A critical vulnerability within Apache ActiveMQ (CVE-2023-46604) has been actively exploited by threat actors, leading to a full ransomware deployment by the LockBit group across an enterprise network. The attackers utilized this remote code execution flaw to gain initial access to a Windows server and subsequently encrypt systems via Remote Desktop Protocol (RDP), with the entire operation spanning approximately 19 days from initial intrusion to full system compromise.
The attack chain commenced in mid-February 2024. Threat actors sent a specifically crafted OpenWire command to a publicly accessible Apache ActiveMQ server. This malicious command triggered the server to load a remote Java Spring XML configuration file. This configuration file then instructed the compromised host to download a Metasploit stager using the Windows CertUtil utility. Once executed, the stager established a command-and-control (C2) channel to an attacker-controlled server located at IP address 166.62.100[.]52. Within a mere 40 minutes of this initial foothold, attackers escalated their privileges to the SYSTEM level and began exfiltrating credentials from the LSASS process memory on the compromised server.
Credential Theft and Lateral Movement Enable LockBit Ransomware Deployment
According to analysis from The DFIR Report, the initial intrusion was detected and the attackers were evicted from the network on the second day. However, the underlying vulnerability in the ActiveMQ server remained unpatched, leaving the same exploitation pathway open. Eighteen days after the first breach, the threat actors returned, employing the identical CVE-2023-46604 technique. The only notable change in their methodology was the alteration of file names used after the initial exploitation.
The attackers’ return was significantly facilitated by a privileged service account whose credentials had been covertly extracted from LSASS memory during the first intrusion. This stolen account provided the threat actors with a direct and readily available access route back into the network, bypassing initial security measures that might have otherwise detected a new intrusion attempt.
Upon re-entry, the threat actors confirmed their elevated domain administrator access. They then deployed a disguised network scanning tool, Advanced IP Scanner, which was packaged to appear as SoftPerfect Network Scanner. This tool was used to enumerate live hosts across the entire environment. Following network reconnaissance, the attackers began distributing LockBit ransomware executables to various servers and workstations through RDP sessions. The ransomware was deployed using two files, identified as LB3.exe and LB3_pass.exe.
The ransomware was executed with specific path and password arguments on file and backup servers. On other compromised hosts, it was initiated via a simple double-click within the Windows Explorer interface. The ransom notes left behind directed victims to the Session private messaging application rather than any official LockBit infrastructure. This suggests a degree of independence from the core LockBit operations, possibly indicating an actor utilizing leaked LockBit Black ransomware builder code.
The total “Time to Ransomware,” the period from initial exploitation to the execution of ransomware, was approximately 419 hours, equating to just over 19 days. Had the initial intrusion phase not been detected by defenders, the attackers would have had less than 90 minutes from their re-entry to initiate ransomware deployment across the network.
During the first intrusion, after achieving SYSTEM-level access, the Metasploit process accessed LSASS process memory on four distinct hosts. Sysmon logs captured a specific access value (0x1010), which grants read access to virtual memory, alongside an “UNKNOWN” CallTrace entry. This is a strong indicator of injected code performing a credential dump without leaving the trace of standard process activity. One of the targeted hosts was running a critical production application associated with a privileged service account. This single compromised account served as the crucial link for the threat actors to regain network access 18 days later.
When the threat actors returned on day 18, they leveraged the stolen service account to remotely create services and execute Metasploit payloads across domain controllers and multiple servers. The PowerShell commands used to deliver these payloads were heavily obfuscated using a combination of string concatenation, Base64 encoding, and gzip compression. Upon decoding, the shellcode would allocate memory regions using VirtualAlloc, alter their protection attributes to executable using VirtualProtect, and then spawn a thread to execute the injected payload in memory. This technique is frequently employed to evade signature-based endpoint detection systems.
Where Microsoft Defender was actively running, these malicious activities were detected and blocked. However, systems that were not adequately protected experienced full compromise. To conceal their presence and maintain persistence, the attackers silently installed AnyDesk on the initial beachhead host, configuring it as an auto-start service. A batch file, named rdp.bat, was used to open firewall port 3389, enabling RDP connections, and was subsequently deleted approximately six minutes after its execution.
Moreover, Windows System, Application, and Security event logs on the primary compromised host were systematically wiped. The attackers also abused the LOLBIN utility SystemSettingsAdminFlows.exe on an Exchange server to disable Windows Defender protections.
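The detection points in the report (LSASS opened with GrantedAccess 0x1010 from an "UNKNOWN" CallTrace, the firewall rule for port 3389 that rdp.bat created, and the cleared event logs) can be expressed as simple triage rules. The following is an added example, not code from The DFIR Report; the event records are constructed to mirror the fields Sysmon and the Windows Event Log expose, and the hostnames, paths and offsets are invented.

```python
import re

# Constructed sample events (flattened Sysmon / Windows Event Log fields);
# they illustrate the report's indicators and are not real telemetry.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "id": 10, "host": "SRV01",
     "SourceImage": "C:\\Windows\\Temp\\upd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": "UNKNOWN(000001D4A2B00000)"},
    {"channel": "Sysmon", "id": 10, "host": "SRV01",   # benign AV scan of LSASS
     "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5e4|C:\\Windows\\System32\\KERNELBASE.dll+2cc9e"},
    {"channel": "Sysmon", "id": 1, "host": "SRV01",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=rdp dir=in "
                    "action=allow protocol=TCP localport=3389"},
    {"channel": "Security", "id": 1102, "host": "SRV01"},
    {"channel": "Sysmon", "id": 1, "host": "WS07",
     "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"},
]

def lsass_read_from_unbacked_code(ev):
    """Sysmon 10: LSASS opened with PROCESS_VM_READ from an UNKNOWN call site."""
    if (ev.get("channel"), ev.get("id")) != ("Sysmon", 10):
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    # 0x1010 = PROCESS_VM_READ (0x0010) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000);
    # an UNKNOWN frame in CallTrace means the caller is not backed by a module on disk.
    return bool(mask & 0x0010) and "UNKNOWN" in ev.get("CallTrace", "")

RDP_RULE_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=3389", re.I)

def rdp_port_opened_via_netsh(ev):
    """Sysmon 1: netsh adds an inbound allow rule for TCP/3389 (rdp.bat behaviour)."""
    return ((ev.get("channel"), ev.get("id")) == ("Sysmon", 1)
            and RDP_RULE_RE.search(ev.get("CommandLine", "")) is not None)

def event_log_cleared(ev):
    """Security 1102 / System 104: audit or system log wiped."""
    return (ev.get("channel"), ev.get("id")) in {("Security", 1102), ("System", 104)}

RULES = {"lsass_read_from_unbacked_code": lsass_read_from_unbacked_code,
         "rdp_port_opened_via_netsh": rdp_port_opened_via_netsh,
         "event_log_cleared": event_log_cleared}

def triage(events):
    """Return (rule, host) pairs for every event a rule fires on, in input order."""
    return [(name, ev["host"]) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The Defender record is deliberately left unflagged: legitimate security tooling also reads LSASS with 0x1010, so the CallTrace check, not the access mask alone, is what separates injected code from a module-backed caller.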
Indicators of Compromise (IOCs)
Organizations are strongly advised to immediately patch Apache ActiveMQ to mitigate CVE-2023-46604. Implementing LSASS protection through Credential Guard, actively monitoring for event log clearing activities, restricting the installation of unauthorized remote access tools, and resetting all credentials following any suspected intrusion are crucial steps to prevent re-entry through compromised accounts.