Hackers Leverage Vulnerability for RDP Access and Remote Code Execution
Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence servers exposed to the internet.
This exploit facilitated remote code execution (RCE), enabling attackers to gain initial access and establish a foothold within targeted networks.
The breach, first detected through network traffic from IP address 45.227.254.124 running a “whoami” command, quickly escalated as another IP, 91.191.209.46, deployed a Metasploit payload via Meterpreter, setting up a command-and-control (C2) channel.

This incident, detailed in a December 2024 DFIR Labs CTF report and originally shared as a Threat Brief in October 2024, underscores the persistent danger of unpatched systems in enterprise environments.
Critical Exploit Targets Unpatched Systems
The attackers executed a meticulously planned intrusion over several days, leveraging automation scripts to streamline their operations.
Within minutes of gaining access, they installed AnyDesk for persistent remote access, created a local admin account named “noname,” and enabled Remote Desktop Protocol (RDP) to ensure alternative entry points.

Their toolkit included credential-harvesting tools like Mimikatz, ProcessHacker, and Impacket’s Secretsdump, which allowed them to compromise domain administrator credentials through LSASS memory dumping and NTLM hash extraction.
Privilege escalation was achieved using named pipe impersonation (RPCSS variant) to obtain SYSTEM-level access, while failed attempts at exploits like Zerologon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527) highlighted their determination to expand control.
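The post-exploitation steps above (a new local administrator named “noname”, RDP switched on, and LSASS memory access by credential-dumping tools) all leave host telemetry that a defender can correlate. The following is an added example written for this page, not code from DFIR Labs or the original report. It assumes simplified Windows Security (4720/4732) and Sysmon (10/13) records with the field names shown; the event records are constructed for the demo and are not real telemetry from the incident.

```python
"""Behavioural detections for the post-exploitation steps in the write-up.

Added example, not part of the original report. Field names are a
simplified rendering of Windows Security and Sysmon events; in a real
pipeline 4732 often carries only MemberSid and needs SID-to-name resolution.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str            # "Security" (Windows audit log) or "Sysmon"
    event_id: int
    host: str
    fields: dict = field(default_factory=dict)

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
RDP_KEY_SUFFIX = r"\Control\Terminal Server\fDenyTSConnections"
# Processes that legitimately open LSASS; anything else touching it is suspicious.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def detect(events, window=timedelta(minutes=10)):
    """Return (rule, host, detail) findings, oldest first."""
    findings = []
    created = {}   # (host, username) -> time of 4720 "user account created"
    for e in sorted(events, key=lambda ev: ev.ts):
        f = e.fields
        if e.source == "Security" and e.event_id == 4720:
            created[(e.host, f["TargetUserName"].lower())] = e.ts
        elif (e.source == "Security" and e.event_id == 4732
              and f.get("TargetSid") == ADMINISTRATORS_SID):
            # 4732 = member added to a security-enabled local group
            member = f.get("MemberName", "").split("\\")[-1].lower()
            t0 = created.get((e.host, member))
            if t0 is not None and e.ts - t0 <= window:
                findings.append(("new_local_admin", e.host,
                                 f"account '{member}' created and added to Administrators "
                                 f"within {e.ts - t0}"))
        elif (e.source == "Sysmon" and e.event_id == 13
              and f.get("TargetObject", "").endswith(RDP_KEY_SUFFIX)
              and f.get("Details", "").endswith("0x00000000)")):
            # Sysmon 13 = registry value set; fDenyTSConnections=0 enables RDP
            findings.append(("rdp_enabled", e.host,
                             f"fDenyTSConnections set to 0 by {f.get('Image')}"))
        elif (e.source == "Sysmon" and e.event_id == 10
              and f.get("TargetImage", "").lower().endswith(r"\lsass.exe")
              and f.get("SourceImage", "").lower() not in LSASS_ALLOWLIST):
            # Sysmon 10 = process access; non-allowlisted handle to LSASS
            findings.append(("lsass_access", e.host,
                             f"{f.get('SourceImage')} opened lsass.exe "
                             f"with access {f.get('GrantedAccess')}"))
    return findings

def sample_events():
    """Constructed events modelled on the write-up's sequence (not real telemetry)."""
    t = datetime(2024, 1, 1, 10, 0, 0)
    host = "CONFLUENCE01"   # hypothetical hostname
    return [
        Event(t, "Security", 4720, host, {"TargetUserName": "noname"}),
        Event(t + timedelta(seconds=20), "Security", 4732, host,
              {"TargetSid": ADMINISTRATORS_SID, "MemberName": host + "\\noname"}),
        Event(t + timedelta(seconds=45), "Sysmon", 13, host,
              {"TargetObject": r"HKLM\System\CurrentControlSet" + RDP_KEY_SUFFIX,
               "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\reg.exe"}),
        Event(t + timedelta(minutes=5), "Sysmon", 10, host,
              {"SourceImage": r"C:\Users\Public\mimikatz.exe",
               "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
        # benign: the OS itself opening LSASS
        Event(t + timedelta(minutes=6), "Sysmon", 10, host,
              {"SourceImage": r"C:\Windows\System32\csrss.exe",
               "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"}),
        # benign: account created but never added to Administrators
        Event(t + timedelta(minutes=7), "Security", 4720, "FILESRV01", {"TargetUserName": "intern"}),
    ]

if __name__ == "__main__":
    for rule, h, detail in detect(sample_events()):
        print(f"[{rule}] {h}: {detail}")
```

The three rules are deliberately independent so that a single one firing is still worth a look; the correlation window on the account rule (create then elevate within minutes) is what separates the attacker's scripted “noname” creation from routine help-desk provisioning.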
Multi-Stage Intrusion Culminates
On the third day, approximately 62 hours after the initial breach, the attackers deployed ELPACO-team ransomware, a variant of Mimic, targeting backup and file servers via RDP and SMB shares.
Notably, although encrypted files were renamed with the .ELPACO-team extension, no significant data exfiltration was observed; only minimal transfers (around 70 MB) were recorded over AnyDesk sessions to the threat actor’s server.
The intrusion also involved extensive discovery and lateral movement, employing tools like SoftPerfect’s NetScan for network scanning and Impacket’s wmiexec for executing commands on domain controllers.
Defense evasion tactics included disabling Windows Defender using DefenderControl and deleting event logs to cover their tracks.
AnyDesk’s direct connection feature to a self-hosted server at 45.227.254.124 further aided in evading detection by bypassing standard relay servers.
The attackers’ reliance on Metasploit for initial C2, followed by a shift to AnyDesk for sustained operations, illustrates a strategic pivot to maintain access while minimizing exposure to network monitoring tools.
This case, analyzed by experts at DFIR Labs, is a stark reminder of the cascading risks from a single unpatched vulnerability. It emphasizes the need for timely patching, robust network monitoring (Suricata flagged the Confluence exploit with SID 2050543), and layered defenses to thwart such multi-stage intrusions.
Indicators of Compromise (IOC)
| Type | Indicator | Description |
|---|---|---|
| Network | 45.227.254.124 | AnyDesk C2 server and initial exploit IP |
| Network | 91.191.209.46 | Metasploit C2 server IP |
| File | elpaco-team.exe | Ransomware binary (Mimic variant) |
| File SHA256 | a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b | ELPACO-team ransomware hash |
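As an added example (not code from the original article or from DFIR Labs), the IOCs in the table can be turned into a small retrospective sweep over existing logs. The log lines and file-inventory entries below are constructed for the demo; the only real values are the indicators taken from the table. The sweep matches IPs, SHA256 hashes and the binary name, and reports each hit with the line it came from.

```python
"""Retrospective IOC sweep using the indicators from the table above.

Added example; sample log lines are constructed, not from the incident.
"""
import re

IOC_IPS = {
    "45.227.254.124": "AnyDesk C2 server and initial exploit IP",
    "91.191.209.46": "Metasploit C2 server IP",
}
IOC_FILENAMES = {"elpaco-team.exe": "ransomware binary (Mimic variant)"}
IOC_SHA256 = {
    "a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b":
        "ELPACO-team ransomware hash",
}

# Word boundaries stop 45.227.254.12 or a longer hash from matching by prefix.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

def scan_line(line):
    """Return a list of (kind, indicator, description) hits for one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip, IOC_IPS[ip]))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower(), IOC_SHA256[digest.lower()]))
    lowered = line.lower()
    for name, desc in IOC_FILENAMES.items():
        if name in lowered:
            hits.append(("filename", name, desc))
    return hits

def sweep(lines):
    """Scan every line; return (line_number, kind, indicator, description) tuples."""
    return [(n, kind, ind, desc)
            for n, line in enumerate(lines, start=1)
            for kind, ind, desc in scan_line(line)]

def summarize(results):
    """Collapse hits per indicator into {indicator: (kind, hit_count, first_line)}."""
    summary = {}
    for n, kind, ind, _ in results:
        kind_, count, first = summary.get(ind, (kind, 0, n))
        summary[ind] = (kind_, count + 1, min(first, n))
    return summary

# Constructed sample lines in a firewall / EDR-inventory style (not real logs).
SAMPLE_LINES = [
    "2024-10-01T08:12:03Z fw allow src=10.0.5.21 dst=45.227.254.124 dport=7070 proto=tcp",
    "2024-10-01T08:12:09Z fw allow src=10.0.5.21 dst=45.227.254.12 dport=443 proto=tcp",   # near-miss IP
    "2024-10-01T08:14:41Z fw allow src=10.0.5.21 dst=91.191.209.46 dport=4444 proto=tcp",
    "2024-10-03T22:03:17Z edr file_create host=FILESRV01 path=C:\\Users\\Public\\ELPACO-Team.exe "
    "sha256=A710ED9E008326B981FF0FADB1C75D89DECA2B52451D4677A8FD808B4AC0649B",
    "2024-10-03T22:05:00Z fw allow src=10.0.5.40 dst=45.227.254.124 dport=7070 proto=tcp",
    "2024-10-03T22:06:12Z edr file_create host=FILESRV01 path=C:\\Temp\\report.xlsx "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for n, kind, ind, desc in sweep(SAMPLE_LINES):
        print(f"line {n}: {kind} {ind} -> {desc}")
```

Running the sweep on the sample lines yields five hits: the AnyDesk IP on two connections, the Metasploit IP once, and both the binary name and its SHA256 from the single file-creation record, while the near-miss address and the unrelated hash produce nothing.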