Security Articles

Apache ActiveMQ Exploit Leads to LockBit Ransomware

Released on 2026-02-23 @ 10:38:39 PM

A threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server, gaining initial access and later returning after being evicted. The attacker used Metasploit for post-exploitation activities, including privilege escalation, credential access, and lateral movement. Upon regaining access, they swiftly deployed LockBit ransomware via RDP using previously extracted credentials. The ransomware binary matched LockBit signatures but was likely crafted using the leaked LockBit builder, as evidenced by modified ransom notes and communication methods. The intrusion spanned 19 days from initial access to ransomware deployment, with less than 90 minutes between re-engagement and encryption during the second phase.