Confluence Exploit Leads to LockBit Ransomware
AlienVault pulse (TLP:WHITE, tag: LockBit). Created: 2025-02-24. Modified: 2025-03-26.
An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server and ended with LockBit ransomware deployed across the environment. The threat actor used tools including Mimikatz, Metasploit, and AnyDesk, moved laterally over RDP, and deployed the ransomware through multiple methods, including copying the payload over SMB and automated distribution via PDQ Deploy. Sensitive data was exfiltrated with Rclone to MEGA.io cloud storage. The Time to Ransom was approximately two hours, showing how quickly the intrusion progressed from initial access to encryption.
Indicators of Compromise (44)
CVE indicators (created 2025-02-24): CVE-2017-0199, CVE-2023-22515, CVE-2023-22518, CVE-2023-22527.