LockBit Ransomware Strikes: Exploiting a Confluence Vulnerability

In a swift and highly coordinated attack, LockBit ransomware operators exploited a critical remote code execution vulnerability (CVE-2023-22527) in Atlassian Confluence servers, targeting an exposed Windows server.

This vulnerability, rated CVSS 10.0, enabled unauthenticated attackers to execute arbitrary commands by injecting malicious Object-Graph Navigation Language (OGNL) expressions into improperly sanitized template files.

The attack commenced with system discovery commands, such as net user and whoami, to enumerate user accounts and gather system details.

The attackers leveraged this initial foothold to deploy AnyDesk for persistent access and used the Metasploit framework to establish command-and-control (C2) channels.

Within minutes, they escalated privileges by creating a new local administrator account and proceeded to disable security defenses, including Windows Defender.

Rapid Lateral Movement and Exfiltration

Using Remote Desktop Protocol (RDP), the attackers moved laterally across the network, targeting key systems such as backup servers and file shares.

According to the DFIR Report, they employed tools like Mimikatz to extract credentials and SoftPerfect’s NetScan for network enumeration.

On the backup server, they executed PowerShell scripts to retrieve sensitive Veeam credentials and accessed additional systems using these compromised accounts.

Data exfiltration began just over an hour into the intrusion. The attackers used Rclone, a legitimate cloud storage tool, to transfer sensitive files to MEGA.io.

To cover their tracks, they cleared Windows event logs and deleted files associated with their operations.

LockBit Ransomware Deployment

Approximately two hours after initial access, the attackers launched the LockBit ransomware payload.

Initially, ransomware binaries were executed manually on specific servers via active RDP sessions.

To ensure widespread encryption, they utilized PDQ Deploy, an enterprise software deployment tool, automating the distribution of ransomware binaries across multiple endpoints via SMB shares.

A secondary encryption wave was triggered by mounting remote systems’ C$ shares as a failsafe mechanism.

The attack culminated in encrypted files bearing the .rhddiicoE extension and ransom notes left on compromised systems.

The attackers also altered desktop backgrounds as part of their ransomware execution process.

• Time-to-Ransom (TTR): The entire operation—from initial access to full ransomware deployment—was completed in just over two hours, showcasing exceptional speed and precision.
• Sophisticated Toolset: The threat actors employed a wide array of tools, including Mimikatz for credential theft, Metasploit for C2 operations, and PDQ Deploy for automated ransomware distribution.
• Exploitation Details: The attack exploited CVE-2023-22527 through crafted HTTP POST requests targeting vulnerable endpoints in Confluence servers.

This incident underscores the critical importance of patching known vulnerabilities promptly and implementing robust monitoring mechanisms to detect anomalous activity early in its lifecycle.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!