LockBit Ransomware Strikes Twice: Exploiting Apache ActiveMQ Vulnerability

Listen to this Post

Featured Image
Cybersecurity experts are raising alarms after a sophisticated ransomware attack exploited a known vulnerability in Apache ActiveMQ servers, highlighting how attackers can return even after being initially blocked. The incident, involving LockBit ransomware, demonstrates the evolving tactics of threat actors who combine old vulnerabilities, stolen credentials, and remote access tools to inflict maximum damage.

Initial Breach and Exploitation

The attack began in February 2024 when threat actors targeted an internet-facing Apache ActiveMQ server vulnerable to CVE-2023-46604. By exploiting a flaw in the Java Spring class configuration, they inserted a malicious XML file containing commands to download a payload from a remote server. This payload, executed via Windows CertUtil, turned out to be a Metasploit stager that granted SYSTEM-level access to the attackers.

With initial access established, the intruders moved laterally across the network using SMB traffic and Metasploit payloads. During this phase, they harvested credentials from LSASS memory, setting the stage for future operations. Despite being evicted after this initial breach, the attackers demonstrated persistence by returning 18 days later to exploit the same unpatched server.

Return and Escalation

Upon re-entry, the attackers repeated their previous actions, including privilege escalation and credential harvesting. This time, they leveraged the previously stolen credentials to access multiple servers via RDP, including backup and file servers. They also installed the AnyDesk remote access tool and configured persistent RDP access, ensuring they could deploy ransomware across the network without interruption.

LockBit Ransomware Deployment

Using RDP, the attackers executed LockBit ransomware on multiple hosts. Files named LB3_pass.exe and LB3.exe were deployed interactively through RDP sessions. Interestingly, the ransom note deviated from standard LockBit protocols, instructing victims to communicate via Session messaging instead of the usual Tor leak site. The ransomware executed with flags likely designed to propagate through SMB, encrypting files across the network. After approximately four hours, the attackers ceased activity, leaving widespread encryption and ransom demands behind.

What Undercode Say:

This attack underscores several critical lessons for organizations:

Unpatched Vulnerabilities Are Invitations – The repeated exploitation of CVE-2023-46604 shows that leaving known flaws unpatched invites not just initial compromise but repeat attacks. Attackers are patient and methodical.

Credential Theft Fuels Lateral Movement – Accessing LSASS memory allowed attackers to harvest credentials, which were later used to log in via RDP. Organizations must monitor for unusual memory access or credential dumping attempts.

RDP Security Is Crucial – The deployment of ransomware through RDP highlights the need for multi-factor authentication, network segmentation, and strict remote access policies. RDP remains a primary vector for ransomware deployment.

Persistence Tactics Are Evolving – Installing AnyDesk and setting persistent RDP access illustrates the increasing sophistication of attackers who blend off-the-shelf tools with custom tactics to maintain network presence.

Monitoring and Response Matter – Quick detection could have mitigated the second round of intrusion. Continuous monitoring, threat hunting, and incident response readiness are essential.

Ransomware Customization Is Growing – Altered ransom notes and messaging channels demonstrate attackers’ adaptability. This signals that LockBit and similar groups are experimenting with new ways to manage communications with victims and evade traditional tracking methods.

SMB Propagation Is Still a Threat – The ransomware used SMB to spread internally. Even if external defenses are strong, internal network segmentation can limit such lateral spread.

Recurrent Attacks Are Real – Organizations must assume that once breached, attackers may attempt to return if systems remain vulnerable. Patch management and post-incident verification are essential to prevent repeat attacks.

Use of Leaked Tools – The attack leveraged a leaked LockBit builder, showing that threat actors can access advanced ransomware toolkits without developing them in-house, lowering the barrier to sophisticated attacks.

Incident Duration Is Limited but Impactful – Four hours of activity were enough to encrypt critical data. Attackers can operate quickly when they have unrestricted access, emphasizing the importance of rapid detection and isolation.

Fact Checker Results:

✅ The vulnerability CVE-2023-46604 is confirmed as exploitable in Apache ActiveMQ.
✅ LockBit ransomware has a history of using RDP and SMB for lateral movement.
❌ The claim about using Session messaging instead of Tor is plausible but not independently verified.

Prediction:

🔮 Ransomware operations will increasingly combine exploitation of known vulnerabilities with persistent remote access tools. Organizations that delay patching or have weak RDP controls are likely to see repeat intrusions. Expect ransomware groups to continue customizing communication channels and leveraging leaked toolkits, making rapid detection, automated patching, and robust network segmentation critical defenses.

If you want, I can also create a visual timeline of this attack, showing the breach, lateral movement, and ransomware deployment for easy understanding.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon