A sophisticated ransomware attack leveraging a critical Atlassian Confluence vulnerability (CVE-2023-22527, CVSS 10.0) has been uncovered, culminating in the deployment of LockBit Black ransomware across enterprise networks within two hours of initial compromise. The attackers orchestrated a multi-stage intrusion involving credential theft, lateral movement via RDP, and automated ransomware distribution using legitimate tools like PDQ Deploy.

The attackers injected malicious Object-Graph Navigation Language (OGNL) expressions via HTTP POST requests to /template/aui/text-inline.vm, enabling command execution as the NETWORK SERVICE account. Analysts at The DFIR Report noted that initial reconnaissance commands such as net user and whoami were executed through a Python script, as evidenced by the python-requests/2.25 user-agent in the server logs.

LockBit was deployed using PDQ Deploy, a legitimate IT tool, to execute a batch script (asd.bat) across networked devices. The script triggered ransomware encryption, appending the .rhddiicoE extension to files and modifying desktop wallpapers with LockBit’s signature imagery.

The attackers’ rapid progression from initial access to ransomware deployment shows the importance of real-time endpoint monitoring and credential hygiene. This incident underscores the critical need to patch Confluence servers and audit remote access tools.
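The two web-log indicators named above (POSTs to /template/aui/text-inline.vm and a python-requests user-agent) are easy to hunt for retroactively. The following detector is an added example written for this page; it is not code from The DFIR Report or from Atlassian, and it runs over constructed Tomcat "combined"-format access-log lines rather than logs from the incident. The log format, sample IPs and timestamps are assumptions; adjust the regex to your own access_log pattern.

```python
"""Added example: flag CVE-2023-22527 web-log indicators in Confluence
access logs. Not from the original article or The DFIR Report.

Indicators:
  1. An HTTP POST to /template/aui/text-inline.vm. Ordinary browser
     traffic does not POST to that Velocity template, so any hit is
     worth triage on a vulnerable version.
  2. A python-requests/* User-Agent, which the article cites as the
     fingerprint of the attacker's reconnaissance script. On its own
     this is weak (legitimate API clients use it too), so it is
     reported separately from the template-injection sink.

Assumed log format: Tomcat access_log in the Apache "combined" pattern.
"""
import re
from dataclasses import dataclass, field

# ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OGNL_SINK = "/template/aui/text-inline.vm"
REASON_SINK = "POST to Velocity template (CVE-2023-22527 sink)"
REASON_UA = "python-requests user-agent"


@dataclass
class Finding:
    line_no: int
    ip: str
    reasons: list = field(default_factory=list)


def scan_line(line_no, line):
    """Return a Finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: not an indicator by itself
    reasons = []
    # endswith() tolerates a context path such as /confluence/...;
    # the query string is dropped before comparing.
    path = m.group("path").split("?", 1)[0]
    if m.group("method") == "POST" and path.endswith(OGNL_SINK):
        reasons.append(REASON_SINK)
    if m.group("ua").lower().startswith("python-requests/"):
        reasons.append(REASON_UA)
    return Finding(line_no, m.group("ip"), reasons) if reasons else None


def scan_log(lines):
    """Scan an iterable of log lines; return findings in file order."""
    findings = []
    for i, line in enumerate(lines, 1):
        f = scan_line(i, line.rstrip("\n"))
        if f:
            findings.append(f)
    return findings


def exploit_sources(findings):
    """Sorted source IPs that hit the template-injection sink."""
    return sorted({f.ip for f in findings if REASON_SINK in f.reasons})


# Constructed sample log (hypothetical IPs and times, not incident data).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Feb/2025:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.55 - - [20/Feb/2025:10:02:15 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [20/Feb/2025:10:02:40 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 2210 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [20/Feb/2025:10:03:01 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 9310 "-" "python-requests/2.31.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.ip}: {'; '.join(f.reasons)}")
    print("exploit sources:", exploit_sources(scan_log(SAMPLE_LOG)))
```

Pipe a real log through scan_log() and pivot on exploit_sources(); a python-requests finding without a sink hit (line 4 in the sample) is a lead to correlate with process telemetry (net user, whoami under the Confluence service account) rather than an alert by itself.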
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 24 Feb 2025 08:50:11 +0000