LockBit ransom note | Image: The DFIR Report
Security researchers at The DFIR Report have uncovered a highly coordinated attack that leveraged a critical remote code execution (RCE) vulnerability in Confluence (CVE-2023-22527) to deploy LockBit ransomware in under two hours.
The attack began with the exploitation of CVE-2023-22527, a server-side template injection vulnerability in Confluence that allowed an unauthenticated attacker to execute arbitrary commands. The initial access was traced to an IP address (92[.]51.2.22), where the attacker executed system discovery commands such as net user and whoami.
According to The DFIR Report, “The first indication of threat actor activity was the execution of system discovery commands, including net user and whoami.”
Shortly after gaining access, the attacker attempted to download AnyDesk via curl, but the attempt initially failed. They then resorted to mshta.exe to execute a remote HTA file containing a Metasploit stager, successfully establishing command and control (C2).
Once AnyDesk was installed, the threat actor configured it with a preset password, ensuring persistent remote access. “Once installed, AnyDesk was configured with a preset password, providing the threat actor with persistent remote access,” the report noted.
The attacker moved swiftly, executing process enumeration commands to identify other malicious actors and terminate competing processes. During this phase, they inadvertently killed their own Metasploit session, forcing them to rerun the exploit and reestablish C2.
Using Mimikatz, the attacker successfully extracted credentials and moved laterally via RDP to a backup server, where they ran a PowerShell script (Veeam-Get-Creds-New.ps1) to steal Veeam credentials. These credentials facilitated access to a file share server, from which they exfiltrated data using Rclone to MEGA.io.
Once the attacker had full control over the environment, they proceeded to deploy LockBit ransomware manually and via automated methods:
- Manual Execution: LockBit was manually executed on a backup server and file share server.
- Automated Deployment: PDQ Deploy, a legitimate enterprise deployment tool, was used to push the ransomware binary across the network via SMB.
- Secondary Encryption Wave: A failsafe batch script was executed on an Exchange server to encrypt any missed targets.
“Using PDQ Deploy, the threat actors distributed the ransomware binary and a batch script to remote hosts over SMB,” the researchers detailed.
For a detailed breakdown of the attack timeline and technical indicators, visit The DFIR Report.
Related Posts:
- Cryptojacking Campaign Exploits Atlassian Confluence CVE-2023-22527 Vulnerability
- CVE-2023-22527 (CVSS 10): Critical RCE Flaw in Confluence Data Center and Server
- Researchers Published Technical Details for Atlassian Confluence RCE (CVE-2023-22527)
- Godzilla Backdoor: A Stealthy Threat Targeting Atlassian Confluence Flaw (CVE-2023-22527)
- Cyberattackers Unleash LockBit Ransomware Using Cobalt Strike and Proxy Tools
