Today's article is going to focus on the most recent ransomware data breach on the Confluence data center.
I'll be discussing the following topics in order:
- Who is Confluence?
- What is CVE-2023-22527?
- What is Metasploit?
- What is Mimikatz?
- What is PDQ?
- What is AnyDesk?
- What is LockBit?
- What is LockBit Ransomware?
- What are SMBs?
- What is Rclone?
You can click on any of the topics to simply check that one out if it interests you!
Here's a quick rundown of all the main links in the article in case you want to check them out first:
- LinkedIn Version
- CVE Report
- My Metasploit Article
- Mimikatz
- PDQ
- AnyDesk
- TeamViewer
- My Article on Ransomware
- My Crypto Malware Source Code (DEMO)
- Rclone
Confluence is essentially a cloud-based data center that specializes in centralized cloud data backups, allowing multiple individuals to access it at the same time.
This is NOT an exact analogy, BUT a better way to think of it would be if I held files on my Google Drive and was able to give certain people access and share that data with them. THAT is what I mean by "centralized".
It's an RCE/RDP exploit that can be pulled off via OGNL injection; OGNL is a popular Java-based expression language that can be found in the Confluence infrastructure.
The exploit takes advantage of the centralized aspect of the system, an SMB collective that can be accessed by the various companies that upload and funnel all their data into it so they can share it with one another.
If a threat actor manages to leverage the system, they'd be able to infect it with spoofed versions of the original files that are obfuscated with malware, pivot into a botnet, and a lot more.
You can find out more about what I mean in this post here!
You can find out more about the CVE report in this article here!
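As an added defender-side example (not from the original article or from Atlassian), the following Python scans constructed Confluence access-log lines for the two signals a hunt for CVE-2023-22527-style OGNL injection would look for: direct POSTs to Velocity template (.vm) endpoints, and OGNL expression markers in request parameters. The log format, the template path and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic) in combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2024:10:01:02 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 5120
10.0.0.9 - - [20/Jan/2024:10:02:17 +0000] "POST /template/aui/some-template.vm HTTP/1.1" 200 312
10.0.0.9 - - [20/Jan/2024:10:02:18 +0000] "POST /template/aui/some-template.vm?label=%24%7Bconstructed%7D HTTP/1.1" 200 312
10.0.0.7 - - [20/Jan/2024:10:03:44 +0000] "GET /wiki/spaces/ENG/overview?title=%23release_notes HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# OGNL expression markers: '#' context references such as #request,
# and the ${...} / %{...} expression delimiters.
OGNL_MARKERS = re.compile(r"#[A-Za-z_]|\$\{|%\{")


def classify_request(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = unquote(unquote(query))  # injected payloads are often double-encoded
    template_hit = path.startswith("/template/") and path.endswith(".vm")
    ognl_hit = bool(OGNL_MARKERS.search(decoded))
    if template_hit and ognl_hit:
        return ("high", "OGNL-style expression sent to a Velocity template endpoint")
    if template_hit and m.group("method") == "POST":
        return ("medium", "direct POST to a Velocity template endpoint")
    if ognl_hit:
        return ("low", "OGNL-style expression in a query string")
    return None


def scan_log(text):
    """Return (ip, severity, reason) for every flagged line, in log order."""
    findings = []
    for line in text.splitlines():
        verdict = classify_request(line)
        if verdict:
            findings.append((LOG_RE.match(line).group("ip"),) + verdict)
    return findings
```

Real exploitation of this bug carries the expression in the POST body, which access logs do not record, so the "medium" POST-to-template signal is the one to alert on and then confirm against body-capturing proxy or WAF logs.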
Metasploit is an offensive security penetration testing framework that can be used for a variety of penetration testing methodologies: web application, networking, C&C/botnetting, mobile hacking, etc. It's a multi-tool powerhouse in case you haven't noticed, and has left a legacy: tools like SET, RouterSploit and even Kali NetHunter mimic it in terms of overall terminal functionality and design. It also has one of the best-maintained archives of exploits of any tool out there. The code written and stored in it is beyond our deserving.
In some cases it can be used to install malware on a system depending on how well the exploit is performed and the level of privileges on the system.
You can learn more about Metasploit in one of my past articles here! A full Patreon-exclusive video with all the details can be purchased from me if you want to learn all the PRACTICAL basics really quickly!
Mimikatz is a beloved and commonly used tool for hackers to harvest credentials on a system, specifically Windows ones, allowing them to do things like privilege escalation and pass-the-hash, essentially uncovering any plaintext credentials and allowing threat actors to gain admin rights.
You can learn more about the tool here!
PDQ is essentially a tool used to install various files and software packages on a system.
Why's this bad? Well, for starters, if you manage to leverage a system, you can install and upgrade any form of software you want on it remotely. In the hands of a threat actor, you can infect a single trusted system, even a redundant one, and install any and all needed tools, infecting the network even further, as well as any SMB file shares it might contain, like in this case.
You can find out more about PDQ here!
Ever heard of TeamViewer? AnyDesk is just another commercial GUI-based RDP tool that can be used to access another system, making it seamless to install any and all forms of malware on it.
Remember that little bit on how I explained that Confluence data centers are centralized and HOW they can be compromised? With AnyDesk, not only can you get a remote connection established to a system, BUT you can also get a GUI-based one, taking advantage of infrastructures that already use and/or trust it in the process as well.
Using AnyDesk allows you to check for sensitive files using Mimikatz more accurately, input admin credentials and grant permissions for them, run PDQ, and a lot more. Think of it like LITERALLY being able to not only see someone's screen BUT also control it as if you were there. The ultimate form of a pwned system.
You can find out more about AnyDesk here!
If you want to experiment with something free, simply check out TeamViewer!
LockBit is a form of data-at-rest symmetric encryption algorithm that's used to encrypt and secure all files on a Windows file system, rendering them unreadable to threat actors who either access the drive remotely OR physically by simply stealing it.
Ransomware is essentially what LockBit does, BUT, with malicious intent!
Imagine if a threat actor leveraged your system and encrypted it without your consent, holding the key? THIS is what I mean. LockBit was basically used in a more malicious manner, which becomes easily feasible ESPECIALLY since it's a "tool" that's already made, has access, and can be used to accurately target files on the system, or the whole system itself.
Still not sure as to what ransomware is? Check out this fully in depth article I wrote here!
You can find a sample of some crypto malware I wrote for demonstrations here (CLICK AT YOUR OWN RISK PLEASE!)
SMBs, a term commonly used for Windows file share systems, use the FTP protocol to host an accessible file share server that can be reached by various systems on either a local or remote network to access data.
Think of it like this: imagine you had all your pictures, folders, documents, etc., and all of that was open and free via a port on your system to be shared with others remotely. This is what an SMB essentially is! SMB is again specifically a term for Windows-based file shares, but overall these are classified as "FTP Services", where FTP stands for "File Transfer Protocol".
Rclone is what allowed the threat actors to exfiltrate files from all systems associated with the Confluence file share, syncing them to remote systems on their end, leaving the encrypted copies behind and keeping the clean ones, along with the key, only for themselves.
You can find out more about rclone here!
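The AnyDesk, Mimikatz and rclone stages described above, as an added detection example that is not part of the original article: it runs over constructed Sysmon-style process-creation events and flags the pattern the post describes (AnyDesk dropped outside Program Files, a shell spawned under it, a renamed credential-dumping binary, and rclone syncing a share to a cloud remote). The event shape, field names, paths and command lines are all constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# "orig" stands in for Sysmon's OriginalFileName, which survives renaming the binary.
EVENTS = [
    {"image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "orig": "AnyDesk.exe",
     "cmd": "AnyDesk.exe --service", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\svc\AppData\Local\Temp\ad.exe", "orig": "AnyDesk.exe",
     "cmd": "ad.exe --silent", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmd": "cmd.exe /c whoami", "parent": r"C:\Users\svc\AppData\Local\Temp\ad.exe"},
    {"image": r"C:\Temp\mk.exe", "orig": "mimikatz.exe",
     "cmd": "mk.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Temp\svchost.exe", "orig": "rclone.exe",
     "cmd": r"svchost.exe sync \\FS01\finance mega:dump --transfers 32",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\rclone\rclone.exe", "orig": "rclone.exe",
     "cmd": r"rclone.exe sync D:\backups E:\offsite", "parent": r"C:\Windows\System32\cmd.exe"},
]

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remotes look like name:path; a lone drive letter such as E:\dir must not match
REMOTE_DEST = re.compile(r"(?<![\w\\])[A-Za-z0-9_-]{2,}:(?!//)")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def scan_events(events):
    """Return (image, reason) pairs for events matching the described tool chain."""
    # Every binary whose original name is AnyDesk, wherever it was dropped
    anydesk_images = {e["image"].lower() for e in events if e["orig"].lower() == "anydesk.exe"}
    hits = []
    for e in events:
        image, orig, cmd = e["image"], e["orig"].lower(), e["cmd"]
        args = set(cmd.split())
        if orig == "rclone.exe" and args & RCLONE_VERBS and REMOTE_DEST.search(cmd):
            hits.append((image, "rclone transfer to a cloud remote"))
        if orig == "mimikatz.exe" or basename(image) == "mimikatz.exe":
            hits.append((image, "credential-dumping tool executed"))
        if orig == "anydesk.exe" and not image.lower().startswith(TRUSTED_DIRS):
            hits.append((image, "AnyDesk running outside Program Files"))
        if basename(image) in SHELLS and e["parent"].lower() in anydesk_images:
            hits.append((image, "shell spawned from an AnyDesk session"))
    return hits
```

The last event (rclone syncing one local drive to another) is deliberately left unflagged, since rclone itself is a legitimate backup tool; it is the remote destination, not the binary, that matters.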
If you enjoyed this post, give it a thumbs up! I'll be keeping track of who's reacting from now on, as there is a "special" reason for it. Just know the more you support my content, the more there is in store!
- The Hacker Who Laughs