ELPACO-Team Ransomware Attack Detection: Hackers Exploit Atlassian Confluence Vulnerability (CVE-2023-22527) to Gain RDP Access and Enable RCE
In today’s fast-evolving ransomware landscape, threat actors are accelerating their tactics to gain access and deploy payloads with alarming speed. Increasingly, attackers are leveraging known vulnerabilities as entry points, as seen in a recent attack where adversaries exploited CVE-2023-22527, a maximum-severity template injection flaw in Atlassian Confluence, to compromise an internet-exposed system. Just 62 hours later, adversaries executed the next stage: deploying ELPACO-team ransomware, a Mimic variant, which targeted critical backup and file servers through RDP and SMB shares.
Detect CVE-2023-22527 Exploitation to Drop ELPACO-Team Ransomware
According to Sophos, the average ransomware recovery cost surged to $2.73 million in 2024—a staggering 500% increase from the previous year. This sharp rise highlights the growing financial impact of cyberattacks and the urgent need for more proactive defense strategies. To keep pace with threats like the recent ELPACO-team ransomware incident, cyber defenders need reliable, timely CTI and actionable detection content that keeps them one step ahead of attackers.
Register for SOC Prime Platform and access a dedicated set of Sigma rules addressing the recent campaign exploiting the Atlassian Confluence vulnerability (CVE-2023-22527) for ELPACO-team ransomware distribution. Curated detection content is backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the Explore Detections button below and immediately drill down to a relevant content stack.
Additionally, security professionals can locate detection content specific to CVE-2023-22527 exploitation by browsing the Threat Detection Marketplace using the corresponding CVE ID tag. Defenders can also explore the entire collection of detection rules for vulnerability exploitation by searching with the broader “CVE” tag or apply the “Ransomware” tag to access a set of detection rules covering ransomware attacks worldwide.
All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, every rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.
On top of that, security experts can streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering that is now completely free and available without token limits on AI features. Generate detection algorithms from raw threat reports, turn IOCs into performance-optimized queries for fast sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.
CVE-2023-22527 Analysis: Attacks by ELPACO-Team Ransomware
Defenders have recently identified a sophisticated attack campaign in which threat actors weaponized a known vulnerability in an unpatched internet-exposed Atlassian Confluence server to launch a ransomware operation.
The breach, which took place in early summer 2024, involved the exploitation of CVE-2023-22527, a template injection vulnerability with a CVSS score of 10.0. The flaw affects older versions of Confluence Data Center and Server (8.0.x through 8.4.x, as well as 8.5.0 to 8.5.3), enabling RCE and unauthorized access. Notably, the attackers waited roughly 62 hours after the initial compromise before deploying ransomware, indicating a deliberate and stealthy approach.
The infection chain started with the exploitation of CVE-2023-22527 on a Confluence server. Network traffic analysis revealed the technique: the attackers first issued a “whoami” command to test access before delivering more harmful payloads. According to the DFIR Report research, once inside, the adversaries repeatedly executed the same set of actions: deploying Metasploit payloads, establishing C2 connections, and installing AnyDesk to maintain persistent access. They then escalated privileges, extracted credentials with tools such as Mimikatz, enabled RDP access, and moved laterally across the network. In the final stage of the attack chain, the attackers deployed ELPACO-team ransomware, a known variant of Mimic ransomware. Although the attackers deleted certain event logs, there was no evidence of significant data exfiltration during the attack.
A key detail of the campaign was the reuse of a single IP address (45.227.254.124) for both scanning for vulnerabilities and later serving as a self-hosted AnyDesk server, pointing to a deliberately prepared malicious infrastructure.
Throughout the attack, a malicious executable was placed in an unusual directory within the NetworkService profile’s temporary folder. It had minimal function imports (only VirtualAlloc and ExitProcess) and employed hashing to obscure and resolve Windows API functions during runtime, a technique often seen in Metasploit payloads.
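The import-table profile described above (only VirtualAlloc and ExitProcess imported, everything else resolved by hash at runtime) is a triage signal an analyst can check without running the sample. The Python below is an added example written for this post, not code from the post or from The DFIR Report: a pure-Python walk of the PE import directory plus a check that flags executables whose import table is tiny or that import memory-allocation APIs with no GetProcAddress/LoadLibrary to resolve the rest. The `build_sample_pe` helper constructs a synthetic PE32+ image in memory so the block runs offline; the threshold of four imports and the API name lists are my assumptions, not values from the post.

```python
import struct

def _cstr(data, pos):
    """Read a NUL-terminated byte string starting at file offset pos."""
    return data[pos:data.index(b"\0", pos)]

def list_imports(data):
    """Walk the PE import directory and return {dll: [imported function names]}.
    Handles PE32 and PE32+; imports by ordinal are reported as 'ord#N'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory entry 1 is the import table; directories start at +112 (PE32+) or +96 (PE32).
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_tbl + i * 40 + 8) for i in range(nsec)]

    def off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, rptr in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports = {}
    if not imp_rva:
        return imports
    d = off(imp_rva)
    while d + 20 <= len(data):
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        if not (oft or name_rva or ft):      # an all-zero descriptor ends the array
            break
        funcs, t = [], off(oft or ft)        # prefer the name table, fall back to the IAT
        while (val := struct.unpack_from(thunk_fmt, data, t)[0]) != 0:
            funcs.append(f"ord#{val & 0xFFFF}" if val & ord_flag
                         else _cstr(data, off(val & 0x7FFFFFFF) + 2).decode("ascii", "replace"))
            t += thunk_len
        imports[_cstr(data, off(name_rva)).decode("ascii", "replace").lower()] = funcs
        d += 20
    return imports

def triage_imports(data, sparse_threshold=4):
    """Flag import profiles typical of reflective stagers (assumed thresholds, not from the post)."""
    imports = list_imports(data)
    names = {f for funcs in imports.values() for f in funcs}
    findings = []
    if len(names) <= sparse_threshold:
        findings.append(f"sparse import table: only {len(names)} function(s)")
    resolvers = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
    if names & {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect"} and not names & resolvers:
        findings.append("memory API imported with no GetProcAddress/LoadLibrary: consistent with runtime API hashing")
    return imports, findings

def build_sample_pe(imports):
    """Construct a minimal synthetic PE32+ image holding only an import section (test data)."""
    sec_rva, sec_raw = 0x1000, 0x200
    ndesc = len(imports) + 1
    blob = bytearray(ndesc * 20)                     # descriptor array, last entry stays zero
    for i, (dll, funcs) in enumerate(imports.items()):
        hints = []
        for f in funcs:
            blob += b"\0" * (len(blob) % 2)          # hint/name entries are word-aligned
            hints.append(sec_rva + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0"
        blob += b"\0" * (-len(blob) % 8)             # thunk arrays are 8-byte aligned
        ilt_rva = sec_rva + len(blob)
        blob += b"".join(struct.pack("<Q", h) for h in hints) + b"\0" * 8
        iat_rva = sec_rva + len(blob)
        blob += b"".join(struct.pack("<Q", h) for h in hints) + b"\0" * 8
        name_rva = sec_rva + len(blob)
        blob += dll.encode() + b"\0"
        struct.pack_into("<IIIII", blob, i * 20, ilt_rva, 0, 0, name_rva, iat_rva)
    blob += b"\0" * (-len(blob) % 0x200)
    hdr = bytearray(sec_raw)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                 # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 120, sec_rva, ndesc * 20)  # import directory RVA/size
    sec = opt + 240
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(blob), sec_rva, len(blob), sec_raw)
    return bytes(hdr + blob)

if __name__ == "__main__":
    for label, imps in (("stager-like", {"kernel32.dll": ["VirtualAlloc", "ExitProcess"]}),
                        ("ordinary", {"kernel32.dll": ["GetProcAddress", "LoadLibraryA",
                                                        "CreateFileW", "ReadFile", "CloseHandle"]})):
        print(label, *triage_imports(build_sample_pe(imps)))
```

On a real file, pass `open(path, "rb").read()` to `triage_imports`; packed or corrupted binaries with an empty import directory will also trip the sparse-table check, so treat a finding as a reason to look closer rather than as a verdict.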
Notably, attackers demonstrated advanced persistence strategies by deploying multiple backdoors to maintain ongoing access. Immediately after compromising the system, they installed AnyDesk remote access software on the Confluence server, saving the executable in the installation directory and setting it up for unattended access with the password “P@ssword1,” allowing reentry without user action.
To strengthen their foothold, adversaries created a local admin account named “noname” with the password “Slepoy_123” via an automated batch script (u1.bat). The script leveraged WMIC to identify users, add the account to the administrators group, and set the password to never expire. The account was created three times during the attack, indicating a methodical effort to ensure persistent access even if one backdoor was removed. Additionally, hackers enabled RDP by altering registry settings and adjusting firewall rules. This allowed them to bypass standard authentication methods and maintain multiple access routes, even if the original vulnerability was eventually patched.
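The persistence steps just described (the AnyDesk unattended install, the “noname” local admin created by u1.bat, and RDP enabled through the registry and firewall), together with the initial whoami execution through the Confluence Java process and the reuse of 45.227.254.124, are the kind of process-creation and network events a SIEM rule set targets. The Python below is an added example written for this post, not SOC Prime’s Sigma content or code from The DFIR Report: it runs simple rules over constructed Sysmon-style events and then correlates distinct persistence mechanisms per host, which is what separates this campaign’s “multiple backdoors” from a single suspicious command. Hostnames, timestamps, file paths and command lines are constructed; the account name, password and IP address are the values reported in the post; the AnyDesk switches (--install, --set-password, --start-with-win) are assumed from AnyDesk’s CLI rather than taken from the post.

```python
import re
from collections import defaultdict

# The only value from the post: the IP reused for scanning and as a self-hosted AnyDesk server.
KNOWN_ATTACKER_IPS = {"45.227.254.124"}

# Constructed Sysmon-style events (not from the report). Hostnames, timestamps, file names
# and command lines are placeholders written to resemble the behaviour the post describes.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:00:00Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-06-01T10:02:11Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\PLACEHOLDER_payload.exe",
     "cmdline": "PLACEHOLDER_payload.exe"},
    {"ts": "2024-06-01T10:05:30Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": 'AnyDesk.exe --install "C:\\Program Files (x86)\\AnyDesk" --start-with-win --silent'},
    {"ts": "2024-06-01T10:05:45Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --set-password"},
    {"ts": "2024-06-01T10:06:02Z", "host": "CONFLUENCE01", "type": "network",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "dest_ip": "45.227.254.124"},
    {"ts": "2024-06-01T10:09:10Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user noname Slepoy_123 /add"},
    {"ts": "2024-06-01T10:09:11Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators noname /add"},
    {"ts": "2024-06-01T10:09:12Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic useraccount where name='noname' set PasswordExpires=false"},
    {"ts": "2024-06-01T10:12:40Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2024-06-01T10:12:41Z", "host": "CONFLUENCE01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"ts": "2024-06-01T11:00:00Z", "host": "FILESRV01", "type": "process",   # benign control event
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

def _m(pattern, text):
    """Case-insensitive regex search that tolerates a missing field."""
    return re.search(pattern, text or "", re.I) is not None

# (rule name, ATT&CK-style category, predicate over one event)
RULES = [
    ("confluence_java_spawns_shell", "initial_access",
     lambda e: _m(r"\\Atlassian\\Confluence\\.*\\java\.exe$", e.get("parent"))
               and _m(r"\\(cmd|powershell|pwsh|whoami|certutil|bitsadmin|curl)\.exe$", e.get("image"))),
    ("networkservice_temp_execution", "execution",
     lambda e: _m(r"\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\", e.get("image"))),
    ("anydesk_unattended_setup", "persistence",
     lambda e: _m(r"\\anydesk\.exe$", e.get("image"))
               and _m(r"--(install|set-password|start-with-win)\b", e.get("cmdline"))),
    ("local_account_created", "persistence",
     lambda e: _m(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", e.get("cmdline"))),
    ("admin_group_addition", "persistence",
     lambda e: _m(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", e.get("cmdline"))),
    ("password_never_expires", "persistence",
     lambda e: _m(r"\bwmic\s+useraccount\s+where\b.*\bset\s+passwordexpires\s*=\s*false", e.get("cmdline"))),
    ("rdp_enabled_via_registry", "persistence",
     lambda e: _m(r"\breg(\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0\b", e.get("cmdline"))),
    ("rdp_firewall_rule_opened", "persistence",
     lambda e: _m(r"\bnetsh\s+advfirewall\s+firewall\s+(set|add)\s+rule\b.*(remote\s*desktop|3389)", e.get("cmdline"))),
    ("known_attacker_infrastructure", "command_and_control",
     lambda e: e.get("dest_ip") in KNOWN_ATTACKER_IPS),
]

def detect(events):
    """Evaluate every rule against every event; one alert per (event, rule) match."""
    return [{"rule": name, "category": cat, "ts": e["ts"], "host": e["host"]}
            for e in events for name, cat, pred in RULES if pred(e)]

def correlate_persistence(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct persistence mechanisms fired: the
    'several backdoors on one box' pattern, which is far rarer than any single rule hit."""
    per_host = defaultdict(set)
    for a in alerts:
        if a["category"] == "persistence":
            per_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(a["ts"], a["host"], a["category"], a["rule"])
    print("multi-backdoor hosts:", correlate_persistence(hits))
```

The per-event rules map directly onto Sigma selections over Sysmon Event ID 1 and 3 fields (ParentImage, Image, CommandLine, DestinationIp); the correlation step is what a SIEM would express as a count-by-host aggregation over the persistence rules within a time window.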
Notably, the latest supported versions of Confluence Data Center and Server are not impacted by this vulnerability, as it was addressed through routine version updates. Nonetheless, the vendor strongly advises all customers to promptly upgrade to the most recent release to safeguard their instances against other non-critical issues highlighted in the January Security Bulletin.
The sophistication of the adversary methods used in this campaign, from the exploitation of an unpatched Confluence server through stealthy lateral movement and advanced defense evasion to the final ransomware deployment, demands rapid response from defenders. Potential CVE-2023-22527 mitigation measures include timely patching, continuous monitoring for unusual system activity, and hardening remote access tools like AnyDesk to proactively defend against similar high-impact attacks. SOC Prime Platform curates a complete product suite backed by AI, automation, and actionable threat intelligence to empower security teams to outscale high-profile attacks and the most intricate threats when every second counts.