Confluence Exploit Leads to LockBit Ransomware – The DFIR Report

A Windows Confluence server was compromised through the exploitation of CVE-2023-22527, leading to the deployment of LockBit ransomware. The threat actor used various tools, including Mimikatz, Metasploit, and AnyDesk, for lateral movement and data exfiltration. The intrusion had a rapid Time to Ransom (TTR) of around two hours.
