Cerber returns with a new strain exploiting RCE vulnerabilities in Confluence & GitLab servers

A new variant of Cerber ransomware is targeting Atlassian Confluence & GitLab by exploiting remote code execution vulnerabilities...

09-Dec-2021
3 min read

Cerber ransomware has resurfaced and is now targeting Confluence and GitLab servers. The group was first seen in 2016 and gradually disappeared in 2019. The ransomware's activity was discovered by MalwareHunterTeam and Tencent Security.

As of now, hundreds of servers have been hit; an affected server returns 404 errors when a user attempts to log in. All files on the affected servers are encrypted and given a .locked extension, and the ransom note is dropped among them as a file named __$$RECOVERY_README$$__.html.
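The two file-system indicators named above (the .locked extension and the ransom note file name) can be checked for on a suspect host. The scanner below is an added example written for this post, not code from the article or from the researchers cited; the sample directory tree it builds is constructed for the demonstration and is not real victim data.

```python
"""Scan a directory tree for the Cerber indicators described in the article."""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "__$$RECOVERY_README$$__.html"   # ransom note name from the report
ENCRYPTED_SUFFIX = ".locked"                   # extension appended to encrypted files


def scan_tree(root):
    """Walk `root` and return a summary of Cerber-style indicators.

    Returns a dict with the encrypted files found, the ransom notes found and
    a boolean `likely_hit` that is True only when both indicators appear
    together; either one alone is a much weaker signal.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "likely_hit": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Create a constructed sample tree (not real data) for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="cerber_demo_"))
    data = root / "confluence" / "data"
    data.mkdir(parents=True)
    (data / "page.xml.locked").write_bytes(b"\x00\x01")          # constructed
    (data / "attachments.tar.locked").write_bytes(b"\x00\x01")   # constructed
    (data / RANSOM_NOTE).write_text("<html>placeholder note</html>")
    (root / "untouched.txt").write_text("normal, unencrypted file")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"encrypted: {len(result['encrypted_files'])}, "
          f"notes: {len(result['ransom_notes'])}, likely_hit: {result['likely_hit']}")
```

On a real host, point `scan_tree` at the Confluence or GitLab data directory rather than the demo tree.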


According to Emsisoft CTO Fabian Wosar, the code of the new Cerber version differs from that used in the group's 2016 operations. While the older versions used the Windows CryptoAPI libraries, the recent ones use Crypto++.

BleepingComputer assessed the ransom notes of a few victims and found that Cerber now demands a ransom ranging from $1,000 to $3,000, payable within 5 days. If payment is not made within that time limit, the amount rises to $4,000. The group only accepts bitcoin and offers to decrypt one file for free to show that the Cerber decryption tool works.


Security researchers believe that a new threat actor has merely adopted the Cerber name: the original group never had a Linux variant, and there is no similarity in code, ransom note, or payment site.

Remote Code Execution

Tencent researchers issued an alert about Cerber ransomware exploiting CVE-2021-26084 to target Atlassian Confluence and CVE-2021-22205 to target GitLab.

  • CVE-2021-26084 - A high-severity vulnerability with a CVSS rating of 9.8. It is an Object Graph Navigation Language (OGNL) injection flaw that allows threat actors to execute arbitrary code on Confluence servers and take complete control of them.
  • CVE-2021-22205 - A high-severity vulnerability in certain GitLab endpoints that do not require authorization; attackers can abuse the image upload function to achieve remote code execution. Once exploited, this vulnerability leads to a full compromise of the server.

Their report also noted that Cerber ransomware mainly targeted China, the United States and Germany. Since both CVEs have publicly available PoCs and technical details, compromising unpatched servers is easy for attackers.