Cerber Ransomware Exploits Confluence Vulnerability

Industry: N/A | Level: Tactical | Source: Sophos

Sophos tracking of Confluence vulnerability CVE-2022-26134, has discovered the attack vector is shrinking with less vulnerable Confluence servers being identified. However, two exploit attempts were observed from Sophos targeting Windows servers with the objective to deploy Cerber ransomware. The activity observed involved the attackers running curl and PowerShell commands on the affected host. The PowerShell command was initially encoded containing instructions to download and execute a payload saved in the %temp% folder. The attack was unsuccessful and mitigated with no evidence of exfiltration or lateral movement.

Anvilogic Use Cases:

• Invoke-WebRequest Command
• Encoded Powershell Command
• Invoke-Expression Command
• Executable Process from Suspicious Folder