Confluence Exploit Leads to LockBit Ransomware
ID: 1d57af87-83ac-5076-ade0-ebd5cc7d6f78
STIX ID: report--1d57af87-83ac-5076-ade0-ebd5cc7d6f78
Feed Name: The DFIR Report
Threat Score
A Confluence server was exploited via CVE-2023-22527 to obtain SYSTEM access and deploy a Metasploit meterpreter and AnyDesk; the actor harvested credentials with Mimikatz, moved laterally via RDP, exfiltrated data to MEGA using Rclone, and rapidly (≈2 hours) deployed LockBit ransomware across the environment using manual execution and PDQ Deploy, leaving ransom notes and altered desktop backgrounds.