TTPwire Vol. 1 · MITRE ATT&CK · Tagged


The DFIR Report

Apache ActiveMQ Exploit Leads to LockBit Ransomware

editor · 2026-02-23

ATT&CK techniques detected

43 predictions
T1190 · Exploit Public-Facing Application · 100%
"90 minutes before ransomware execution. If you would like to get an email when we publish a new report, please subscribe here. The DFIR Report offerings: a threat brief version of this report was published to customers in May of 2024. Check out our products here and our services h…"

T1021.001 · Remote Desktop Protocol · 100%
"…actor also used RDP for lateral movement. They began by logging into a backup server. The credentials used belonged to a privileged service account that was active on one of the servers from which credentials were dumped on the first day of access. RDP sessions were then observed…"

T1486 · Data Encrypted for Impact · 99%
"AnyDesk was installed. After that, several more executables were dropped via the Metasploit process on the beachhead. These included a renamed Advanced IP Scanner binary and two LockBit ransomware files. Advanced IP Scanner was then run, and the threat actor began another round o…"

T1021.001 · Remote Desktop Protocol · 98%
"…following command: cmd.exe /c echo kesknq > \\.\pipe\kesknq. This pattern of activity is commonly associated with running the getsystem command in a Meterpreter shell to elevate privileges. We can see in the logs that this command provided access to SYSTEM-level privileg…"

T1486 · Data Encrypted for Impact · 98%
"…to the application. This activity was identified using the ad_svc.trace logs from the beachhead host. These logs revealed the login location to be the same IP address used to launch the exploit and host the Metasploit command and control, linking activity across the multiple e…"

T1021.001 · Remote Desktop Protocol · 96%
"…d4-7a5602b780d1: Potential PowerShell command line obfuscation; 954f0af7-62dd-418f-b3df-a84bc2c7a774: New remote desktop connection initiated via mstsc.exe; ed74fe75-7594-4b4b-ae38-e38e3fd2eb23: Outbound RDP connections over non-standard tools; bef37fa2-f…"

T1486 · Data Encrypted for Impact · 96%
"…'s ability to spread via a PsExec-style SMB spreader configurable within the builder. Upon execution, ransom notes were written to directories across affected hosts as the systems were encrypted. The ransom note did not follow the normal LockBit format directing victims to a t…"

T1055.001 · Dynamic-link Library Injection · 95%
"…-9ed363038101: Elevated system shell spawned; 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09: Suspicious SYSTEM user process creation; d522eca2-2973-4391-a3e0-ef0374321dae: Abused debug privilege by arbitrary parent processes; d75d6b6b-adb9-48f7-824b-ac2e786efe1f:…"

T1055.001 · Dynamic-link Library Injection · 95%
"…e dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0: Shell process spawned by java.exe. YARA: 7bc0f998-7014-4883-8a56-d5ee00c15aed: windows_trojan_metasploit_7bc0f998; 91bc5d7d-31e3-4c02-82b3-a685194981f3: windows_trojan_metasploit_91bc5d7d. MITRE ATT&C…"

T1003.001 · LSASS Memory · 92%
"…, as well as clearing the Security event logs, as indicated by Event ID 1102. Event ID 104: Event ID 1102: On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system…"

T1543.003 · Windows Service · 92%
"…file with the typical MZ header and the “This program cannot be run in DOS mode” string: After download, the executable file was started. Sysmon Event ID 1 (process execution) showed execution of the file: ufsylszksur.exe was a Metasploit executable configured to communica…"

T1080 · Taint Shared Content · 88%
"AnyDesk was installed. After that, several more executables were dropped via the Metasploit process on the beachhead. These included a renamed Advanced IP Scanner binary and two LockBit ransomware files. Advanced IP Scanner was then run, and the threat actor began another round o…"

T1055.001 · Dynamic-link Library Injection · 86%
"…6a-4fc802ebf6c0: Suspicious group and account reconnaissance activity using net.exe; 15619216-e993-4721-b590-4c520615a67d: Potential Meterpreter/CobaltStrike activity; 9bd04a79-dabe-4f1f-a5ff-92430265c96b: Privilege escalation via named pipe impersonation …"

