Hackers Exploited Confluence Server Vulnerability To Deploy LockBit Ransomware
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A sophisticated ransomware attack leveraging a critical Atlassian Confluence vulnerability (CVE-2023-22527, CVSS 10.0) has been uncovered, culminating in the deployment of LockBit Black ransomware across enterprise networks within two hours of initial compromise.
The attackers orchestrated a multi-stage intrusion involving credential theft, lateral movement via RDP, and automated ransomware distribution using legitimate tools like PDQ Deploy.
.webp)
Lateral movement via RDP (Source – The DFIR Report)
The breach began with the exploitation of CVE-2023-22527, a server-side template injection flaw allowing unauthenticated remote code execution (RCE).
.webp)
RCE Exploit (Source – The DFIR Report)
Attackers injected malicious Object-Graph Navigation Language (OGNL) expressions via HTTP POST requests to /template/aui/text-inline.vm, enabling command execution as the NETWORK SERVICE account.
While the cybersecurity analysts at The DFIR Report noted that the initial reconnaissance commands like net user and whoami were executed through a Python script, as evidenced by the python-requests/2.25 user-agent in server logs.
POST /template/aui/text-inline.vm HTTP/1.1 User-Agent: python-requests/2.25 ... Content: ...freemarker.template.utility.Execute().exec({"whoami"})
After establishing a Meterpreter session via a malicious HTA file, the attackers pivoted to AnyDesk for persistent access.
They disabled defenses by typing “virus” into the Windows Start menu to deactivate Defender and cleared logs using PowerShell:-
wevtutil el | ForEach-Object { wevtutil cl "$_" }
Post-exfiltration, the hackers deleted tools like Mimikatz and Rclone to erase traces:-
C:\temp\mimikatz\x64\mimikatz.exe C:\temp\rclone\rclone.exe
.webp)
Attacker disabling Windows Defender via GUI (Source – The DFIR Report)
Impact and Ransomware Deployment
LockBit was deployed using PDQ Deploy, a legitimate IT tool, to execute a batch script (asd.bat) across networked devices. The script triggered ransomware encryption, appending the .rhddiicoE extension to files and modifying desktop wallpapers with LockBit’s signature imagery.
@echo off start cmd /k "C:\temp\LBB.exe -path \\TARGET\C$\"
.webp)
LockBit’s desktop wallpaper alteration post-encryption (Source – The DFIR Report)
Data exfiltration preceded encryption, with 1.5+ GB transferred to MEGA.io via Rclone. The threat actors’ infrastructure, linked to Russian IPs and Flyservers S.A., reflects tactics previously associated with LockBit affiliates.
This incident depicts the critical need to patch Confluence servers and audit remote access tools.
The attackers’ rapid progression from initial access to ransomware deployment shows the importance of real-time endpoint monitoring and credential hygiene.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Hackers Exploited Confluence Server Vulnerability To Deploy LockBit Ransomware
Author: Tushar Subhra DuttaA sophisticated ransomware attack leveraging a critical Atlassian Confluence vulnerability (CVE-2023-22527, CVSS 10.0) has been uncovered, culminating in the deployment of LockBit Black ransomware across enterprise networks within two hours of initial compromise.
The attackers orchestrated a multi-stage intrusion involving credential theft, lateral movement via RDP, and automated ransomware distribution using legitimate tools like PDQ Deploy.
Lateral movement via RDP (Source – The DFIR Report)The breach began with the exploitation of CVE-2023-22527, a server-side template injection flaw allowing unauthenticated remote code execution (RCE).
RCE Exploit (Source – The DFIR Report)Attackers injected malicious Object-Graph Navigation Language (OGNL) expressions via HTTP POST requests to /template/aui/text-inline.vm, enabling command execution as the NETWORK SERVICE account.
While the cybersecurity analysts at The DFIR Report noted that the initial reconnaissance commands like net user and whoami were executed through a Python script, as evidenced by the python-requests/2.25 user-agent in server logs.
POST /template/aui/text-inline.vm HTTP/1.1 User-Agent: python-requests/2.25 ... Content: ...freemarker.template.utility.Execute().exec({"whoami"})
After establishing a Meterpreter session via a malicious HTA file, the attackers pivoted to AnyDesk for persistent access.
They disabled defenses by typing “virus” into the Windows Start menu to deactivate Defender and cleared logs using PowerShell:-
wevtutil el | ForEach-Object { wevtutil cl "$_" }
Post-exfiltration, the hackers deleted tools like Mimikatz and Rclone to erase traces:-
C:\temp\mimikatz\x64\mimikatz.exe C:\temp\rclone\rclone.exe
Attacker disabling Windows Defender via GUI (Source – The DFIR Report)Impact and Ransomware Deployment
LockBit was deployed using PDQ Deploy, a legitimate IT tool, to execute a batch script (asd.bat) across networked devices. The script triggered ransomware encryption, appending the .rhddiicoE extension to files and modifying desktop wallpapers with LockBit’s signature imagery.
@echo off start cmd /k "C:\temp\LBB.exe -path \\TARGET\C$\"
LockBit’s desktop wallpaper alteration post-encryption (Source – The DFIR Report)Data exfiltration preceded encryption, with 1.5+ GB transferred to MEGA.io via Rclone. The threat actors’ infrastructure, linked to Russian IPs and Flyservers S.A., reflects tactics previously associated with LockBit affiliates.
This incident depicts the critical need to patch Confluence servers and audit remote access tools.
The attackers’ rapid progression from initial access to ransomware deployment shows the importance of real-time endpoint monitoring and credential hygiene.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
