Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Exploited CVE-2023-22527 in Confluence to execute arbitrary commands (“The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server…”).
• [T1543.003] Windows Service – Installed and ran AnyDesk as a Windows service for persistence (“This initial AnyDesk binary was then executed via the command line… to install AnyDesk on the system as a service…”).
• [T1136] Create Account – Created local and domain accounts (“created a new user account named ‘noname’ with the password ‘Slepoy_123’…”).
• [T1068] Exploitation for Privilege Escalation – Used Named Pipe Impersonation (RPCSS variant) to escalate privileges to SYSTEM (“The final method observed, which worked, was the Named Pipe Impersonation (RPCSS Variant)…”).
• [T1003.001] LSASS Memory – Harvested credentials by dumping LSASS memory with Mimikatz (“The mimikatz.exe process accessed the Local Security Authority Subsystem Service (lsass.exe) to access credentials…”).
• [T1047] Windows Management Instrumentation – Used wmiexec.exe for lateral movement and executing commands remotely (“Leveraging the compromised domain administrator credentials… utilizing Impacket wmiexec…”).
• [T1021.001] Remote Desktop Protocol – Established RDP connections to remote servers for lateral movement (“…using RDP to move laterally to a file server as well as a backup server…”).
• [T1105] Ingress Tool Transfer – Transferred tools such as Mimikatz, ProcessHacker, and Netscan onto compromised hosts (“The threat actor dropped tools focused on credential access, including Mimikatz, ProcessHacker…”).
• [T1562.001] Disable or Modify Tools – Used Defender Control to disable Windows Defender (“…executed Defender Control, an executable… to stop Windows Defender Antivirus Service…”).
• [T1562.004] Disable or Modify System Firewall – Modified firewall rules to allow RDP connections (“…adjusted Windows Firewall settings using netsh advfirewall commands…”).
• [T1486] Data Encrypted for Impact – Deployed ELPACO-team ransomware variant to encrypt files (“…deployed ELPACO-team.exe, identified as a variant of Mimic ransomware…”).
• [T1071] Application Layer Protocol – Used raw TCP sockets for Metasploit C2 communication (“The Command and Control traffic to the Metasploit server used raw TCP sockets…”).
• [T1112] Modify Registry – Modified registry keys to persist and enable features like RDP and disable Defender (“…setting the value of the registry Windows Run key… as well as disabling Defender…”).
• [T1012] Query Registry – Queried registry to discover configured RDP port and settings (“…querying the registry to identify the configured RDP port…”).
• [T1057] Process Discovery – Used enumeration commands to identify running processes and environment details (“Many of the discovery commands were issued as a direct result of the initial Confluence exploit…”).
• [T1059.003] Windows Command Shell – Executed batch files and shell commands such as u1.bat to add users and enable services (“…batch file u1.bat… to create a new user account and make it a local admin…”).
• [T1219] Remote Access Software – Used AnyDesk for interactive remote access sessions (“The threat actor used AnyDesk’s Direct Connection feature…”).