Ransomware, Vulnerability Management, Patch/Configuration Management
Ransomware deployed via Atlassian Confluence exploit

Vulnerable Atlassian Confluence servers affected by the template injection flaw tracked as CVE-2023-22527 have been subjected to intrusions that delivered a Mimic ransomware variant within almost 62 hours in June, Cyber Security News reports. Initial exploitation of the bug enabled arbitrary command execution, Metasploit payload deployment, AnyDesk installation, and creation of a command-and-control channel, according to The DFIR Report. After elevating privileges, the threat actors used Mimikatz to steal credentials, enabled Remote Desktop Protocol (RDP), and moved laterally before deploying the ELPACO-team payload, a Mimic-based ransomware, researchers said. Further analysis showed that persistence on targeted systems was achieved by creating a local administrator account named "noname" three times over the course of the intrusion, potentially to withstand remediation efforts. The attackers also altered Windows registry settings and firewall rules to enable RDP and circumvent typical authentication methods.
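The persistence and RDP-enablement pattern described above lends itself to a simple log correlation. The routine below is an added illustration written for this page, not code from SC Media, The DFIR Report or any tool they mention: it correlates Windows Security audit events per host so that a newly created local account that is promoted to Administrators within a short window is flagged, together with whether the registry value that gates RDP was flipped in the same window and how many times the same account name was recreated. Event IDs 4720 (user account created), 4732 (member added to a local group) and 4657 (registry value modified) are standard Windows Security event IDs; the registry value `fDenyTSConnections` is the usual RDP on/off switch and is my assumption about which setting was changed, since the article does not name it. The hostnames, timestamps and field layout in `SAMPLE_EVENTS` are constructed for the example.

```python
"""Correlate constructed Windows Security audit records to flag the
"create local admin + enable RDP" persistence pattern (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed registry value that enables RDP when set to 0 (not named in the article).
RDP_DENY_VALUE = "fDenyTSConnections"
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
WINDOW = timedelta(hours=2)  # how close the events must be to count as one chain

# Constructed sample records loosely modelled on the event fields; the event IDs are real,
# every other value is made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:05:00", "id": 4720, "host": "SRV01", "target": "noname"},
    {"ts": "2024-06-01T10:05:30", "id": 4732, "host": "SRV01", "target": "noname",
     "group": "Administrators"},
    {"ts": "2024-06-01T10:07:00", "id": 4657, "host": "SRV01", "key": RDP_KEY,
     "value": RDP_DENY_VALUE, "new": "0"},
    # Account deleted by responders, then recreated twice by the intruder.
    {"ts": "2024-06-01T14:00:00", "id": 4720, "host": "SRV01", "target": "noname"},
    {"ts": "2024-06-01T14:00:40", "id": 4732, "host": "SRV01", "target": "noname",
     "group": "Administrators"},
    {"ts": "2024-06-01T18:30:00", "id": 4720, "host": "SRV01", "target": "noname"},
    {"ts": "2024-06-01T18:30:20", "id": 4732, "host": "SRV01", "target": "noname",
     "group": "Administrators"},
    # Benign: a service account created on another host but never made an administrator.
    {"ts": "2024-06-01T11:00:00", "id": 4720, "host": "WS07", "target": "svc_backup"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_persistence_chains(events, window=WINDOW):
    """Return one finding per (host, account) where a 4720 creation is followed within
    `window` by a 4732 addition of that account to Administrators. Each finding records
    whether RDP was enabled via the registry in the same window and how many times the
    same account name was created on that host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)

    findings, seen = [], set()
    for host, evs in by_host.items():
        creations = [e for e in evs if e["id"] == 4720]
        for created in creations:
            key = (host, created["target"])
            if key in seen:
                continue
            t0 = _ts(created)
            later = [e for e in evs if t0 <= _ts(e) <= t0 + window]
            made_admin = any(
                e["id"] == 4732 and e.get("target") == created["target"]
                and e.get("group") == "Administrators" for e in later)
            if not made_admin:
                continue  # account creation alone is routine; only the promotion is interesting
            rdp_enabled = any(
                e["id"] == 4657 and e.get("value") == RDP_DENY_VALUE and e.get("new") == "0"
                for e in later)
            seen.add(key)
            findings.append({
                "host": host,
                "account": created["target"],
                "first_created": created["ts"],
                "rdp_enabled_in_window": rdp_enabled,
                "times_created": sum(1 for c in creations if c["target"] == created["target"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_persistence_chains(SAMPLE_EVENTS):
        print(f)
```

Two caveats apply in practice: event 4657 is only emitted when object-access auditing is enabled and the Terminal Server key carries a SACL, so on an unaudited host the RDP change is better confirmed by reading the value directly; and a `times_created` above one for the same account name is a strong sign that remediation is racing an intruder who still has access, which is the situation the article describes.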