Pulse: Confluence Exploit Leads to LockBit Ransomware
TLP: WHITE | Tag: LockBit | Author: AlienVault | Created: 2025-02-24 | Modified: 2025-03-26
Indicators: 44 | Volume: MEDIUM
The intrusion began with exploitation of CVE-2023-22527 on an internet-exposed Windows Confluence server and ended with LockBit ransomware deployed across the environment. The threat actor used a range of tooling, including Mimikatz, Metasploit, and AnyDesk, moved laterally over RDP, and distributed the ransomware by more than one method: copying the payload to hosts over SMB and pushing it automatically with PDQ Deploy. Sensitive data was exfiltrated with Rclone to MEGA.io cloud storage. Time to Ransom was approximately two hours, underscoring how little detection and response time such an intrusion leaves.
Indicators of Compromise (11 of 44 total shown)

TYPE           INDICATOR                          DESCRIPTION   CREATED
FileHash-MD5   03af38505cee81b9d6ecd8c1fd896e0e   -             2025-02-24
FileHash-MD5   0f7b6bb3a239cf7a668a8625e6332639   -             2025-02-24
FileHash-MD5   4f2f006e2ecf7172ad368f8289dc96c1   -             2025-02-24
FileHash-MD5   5ece094e7f2f03efa6f8d51d9a698823   -             2025-02-24
FileHash-MD5   6e91c474d90546845b1f3f9e7a33411a   -             2025-02-24
FileHash-MD5   dbd4201cf48f9c38a17d30012392cf92   -             2025-02-24
FileHash-MD5   ea327ed0a3243847f7cd87661e22e1de   -             2025-02-24
FileHash-MD5   3bd63b2962d41d2e29e570238d28ec0e   -             2025-02-24
FileHash-MD5   438448fdc7521ed034f6dabdf814b6ba   -             2025-02-24
FileHash-MD5   9d495530a421a7c7e113b7afc3a50504   -             2025-02-24
FileHash-MD5   d7addb5b6f55eab1686410a17b3c867b   -             2025-02-24