Digital Boogeymen Unleashed: The Terrifying Tango of Ransomware and Trojans

Digital boogeymen are exploiting critical vulnerabilities in Atlassian Confluence and Apache ActiveMQ, doing the Monster Mash on any internet-facing server they can reach. Their party favors? The feared Cerber ransomware and the SparkRAT trojan. It’s Halloween all over again, but the treat is missing. Instead, we’re left with costly ransoms and data losses. Trick or treat, indeed!

Hot Take:

Well, it seems like the digital boogeymen are at it again! This time, they’re doing the Monster Mash on Atlassian Confluence and Apache ActiveMQ. And boy, are they having a ball exploiting some pretty serious vulnerabilities. They’ve even brought their favorite party favors – Cerber ransomware and SparkRAT trojan. It’s Halloween all over again, only this time, the trick is on us and the treat is…well, there’s no treat. Just costly ransoms and data losses. Yikes!

Key Points:

  • Ransomware groups are exploiting serious flaws in Atlassian Confluence and Apache ActiveMQ.
  • These vulnerabilities have been used to deploy the feared Cerber ransomware.
  • Atlassian upgraded the severity of their flaw from 9.8 to a perfect 10.0 (ouch!).
  • Exploitation attempts are coming from France, Hong Kong, and Russia.
  • A severe remote code execution flaw in Apache ActiveMQ is being used to deliver a Go-based remote access trojan called SparkRAT and a ransomware variant similar to TellYouThePass.

Need to know more?

The Boogeyman's New Toys

Rapid7, a cybersecurity firm, has been keeping a close eye on these digital troublemakers. They've noticed that these groups are exploiting CVE-2023-22518 and CVE-2023-22515 in various customer environments. And the result? The deployment of Cerber (or C3RB3R if you're hip) ransomware. What's worse, these vulnerabilities are rated critical: they let threat actors create unauthorized Confluence administrator accounts, which can lead to data loss. Spooky, right?

The Perfect Score

Atlassian has now updated its advisory, marking the flaw's severity as a whopping 10.0, the highest possible score. The reason? The scope of the attack has changed. The attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers, which are made to fetch a malicious payload hosted on a remote server; that payload then executes the ransomware on the compromised server. It's like the digital version of a haunted house!

From Russia, with Love

GreyNoise has gathered data showing that the exploitation attempts are coming from three different IP addresses. And where are these masked villains located? France, Hong Kong, and Russia. A truly international gang of digital misfits.

More Tricks, Less Treats

And let's not forget about Apache ActiveMQ. Arctic Wolf Labs disclosed that a severe remote code execution flaw (CVE-2023-46604, another perfect 10.0 score) is being weaponized to deliver a Go-based remote access trojan called SparkRAT. Not only that, but it is also being used to deliver a ransomware variant similar to TellYouThePass. The diversity of threats just shows the need for rapid remediation of this vulnerability.

Tags: Apache ActiveMQ vulnerabilities, Atlassian Confluence flaws, Cerber ransomware, data loss, Remote Code Execution, SparkRAT trojan, TellYouThePass Ransomware