A critical vulnerability in Apache ActiveMQ has been actively exploited by threat actors, leading to a full LockBit ransomware deployment across an enterprise network.
Attackers leveraged CVE-2023-46604, a remote code execution flaw in the ActiveMQ messaging broker, to break into an exposed Windows server and ultimately encrypt systems via Remote Desktop Protocol — spanning roughly 19 calendar days from initial access to full encryption.
The attack began in mid-February 2024, when a threat actor sent a specially crafted OpenWire command to a publicly accessible Apache ActiveMQ server.
The exploit caused the server to load a remote Java Spring XML configuration file, which instructed the compromised host to download a Metasploit stager using the Windows CertUtil utility.
Once executed, the stager opened a command-and-control channel to an attacker-controlled server at IP address 166.62.100[.]52.
Within 40 minutes of gaining that initial foothold, the attacker had already escalated to SYSTEM-level privileges and started dumping credentials from LSASS process memory on the beachhead host.
Analysts at The DFIR Report found that the attackers were evicted from the environment on the second day of the intrusion, but because the vulnerable ActiveMQ server was never patched, the same exploit path remained open.
Eighteen days after the first breach, the threat actors returned using the identical CVE-2023-46604 technique — only changing the names of the files downloaded after exploitation.
The re-entry was made far easier by a privileged service account whose credentials had been quietly stolen from LSASS memory during the first intrusion, giving the attackers a direct, ready-made route back into the network.
On their return, the attackers confirmed their domain administrator access, then ran a disguised network scanning tool — Advanced IP Scanner packaged to resemble SoftPerfect Network Scanner — to enumerate live hosts across the environment.
They then moved LockBit ransomware executables to servers and workstations via RDP sessions, using two files: LB3.exe and LB3_pass.exe.
On file and backup servers, the ransomware was executed with specific path and password arguments, while on other hosts it was run through a simple double-click in the Windows Explorer interface.
Ransom notes left behind pointed victims to the Session private messaging app, not to any official LockBit infrastructure, indicating this was an independent actor who built their ransomware using the leaked LockBit Black builder.
The total Time to Ransomware stood at 419 hours, just over 19 days from first exploitation to full encryption. Counted from the day-18 re-entry alone, however, fewer than 90 minutes elapsed before ransomware began executing across the network, so a defender who had missed the initial intrusion would have had almost no warning.
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2023-46604 | 10.0 (Critical) | Apache ActiveMQ Remote Code Execution via malicious OpenWire ClassInfo command |
Credential Theft Driving Lateral Movement
After gaining SYSTEM-level access on the beachhead, the Metasploit process accessed LSASS process memory on four separate hosts during the first intrusion round.
Sysmon process-access events (Event ID 10) recorded a GrantedAccess value of 0x1010, the combination of PROCESS_VM_READ (0x0010) and PROCESS_QUERY_LIMITED_INFORMATION (0x1000) that is enough to read LSASS memory, together with a CallTrace containing UNKNOWN, meaning the calling code was not backed by any module loaded from disk. That pairing is a strong indicator of an in-memory payload such as a Metasploit stager performing the dump rather than a legitimate on-disk tool.
One of the targeted hosts was running a production application tied to a privileged service account, and that single account became the bridge the threat actors used to cross back into the network 18 days later.
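The detection logic behind the paragraph above, as an added example that is not code from The DFIR Report: it parses Sysmon Event ID 10 records, decodes the GrantedAccess mask, and flags handles to lsass.exe that carry PROCESS_VM_READ, escalating when the CallTrace contains UNKNOWN. The event lines are constructed to mimic Sysmon's field layout and are not from the intrusion; the allowlist path for an EDR sensor is an assumption.

```python
"""Flag suspicious LSASS access in Sysmon Event ID 10 (ProcessAccess) records.

Added example, not code from The DFIR Report. The log lines below are
constructed to mimic Sysmon Event 10 fields; they are not from the intrusion.
"""
import re

# Subset of Windows PROCESS_* access rights relevant to credential dumping
ACCESS_NAMES = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010

# Constructed Sysmon Event ID 10 records (key=value pairs, one event per line)
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe "
    r"GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c6ae",
    r"EventID=10 SourceImage=C:\Windows\Temp\stager.exe TargetImage=C:\Windows\System32\lsass.exe "
    r"GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(000001C3A1B20000)",
    r"EventID=10 SourceImage=C:\Program Files\EDR\sensor.exe TargetImage=C:\Windows\System32\lsass.exe "
    r"GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Program Files\EDR\sensor.exe+1a2b",
    r"EventID=10 SourceImage=C:\Windows\Temp\stager.exe TargetImage=C:\Windows\explorer.exe "
    r"GrantedAccess=0x1fffff CallTrace=UNKNOWN(000001C3A1B20000)",
]

# key=value where values may contain spaces; a field ends where the next " key=" begins
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one flattened Sysmon record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def describe_access(mask):
    """Expand a GrantedAccess mask into the names of the rights it contains."""
    return [name for bit, name in sorted(ACCESS_NAMES.items()) if mask & bit]


def classify(event, allowlist=()):
    """Return a reason string if the event looks like an LSASS memory read, else None."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # query-only handles (0x1000, 0x1400) are routine and noisy
    source = event.get("SourceImage", "")
    if source.lower() in (p.lower() for p in allowlist):
        return None  # assumed-known security tooling (hypothetical EDR sensor path)
    reasons = ["PROCESS_VM_READ on lsass.exe (" + "|".join(describe_access(access)) + ")"]
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("CallTrace contains UNKNOWN: caller not backed by a loaded module")
    return "; ".join(reasons)


def scan(lines, allowlist=()):
    """Return (SourceImage, GrantedAccess, reason) for every flagged event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event, allowlist)
        if reason:
            hits.append((event["SourceImage"], event["GrantedAccess"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, allowlist=[r"C:\Program Files\EDR\sensor.exe"]):
        print(hit)
```

Without an allowlist the EDR sensor's 0x1010 handle is flagged too, which is the usual tuning problem with this rule: the access mask alone separates readers from queriers, and the UNKNOWN call trace is what separates injected code from a signed tool that legitimately reads LSASS.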
When the attackers returned on day 18, they used that stolen service account to remotely create services and run Metasploit payloads across domain controllers and multiple servers.
The PowerShell commands carrying those payloads were obfuscated through string concatenation, Base64 encoding, and gzip compression stacked on top of each other.
After decoding, the shellcode allocated memory regions using VirtualAlloc, changed their protection attribute to executable using VirtualProtect, then spawned a thread to execute the injected payload in-memory — a method commonly used to avoid triggering signature-based endpoint detection.
On hosts where Microsoft Defender was active, this activity was caught and blocked; unprotected systems were fully compromised.
![AnyDesk Silent Installation and C2 Connection to 166.62.100[.]52 (Source - The DFIR Report)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjortM5oqu22EzqUNBIiL0wmgbB0rREfQRsjhicJftC5CKAEkM96wVKmNNgAEzpr8KP6rLxEiDO_Tk0YuovUDi9EZ9GnOi6UJkkEmzojLYpfU1nflhLJSXC75HALkl44ZbfJxWBmBQhAyjzkoi4P02WBwKZb8xD6dxHaxJHnrZlCeNypt8n94ldVTkLc68/s16000/AnyDesk%20Silent%20Installation%20and%20C2%20Connection%20to%20166.62.100%5B.%5D52%20(Source%20-%20The%20DFIR%20Report).webp)
To cover their tracks and maintain a foothold, the attackers silently installed AnyDesk on the beachhead host, setting it up as an auto-start service.
A batch file named rdp.bat opened firewall port 3389 to allow RDP connections and was then removed roughly six minutes after execution.
Windows System, Application, and Security event logs on the beachhead were all wiped, and the LOLBIN SystemSettingsAdminFlows.exe was abused on the Exchange server to disable Windows Defender.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 166.62.100[.]52 | IP Address | C2 server and AnyDesk login source |
| C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE | SHA-256 | LB3_pass.exe — LockBit ransomware executable |
| 8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6 | SHA-256 | LB3.exe — LockBit ransomware executable |
| 87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55 | SHA-256 | netscan.exe — Network scanner tool |
| 722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B | SHA-256 | advanced_ip_scanner.exe — IP scanner disguise |
| D9C888BDE81F19F3DC4F050D184FFA6470F1A93A2B3B10B3CC2D246574F56841 | SHA-256 | rdp.bat — RDP configuration batch file |
| 1148037084 | AnyDesk Client ID | Attacker’s AnyDesk client identifier |
Organizations should immediately patch Apache ActiveMQ to a release that addresses CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 or 5.18.3 and later), harden credential storage on Windows hosts with LSA Protection (RunAsPPL) and Credential Guard, alert on event log clearing, block unauthorized remote access tools such as AnyDesk, and reset all credentials, service accounts included, after any suspected intrusion so that stolen accounts cannot be reused for re-entry.