Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

Published 19/05/2025 08:41 · Modified 21/05/2025 21:46

Essential information

Published
19/05/2025 08:41
Modified
21/05/2025 21:46
Tags
2025-05-19 CVE-2020-1472 CVE-2021-34527 CVE-2023-22527 confluence elpaco-team metasploit mimikatz ransomware
Related entities
4 vulnerabilities (cve), 33 observables, 1 intrusion sets (apt), 11 techniques (mitre), 1 malware

Description

A threat actor exploited an unpatched server using , gaining initial access. They used for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various techniques, and harvested credentials with tools like . They moved laterally using compromised domain admin credentials, accessing multiple systems via RDP and WMI. The intrusion culminated in the deployment of , a Mimic variant, on key servers approximately 62 hours after initial access. While was deployed and some logs deleted, no significant data exfiltration was observed.

External references