Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
Essential information
- Published: 19/05/2025 08:41
- Modified: 21/05/2025 21:46
- Tags: 2025-05-19, CVE-2020-1472, CVE-2021-34527, CVE-2023-22527, confluence, elpaco-team, metasploit, mimikatz, ransomware
- Related entities: 4 vulnerabilities (cve), 33 observables, 1 intrusion set (apt), 11 techniques (mitre), 1 malware
Description
A threat actor exploited an unpatched Confluence server using CVE-2023-22527, gaining initial access. They used Metasploit for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various techniques, and harvested credentials with tools like Mimikatz. They moved laterally using compromised domain admin credentials, accessing multiple systems via RDP and WMI. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, on key servers approximately 62 hours after initial access. While ransomware was deployed and some logs deleted, no significant data exfiltration was observed.