RCE to Sliver: IR Tales from the Field

Rapid7 Incident Response was engaged to investigate unauthorized access to two publicly facing Confluence servers that had been exploited via CVE-2023-22527. Cryptomining software and a Sliver C2 payload were identified on the servers. The Sliver implant was then used to pursue further objectives, including Kerbrute enumeration and network scanning. Rapid7 analyzed the activity to extract IOCs and implemented containment measures.