T1055.001 · Dynamic-link Library Injection · 84%
"…the allocated memory. - Changes the memory protection to executable using VirtualProtect, where the 0x10 parameter specifies the new protection attributes for the memory region and corresponds to PAGE_EXECUTE. - Creates a new thread to execute the code in the allocated memory u…"

T1486 · Data Encrypted for Impact · 83%
"…3.exe. These files were LockBit ransomware executables. Based on the ransom note dropped after execution, we assess that the ransomware was created using the leaked LockBit Black builder. This builder generates the encryption and decryption keys and produces the required PE fi…"

T1080 · Taint Shared Content · 83%
"…to the application. This activity was identified using the ad_svc.trace logs from the beachhead host. These logs revealed the login location to be the same IP address used to launch the exploit and host the Metasploit command and control, linking activity across the multiple e…"

T1080 · Taint Shared Content · 81%
"…3.exe. These files were LockBit ransomware executables. Based on the ransom note dropped after execution, we assess that the ransomware was created using the leaked LockBit Black builder. This builder generates the encryption and decryption keys and produces the required PE fi…"

T1219 · Remote Access Tools · 76%
"AnyDesk was installed. After that, several more executables were dropped via the Metasploit process on the beachhead. These included a renamed Advanced IP Scanner binary and two LockBit ransomware files. Advanced IP Scanner was then run, and the threat actor began another round o…"

T1204.002 · Malicious File · 76%
"…began more traditional discovery activity by running various Windows utilities. From network traffic recorded during the second round of exploitation, we saw the ActiveMQ server process downloading the malicious XML file containing the commands to be run in the command-line int…"

T1190 · Exploit Public-Facing Application · 75%
"…2b3b10b3cc2d246574f56841. Detections. Network: 2034225: ET MALWARE [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement; 2851484: ETPRO INFO SMB/DCERPC Bind_Ack With Endian Flipped; 2049009: ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 …"

T1059.001 · PowerShell · 74%
"…, the threat actor launched the scanner to enumerate the local network. The following were the top ports scanned using the tool: Lateral Movement. Remote Services. The threat actor used Metasploit to execute remote services across several hosts in the environment, both on the…"

T1080 · Taint Shared Content · 74%
"…'s ability to spread via a PsExec-style SMB spreader configurable within the builder. Upon execution, ransom notes were written to directories across affected hosts as the systems were encrypted. The ransom note did not follow the normal LockBit format directing victims to a t…"

T1486 · Data Encrypted for Impact · 72%
"Apache ActiveMQ Exploit Leads to LockBit Ransomware. Key Takeaways - A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully…"

T1021.001 · Remote Desktop Protocol · 71%
"…actor returned. They used the same access path, exploiting the same unpatched Apache ActiveMQ server, and regained access to the environment. After this, they repeated the same getsystem and LSASS access as previously observed on the beachhead during the first round of the intrus…"

T1190 · Exploit Public-Facing Application · 71%
"…files that were downloaded after successful exploitation. The exploit activity triggered the following network intrusion detection rules from Emerging Threats: ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 - Local Instance; ET EXPLOIT Apache ActiveMQ Remote …"

T1210 · Exploitation of Remote Services · 70%
"…Apple, YouTube, Audible, & Amazon. Case Summary. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Ja…"

T1059.001 · PowerShell · 56%
"Apache ActiveMQ Exploit Leads to LockBit Ransomware. Key Takeaways - A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully…"

T1204.002 · Malicious File · 55%
"…0.x detected; 2025703: ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory; 2021076: ET HUNTING Suspicious Dotted Quad Host MZ Response; 2018959: ET POLICY PE EXE or DLL Windows file download HTTP; 2851878: ETPRO MALWARE Cobalt Strike Stager Payload …"

