An intrusion began with the exploitation of CVE-2023-22527 on an internet-exposed Windows Confluence server and ended with LockBit ransomware deployed across the environment. The threat actor used several tools, including Mimikatz, Metasploit, and AnyDesk, relied on RDP for lateral movement, and deployed the ransomware through multiple methods, including copying the payload over SMB and automated distribution via PDQ Deploy. Sensitive data was exfiltrated with Rclone to MEGA.io cloud storage. The Time to Ransom was approximately two hours, an unusually short interval that left defenders little window to detect and contain the intrusion.

Author: AlienVault
Related Tags:
T1218.005
exfiltration
cve-2023-22527
T1003.001
lateral movement
T1567.002
T1070.001
rdp
T1543.003
Associated Indicators: