Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A threat actor exploited an unpatched Confluence server through CVE-2023-22527 to gain initial access. They used Metasploit for command and control and then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation with several techniques, and harvested credentials with tools including Mimikatz. Using compromised domain admin credentials, they moved laterally to multiple systems over RDP and WMI. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, on key servers roughly 62 hours after initial access. Although ransomware was deployed and some logs were deleted, no significant data exfiltration was observed.
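The summary above describes a chain of stages (web-server exploitation, AnyDesk persistence, credential dumping, RDP/WMI lateral movement, ransomware) and a dwell time between the first and last of them. The following is an added example, not code from the OpenCTI entry or the underlying DFIR report: it maps constructed endpoint telemetry onto those stages and computes the time from initial access to ransomware deployment. Hostnames, account names, process lines, the rename threshold and the privileged-account list are assumptions made for the example; only the stage names follow the summary.

```python
from datetime import datetime

# Constructed sample events (timestamp, host, event_type, fields). None of
# these come from the report; they are shaped to exercise each stage once.
SAMPLE_EVENTS = [
    ("2024-01-01T07:00:00", "CONF01", "process",
     {"parent": "explorer.exe", "parent_cmd": "",
      "image": "cmd.exe", "cmd": "cmd.exe"}),                      # benign
    ("2024-01-01T08:00:00", "CONF01", "process",
     {"parent": "java.exe",
      "parent_cmd": "java.exe -Dconfluence.home=C:\\confluence-data",
      "image": "cmd.exe", "cmd": "cmd.exe /c whoami"}),            # web app spawning a shell
    ("2024-01-01T09:30:00", "CONF01", "process",
     {"parent": "cmd.exe", "parent_cmd": "", "image": "AnyDesk.exe",
      "cmd": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"}),
    ("2024-01-02T10:00:00", "CONF01", "process",
     {"parent": "cmd.exe", "parent_cmd": "", "image": "mimikatz.exe",
      "cmd": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"}),
    ("2024-01-02T14:00:00", "DC01", "logon",
     {"user": "CORP\\da-admin", "logon_type": 10, "src_ip": "10.0.0.5"}),
    ("2024-01-02T15:00:00", "FS01", "process",
     {"parent": "WmiPrvSE.exe", "parent_cmd": "", "image": "cmd.exe",
      "cmd": "cmd.exe /c net user"}),                              # command via WMI
    ("2024-01-03T22:00:00", "FS01", "file_rename",
     {"image": "encryptor.exe", "count": 5000}),                   # mass rename burst
]

PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}   # assumed tier-0 accounts
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RENAME_THRESHOLD = 1000                   # assumed per-process rename burst size


def classify(event):
    """Return the intrusion stage an event indicates, or None."""
    _ts, _host, etype, f = event
    if etype == "process":
        image = f["image"].lower()
        cmd = f["cmd"].lower()
        parent = f["parent"].lower()
        # Confluence's JVM launching a shell: post-exploitation of the web app.
        if image in SHELLS and "confluence" in f["parent_cmd"].lower():
            return "initial_access"
        # Silent, auto-start install of a remote-access tool.
        if "anydesk" in image and "--install" in cmd:
            return "persistence"
        # Mimikatz binary or its LSASS credential-dump module.
        if "mimikatz" in image or "sekurlsa::" in cmd:
            return "credential_access"
        # Shell spawned by the WMI provider host: remote command execution.
        if parent == "wmiprvse.exe" and image in SHELLS:
            return "lateral_movement_wmi"
    elif etype == "logon":
        # Logon type 10 is RemoteInteractive (RDP); flag privileged accounts.
        if f["logon_type"] == 10 and f["user"] in PRIVILEGED_ACCOUNTS:
            return "lateral_movement_rdp"
    elif etype == "file_rename" and f["count"] >= RENAME_THRESHOLD:
        return "impact_ransomware"
    return None


def build_timeline(events):
    """Chronological list of (timestamp, host, stage) for events that match a stage."""
    hits = []
    for ev in sorted(events, key=lambda e: e[0]):
        stage = classify(ev)
        if stage:
            hits.append((datetime.fromisoformat(ev[0]), ev[1], stage))
    return hits


def hours_between(timeline, first_stage, last_stage):
    """Hours from the earliest first_stage hit to the latest last_stage hit."""
    starts = [t for t, _, s in timeline if s == first_stage]
    ends = [t for t, _, s in timeline if s == last_stage]
    if not starts or not ends:
        return None
    return (max(ends) - min(starts)).total_seconds() / 3600


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS)
    for ts, host, stage in tl:
        print(f"{ts.isoformat()}  {host:<7} {stage}")
    print("dwell (h):", hours_between(tl, "initial_access", "impact_ransomware"))
```

The rules are deliberately behavioural rather than hash-based: a web-application JVM spawning a shell, a silent AnyDesk install, the WMI provider host launching a shell, and a rename burst are each worth an alert on their own, and the timeline function turns the hits into the kind of first-to-last-stage dwell figure quoted in the summary.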
OPENCTI LABELS :
ransomware,mimikatz,confluence,cve-2023-22527,cve-2021-34527,cve-2020-1472,metasploit,elpaco-team