A cyber intrusion targeting a Windows Confluence server exploited a critical vulnerability (CVE-2023-22527), leading to the rapid deployment of LockBit ransomware. The attacker utilized various tools and techniques for lateral movement and data exfiltration, completing the ransomware attack in just over two hours. Affected: Confluence, Windows Server, LockBit Ransomware victims
Keypoints :
- Intrusion initiated by exploiting a critical Confluence vulnerability (CVE-2023-22527).
- Deployment of LockBit ransomware occurred quickly, within approximately two hours.
- Tools used included Mimikatz, Metasploit, and AnyDesk.
- Remote Desktop Protocol (RDP) was leveraged for lateral movement.
- Data was exfiltrated using Rclone to MEGA.io cloud storage.
- The attack began with system discovery commands.
- AnyDesk was installed for persistent access.
- Ransomware was distributed across the network using PDQ Deploy.
- Secure tokens and credentials were obtained via PowerShell scripts.
MITRE Techniques :
- Exploit Public-Facing Application (T1190): Utilized CVE-2023-22527 to gain access.
- Remote Desktop Protocol (T1021.001): Used for lateral movement across systems.
- Data Encrypted for Impact (T1486): Executed LockBit ransomware.
- Ingress Tool Transfer (T1105): Tools like AnyDesk and Metasploit were downloaded.
- Clear Windows Event Logs (T1070.001): Event logs were cleared post-exfiltration.
- Software Deployment Tools (T1072): Used PDQ Deploy to automate ransomware distribution.
- Remote System Discovery (T1018): Explored remote hosts to identify targets.
- Credential In Files (T1552.001): Obtained credentials from exposed files and scripts.
Indicator of Compromise :
- [IP Address] 92[.]51.2.22
- [IP Address] 92[.]51.2.27
- [Hash] 438448FDC7521ED034F6DABDF814B6BA
- [Hash] F08E7343A94897ADEAE78138CC3F9142ED160A03
- [Filename] asd.bat
Full Story: https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/