and 7.12.0-7.12.4. It has been fixed in versions 6.13.23, 7.4.11, 7.11.6, and 7.12.5.
- CVE-2021-22205: GitLab Community and Enterprise Edition versions 11.9.0-13.8 are affected by a command execution vulnerability that is triggered by uploading a specially crafted image, which is processed by the ExifTool of GitLab Workhorse and results in remote code execution. It has been fixed in version 13.9.

The new Cerber ransomware uses either of the two vulnerabilities above to enter victims' systems and encrypt their files. Cerber places the ransom note in the file **__$$RECOVERY_README$$__.html**, and all encrypted files carry the extension .locked. Organizations can remediate both vulnerabilities by upgrading their systems to the fixed versions.
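The two practical checks a defender takes from this advisory are "is my Confluence or GitLab build inside the affected range?" and "does a file share already show Cerber's artifacts?". The following script is an added example, not HivePro's code or tooling: it encodes the affected and fixed version numbers exactly as the advisory lists them (the reading that "11.9.0-13.8" covers every 13.8.x release is an assumption of this example) and walks a directory tree looking for the ransom note name and the .locked extension. The directory it scans is constructed on the fly so the script runs offline.

```python
"""
Added example (not HivePro's code): triage helpers for the Cerber advisory.

1. is_exposed(product, version): True when a Confluence or GitLab version
   string falls inside the affected ranges stated in the advisory.
2. find_cerber_indicators(root): walks a directory tree and returns paths of
   the ransom note (__$$RECOVERY_README$$__.html) and of *.locked files.

Version ranges are transcribed from the advisory; treating "11.9.0-13.8"
as "everything below 13.9.0" is an assumption of this example.
"""
import os
import tempfile
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

RANSOM_NOTE = "__$$RECOVERY_README$$__.html"   # file name from the advisory
LOCKED_EXT = ".locked"                         # extension from the advisory


def parse_version(text: str) -> Version:
    """Turn '7.12.4' into (7, 12, 4); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# (inclusive lower bound, exclusive upper bound) per product. The upper bound
# of each range is the fixed version named in the advisory.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "confluence": [
        (parse_version("6.13.22"), parse_version("6.13.23")),
        (parse_version("6.14.0"), parse_version("7.4.11")),
        (parse_version("7.5.0"), parse_version("7.11.6")),
        (parse_version("7.12.0"), parse_version("7.12.5")),
    ],
    "gitlab": [
        (parse_version("11.9.0"), parse_version("13.9.0")),  # assumption: all 13.8.x
    ],
}


def is_exposed(product: str, version: str) -> bool:
    """Return True if the installed version is inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[product.lower()])


def find_cerber_indicators(root: str) -> Dict[str, List[str]]:
    """Collect ransom notes and .locked files under root (read-only walk)."""
    hits: Dict[str, List[str]] = {"ransom_notes": [], "locked_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                hits["ransom_notes"].append(path)
            elif name.endswith(LOCKED_EXT):
                hits["locked_files"].append(path)
    return hits


def build_sample_tree() -> str:
    """Construct a throwaway directory that mimics a share after encryption.

    Contents are sample data made up for this example; two ransom notes
    (Cerber drops one per folder) and one encrypted document.
    """
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    os.makedirs(os.path.join(root, "projects"))
    for rel in ("projects/report.docx" + LOCKED_EXT,
                "projects/notes.txt",
                RANSOM_NOTE,
                os.path.join("projects", RANSOM_NOTE)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    for product, ver in (("confluence", "7.12.4"), ("confluence", "7.12.5"),
                         ("gitlab", "13.8.8"), ("gitlab", "13.9.0")):
        print(f"{product} {ver}: {'EXPOSED' if is_exposed(product, ver) else 'patched'}")
    sample_root = build_sample_tree()
    found = find_cerber_indicators(sample_root)
    print(f"ransom notes: {len(found['ransom_notes'])}, "
          f"locked files: {len(found['locked_files'])}")
```

The version check is deliberately strict about the upper bounds, so a build that sits exactly on a fixed version (7.12.5, 13.9.0) reports as patched; anything inside a stated range, including the single 6.13.22 release, reports as exposed. The filesystem walk only reads directory listings, so it is safe to point at a mounted share during triage; matching on the exact note name plus the extension keeps false positives low while still catching the per-folder notes Cerber leaves behind.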
The TTPs used by **Cerber** include:

- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- TA0007 - Discovery
- T1012 - Query Registry
- T1082 - System Information Discovery

#### Vulnerability Details

![](https://www.hivepro.com/wp-content/uploads/2021/12/Cerber-targeting-organizations-with-publicly_VM-1024x361.png)

#### Indicators of Compromise (IoCs)

![](https://www.hivepro.com/wp-content/uploads/2021/12/Cerber-targeting-organizations-with-publicly_IoC-1024x276.png)

#### Patch Links

<https://jira.atlassian.com/browse/CONFSERVER-67940>

#### References

<https://gitlab.com/gitlab-org/gitlab/-/issues/327121>

<https://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html>

<https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html>

<https://otx.alienvault.com/pulse/61af78ee529faac40b2de15e/related>

<https://app.any.run/tasks/c59f562e-4a61-459c-b0a3-9890c412b0ea/>

<https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/>