Confluence Exploit Leads to LockBit Ransomware
Essential information
- Published: 24/02/2025 06:16
- Modified: 24/02/2025 09:09
- Tags: 2025-02-24, CVE-2023-22527, confluence, credential-theft, exfiltration, lateral movement, lockbit, ransomware, rdp
- Related entities: 4 vulnerabilities (cve), 15 observables, 1 intrusion set (apt), 19 techniques (mitre), 1 malware
Description
An intrusion began with the exploitation of CVE-2023-22527 on an internet-exposed Windows Confluence server and ended with LockBit ransomware deployed across the environment. The threat actor used several tools, including Mimikatz, Metasploit, and AnyDesk. They relied on RDP for lateral movement and deployed the ransomware through multiple methods, including copying the payload over SMB and automated distribution via PDQ Deploy. Sensitive data was exfiltrated with Rclone to MEGA.io cloud storage. The Time to Ransom (the interval from initial access to ransomware deployment) was approximately two hours, showing how quickly the attack progressed.