T1071.001 · Web Protocols · 53%
"…cf16ff8a5e949a118be27f15962fae; lb3.exe SHA256: 8ceee89550c521ba43f59d24ba53a22a3b69ead0fce118508d0a87a383d6a7b6; netscan.exe SHA256 = 87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55; advanced_ip_scanner.exe SHA256 = 722fff8f38197d1449df500ae31a95bb34a6dda…"

T1078 · Valid Accounts · 53%
"…, as well as clearing the Security event logs, as indicated by Event ID 1102. Event ID 104: Event ID 1102: On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system…"

T1547.001 · Registry Run Keys / Startup Folder · 53%
"…7d3d-4a49-9817-b8004a7bf105: Uncommon new firewall rule added in Windows firewall exception list; 2aa0a6b4-a865-495b-ab51-c28249537b75: Startup folder file write; 530a6faa-ff3d-4022-b315-50828e77eef5: AnyDesk remote access software service installation; 114e…"

T1021.001 · Remote Desktop Protocol · 52%
"…the allocated memory. - Changes the memory protection to executable using VirtualProtect, where the 0x10 parameter specifies the new protection attributes for the memory region and corresponds to PAGE_EXECUTE. - Creates a new thread to execute the code in the allocated memory u…"

T1190 · Exploit Public-Facing Application · 52%
"…cf16ff8a5e949a118be27f15962fae; lb3.exe SHA256: 8ceee89550c521ba43f59d24ba53a22a3b69ead0fce118508d0a87a383d6a7b6; netscan.exe SHA256 = 87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55; advanced_ip_scanner.exe SHA256 = 722fff8f38197d1449df500ae31a95bb34a6dda…"

T1547.008 · LSASS Driver · 51%
"…, as well as clearing the Security event logs, as indicated by Event ID 1102. Event ID 104: Event ID 1102: On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe, which allows users to customize or configure the system…"

T1190 · Exploit Public-Facing Application · 51%
"Apache ActiveMQ Exploit Leads to LockBit Ransomware. Key Takeaways - A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully…"

T1003 · OS Credential Dumping · 43%
"Apache ActiveMQ Exploit Leads to LockBit Ransomware. Key Takeaways - A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully…"

T1021.002 · SMB/Windows Admin Shares · 42%
"…Apple, YouTube, Audible, & Amazon. Case Summary. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Ja…"

T1550.002 · Pass the Hash · 39%
"…actor returned. They used the same access path, exploiting the same unpatched Apache ActiveMQ server, and regained access to the environment. After this, they repeated the same getsystem and LSASS access as previously observed on the beachhead during the first round of the intrus…"

T1021.006 · Windows Remote Management · 39%
"…actor returned. They used the same access path, exploiting the same unpatched Apache ActiveMQ server, and regained access to the environment. After this, they repeated the same getsystem and LSASS access as previously observed on the beachhead during the first round of the intrus…"

T1219 · Remote Access Tools · 39%
"…d4-7a5602b780d1: Potential PowerShell command line obfuscation; 954f0af7-62dd-418f-b3df-a84bc2c7a774: New remote desktop connection initiated via mstsc.exe; ed74fe75-7594-4b4b-ae38-e38e3fd2eb23: Outbound RDP connections over non-standard tools; bef37fa2-f…"

T1046 · Network Service Discovery · 34%
"…movement activity. Discovery Round One. After the initial exploitation of the beachhead host, no immediate process activity related to discovery was observed. However, around an hour after the first exploit, SMB traffic from the beachhead to remote hosts across the network was obs…"

T1204.002 · Malicious File · 32%
"…files that were downloaded after successful exploitation. The exploit activity triggered the following network intrusion detection rules from Emerging Threats: ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 - Local Instance; ET EXPLOIT Apache ActiveMQ Remote …"

T1569.002 · Service Execution · 31%
"…file with the typical MZ header and the “This program cannot be run in DOS mode” string: After download, the executable file was started. Sysmon Event ID 1 (process execution) showed execution of the file: ufsylszksur.exe was a Metasploit executable configured to communica…"

Summary

Key Takeaways

An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring […]

The post Apache ActiveMQ Exploit Leads to LockBit Ransomware appeared first on The DFIR Report.