Confluence Exploit Leads to LockBit Ransomware
Feb. 24, 2025, 9:09 a.m.
Description
An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deployed ransomware through multiple methods, including SMB file copying and automated distribution via PDQ Deploy. Sensitive data was exfiltrated using Rclone to MEGA.io cloud storage. The intrusion had a rapid Time to Ransom of approximately two hours, showcasing the efficiency of the attack.
Tags
Date
- Created: Feb. 24, 2025, 6:16 a.m.
- Published: Feb. 24, 2025, 6:16 a.m.
- Modified: Feb. 24, 2025, 9:09 a.m.
Indicators
Attack Patterns
- LockBit
- T1567.002
- T1003.001
- T1021.001
- T1543.003
- T1070.001
- T1552.001
- T1078.003
- T1218.005
- T1018
- T1059.003
- T1059.001
- T1486
- T1057
- T1105
- T1046
- T1219
- T1033
- T1190
- T1072