The Ultimate Black Basta Chat Leak Part 2 – Veeam & Confluence

This article analyzes the tactics, techniques, and procedures (TTPs) of the LockBit and Black Basta ransomware groups, specifically focusing on their exploitation of Confluence software. Their similarities and differences are explored, along with methods for detection and incident response. Tools used for attacks, the attack flow, and risks involved are highlighted, along with suggestions for monitoring and protection strategies.

Affected: Confluence, Windows servers, RDP environments

Key points:

  • LockBit and Black Basta have overlapping attack patterns focused on SMB, Rclone, and RDP.
  • Black Basta is noted for its patient approach, while LockBit tends to execute faster ransom demands.
  • Both groups exploit critical vulnerabilities in Atlassian products, particularly Confluence.
  • Effective detection should include monitoring for PowerShell misuse and anomalous account activity.
  • The analysis showcases various TTPs using real-world examples from a chat log leak.
  • An incident response framework is recommended alongside the detection of lateral movement.

MITRE Techniques:

  • T1190 – Exploit Confluence RCE (CVE-2023-22527): Exploitation of a critical remote code execution vulnerability in Confluence against a Windows server.
  • T1059 – Download & Execute AnyDesk via Metasploit Stager: Remote access installed using a stager file hosted on an attacker’s server.
  • T1567 – Rclone File Exfiltration: Exfiltration of data achieved using Rclone to send data to remote cloud storage (MEGA.io).
  • T1562 – Disable or Modify Security Tools: Attackers often disable security solutions, allowing seamless execution of their payloads.

Indicators of Compromise:

  • [URL] http://attacker-server/AnyDesk.exe
  • [URL] http://attacker-server/stager.hta
  • [IP Address] 79.141.1.193
  • [IP Address] 79.141.8.42
  • [SHA-256] 2ece57a04cf8f636ba7ac6755ad274c86e35871e66622ffd1f84a322140b2f90

Full Story: https://medium.com/@simone.kraus/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac?source=rss——malware-5