Hackers Exploited Confluence Server Vulnerability To Deploy LockBit Ransomware


A sophisticated ransomware attack leveraging a critical Atlassian Confluence vulnerability (CVE-2023-22527, CVSS 10.0) has been uncovered, culminating in the deployment of LockBit Black ransomware across enterprise networks within two hours of initial compromise.

The attackers orchestrated a multi-stage intrusion involving credential theft, lateral movement via RDP, and automated ransomware distribution using legitimate tools like PDQ Deploy.

Lateral movement via RDP (Source – The DFIR Report)

The breach began with the exploitation of CVE-2023-22527, a server-side template injection flaw allowing unauthenticated remote code execution (RCE).

RCE Exploit (Source – The DFIR Report)

Attackers injected malicious Object-Graph Navigation Language (OGNL) expressions via HTTP POST requests to /template/aui/text-inline.vm, enabling command execution as the NETWORK SERVICE account.

Analysts at The DFIR Report noted that the initial reconnaissance commands, such as net user and whoami, were executed through a Python script, as evidenced by the python-requests/2.25 user-agent in the server logs.

POST /template/aui/text-inline.vm HTTP/1.1  
User-Agent: python-requests/2.25  
...  
Content: ...freemarker.template.utility.Execute().exec({"whoami"})  
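A small detection routine for the exploitation pattern described above, added here as an example (it is not code from the article or from The DFIR Report). It scans access-log lines for POST requests to the vulnerable text-inline.vm endpoint and flags scripted user-agents such as python-requests; the combined log format, the sample log lines and the user-agent list are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Endpoint abused for CVE-2023-22527 OGNL injection, as described in the article.
VULN_PATH = "/template/aui/text-inline.vm"
# Scripted user-agents worth a second look; python-requests is the one seen in this intrusion
# (the other entries are assumptions, not indicators from the report).
SCRIPTED_UA = re.compile(r"python-requests|curl/|Go-http-client", re.I)

# Assumption: the access log uses the Apache combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

@dataclass
class Alert:
    ip: str
    ts: str
    reasons: tuple

def check_line(line: str):
    """Return an Alert for a suspicious line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # Only a POST to the template endpoint matches the exploitation pattern on the page.
    if m["method"].upper() == "POST" and m["path"].split("?")[0] == VULN_PATH:
        reasons.append("POST to text-inline.vm (CVE-2023-22527 pattern)")
        if SCRIPTED_UA.search(m["ua"]):
            reasons.append(f"scripted user-agent: {m['ua']}")
    return Alert(m["ip"], m["ts"], tuple(reasons)) if reasons else None

def scan(lines):
    """Run check_line over every log line and keep only the alerts."""
    return [a for a in (check_line(l) for l in lines) if a]

# Constructed sample log lines (not taken from the incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2024:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2024:10:02:15 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "python-requests/2.25"',
    '203.0.113.7 - - [12/Apr/2024:10:02:16 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```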

After establishing a Meterpreter session via a malicious HTA file, the attackers pivoted to AnyDesk for persistent access.

They disabled defenses by typing “virus” into the Windows Start menu to deactivate Defender, and cleared the event logs using PowerShell:

wevtutil el | ForEach-Object { wevtutil cl "$_" }  

Post-exfiltration, the hackers deleted tools like Mimikatz and Rclone to erase traces:

C:\temp\mimikatz\x64\mimikatz.exe  
C:\temp\rclone\rclone.exe  

Attacker disabling Windows Defender via GUI (Source – The DFIR Report)

Impact and Ransomware Deployment

LockBit was deployed using PDQ Deploy, a legitimate IT tool, to execute a batch script (asd.bat) across networked devices. The script triggered ransomware encryption, appending the .rhddiicoE extension to files and modifying desktop wallpapers with LockBit’s signature imagery.

@echo off  
start cmd /k "C:\temp\LBB.exe -path \\TARGET\C$"  

LockBit’s desktop wallpaper alteration post-encryption (Source – The DFIR Report)

Data exfiltration preceded encryption, with 1.5+ GB transferred to MEGA.io via Rclone. The threat actors’ infrastructure, linked to Russian IPs and Flyservers S.A., reflects tactics previously associated with LockBit affiliates.

This incident underscores the critical need to patch Confluence servers and to audit remote access tools.

The attackers’ rapid progression from initial access to ransomware deployment shows the importance of real-time endpoint monitoring and credential hygiene.
