Confluence Exploit Leads to LockBit Ransomware
TLP: WHITE | Tag: LockBit | Author: AlienVault | Created: 2025-02-24 | Modified: 2025-03-26 | 44 IOCs (medium volume)
The intrusion began with the exploitation of CVE-2023-22527 on an internet-exposed Windows Confluence server and ended with LockBit ransomware deployed across the environment. The threat actor used tools including Mimikatz, Metasploit, and AnyDesk, moved laterally over RDP, and deployed the ransomware by several methods, including copying files over SMB and automated distribution via PDQ Deploy. Sensitive data was exfiltrated with Rclone to MEGA.io cloud storage. The Time to Ransom was approximately two hours, showing how quickly the attack progressed.
Indicators of Compromise (18 of 44 total listed; indicator types in the pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, CVE)