The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution.
Using this access, the threat actor executed a consistent sequence of commands (installing AnyDesk, adding admin users, and enabling RDP) multiple times, suggesting the use of automation scripts or a playbook.
Tools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials.
The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, approximately 62 hours after the initial Confluence exploitation.
While ransomware was deployed and some event logs were deleted, no significant exfiltration of data was observed during the intrusion.
This case was featured in our December 2024 DFIR Labs CTF and is available as a lab today here. It was originally published as a Threat Brief to customers in October 2024.
The company behind the Signal clone used by at least one Trump administration official was breached earlier this month. The hacker says they got in thanks to a basic misconfiguration.
