A sophisticated ransomware attack leveraging a critical Atlassian Confluence vulnerability (CVE-2023-22527, CVSS 10.0) has been uncovered, culminating in the deployment of LockBit Black ransomware across enterprise networks within two hours of initial compromise.<\/p>\n
The attackers orchestrated a multi-stage intrusion involving credential theft, lateral movement via RDP, and automated ransomware distribution using legitimate tools like PDQ Deploy.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhPSfH55g7Jwwb1oYvTyubqzApRgsFPJ5YhW-ZCVvD02yYQfu00yEP3Rr8pQ7_mAb_tY1gQuhcdXe5646Tp1dTfcj0WhDq_zDS9bglFhb4iQ6qB-QxxdeFn47KdC7lQoT-DmVIlyctoFQGeMzaHn5z7CYZ-kYUebjPAHBcO6tLRj4QGHaBKjMLTvZ4l44k\/s16000\/Lateral%2520movement%2520via%2520RDP%2520%28Source%2520-%2520The%2520DFIR%2520Report%29.webp?ssl=1\")
The breach began with the exploitation of CVE-2023-22527, a server-side template injection flaw allowing unauthenticated remote code execution<\/a> (RCE).<\/p>\n Attackers injected malicious Object-Graph Navigation Language (OGNL) expressions via HTTP POST requests to While the cybersecurity analysts at The DFIR Report noted<\/a> that the initial reconnaissance commands like After establishing a Meterpreter session via a malicious HTA file, the attackers pivoted to AnyDesk for persistent access.<\/p>\n They disabled defenses by typing \u201cvirus\u201d into the Windows Start menu to deactivate Defender and cleared logs using PowerShell:-<\/p>\n Post-exfiltration, the hackers deleted tools like Mimikatz<\/a> and Rclone to erase traces:-<\/p>\n LockBit was deployed using PDQ Deploy, a legitimate IT tool, to execute a batch script ( Data exfiltration preceded encryption, with 1.5+ GB transferred to MEGA.io via Rclone. The threat actors\u2019 infrastructure, linked to Russian IPs and Flyservers S.A., reflects tactics previously associated with LockBit<\/a> affiliates.<\/p>\n This incident depicts the critical need to patch Confluence servers and audit remote access tools.<\/p>\n The attackers\u2019 rapid progression from initial access to ransomware deployment shows the importance of real-time endpoint monitoring<\/a> and credential hygiene.<\/p>\n The post Hackers Exploited Confluence Server Vulnerability To Deploy LockBit Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj6bRCkwmI1-dQqk-Zsjqu5V4EvWsTUOvW2_NWYJoSBrxa3NsBHc4r6_Vs38XYvMsqXkqcOP_Rop0uAAI4w_M5sqBX4-P-yLJFWsSQbrW05uh0zknt7L77Db0UOeBEzTsDqgIB2258UYGXaEu0msOk2N1703-UghSqipfDx4skRM-yYoH5IV6K313U4ECQ\/s16000\/RCE%2520Exploit%2520%28Source%2520-%2520The%2520DFIR%2520Report%29.webp?ssl=1\")
\/template\/aui\/text-inline.vm<\/code>, enabling command execution as the NETWORK SERVICE<\/code> account.<\/p>\nnet user<\/code> and whoami<\/code> were executed through a Python script, as evidenced by the python-requests\/2.25<\/code> user-agent in server logs.<\/p>\nPOST \/template\/aui\/text-inline.vm HTTP\/1.1 \nUser-Agent: python-requests\/2.25 \n... \nContent: ...freemarker.template.utility.Execute().exec({\"whoami\"}) <\/code><\/pre>\nwevtutil el | ForEach-Object { wevtutil cl \"$_\" } <\/code><\/pre>\nC:tempmimikatzx64mimikatz.exe \nC:temprclonerclone.exe <\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEimVTdsP7Mh0RMOvTvNlXYdZdGJc4nlF_OorASpnaYERXnOpC5xP3CfSfXPU7fDGF71X4LU1_8LEj7SQcIYVHk3rzJ0BtaSwCEAtvwQMu-SPhWDuAWhDQ_lfLdDW8Gp0BqQ1vYdkfIyaX7sdXtU6czpjY0jKPUjn4qpo-eOTXW8S9AMTFxVDRwTVj3bLZU\/s16000\/Attacker%2520disabling%2520Windows%2520Defender%2520via%2520GUI%2520%28Source%2520-%2520The%2520DFIR%2520Report%29.webp?ssl=1\")
Impact and Ransomware Deployment<\/strong><\/h2>\n
asd.bat<\/code>) across networked devices. The script triggered ransomware encryption, appending the .rhddiicoE<\/code> extension to files and modifying desktop wallpapers with LockBit\u2019s signature imagery.<\/p>\n@echo off \nstart cmd \/k \"C:tempLBB.exe -path \\TARGETC$\" <\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7YHF1FSYS27GCdktjezfpnT_4F6afl5VWkEvu4-s_kdrr4kAW27cJjdIgfZITIManor_YbJcrJ4hZOt1JajUKdh84BHw-J8rMXgoDdUKyR38M_-ehKD6cuKR-Pv7K3rrTnQLWDAUIZivv0gSa-2zm8Sj0hog6gcqbhS_LniU_w1hu_WmFgrU3uQwuyd0\/s16000\/LockBit%25E2%2580%2599s%2520desktop%2520wallpaper%2520alteration%2520post-encryption%2520%28Source%2520-%2520The%2520DFIR%2520Report%29.webp?ssl=1\")
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response and Threat Hunting \u2013\u00a0Register Here<\/a><\/code><\/strong><\/p>\n