From Initial Access to Impact: What This Month’s Attacks Reveal
Your board wants to know if you could withstand a targeted attack. Your SOC is managing an alert backlog. Your last red team report is already three months old.
This is the reality for most enterprise security leaders: accountable for resilience every hour of the day, but able to validate it only at fixed points in time.
We are launching the WRAITH Monthly Threat Report to address exactly that. Each month we examine real intrusions, identify the patterns that connect them, and draw out what they mean for how mature organisations test and defend against real-world attacks.
This month, three cases stood out. The patterns across them are worth exploring.
This Month’s Real-World Cases
Case 1: Apache ActiveMQ Exploit Leads to LockBit Ransomware
- An exposed Apache ActiveMQ server was exploited using a known vulnerability, CVE-2023-46604, giving the attacker remote code execution
- The organisation identified the intrusion and evicted the attacker
- The server was not patched
- Eighteen days later the attacker returned through the same entry point, using credentials harvested during the first intrusion
- Domain administrator access was regained within minutes
- LockBit ransomware was deployed across the environment via RDP
- Total time from initial access to ransomware deployment: 419 hours. Once the attacker returned on day eighteen, the organisation had less than 90 minutes before encryption began
Implication: Eviction is not the same as remediation. When an attacker leaves, what they found does not leave with them. Credentials, mapped environments and identified weaknesses persist long after the incident is closed. For security teams focused on closing the immediate incident, this case is a reminder that the clock does not reset when the attacker disappears.
Case 2: Cat’s Got Your Files, Lynx Ransomware
- The Lynx group gained access using valid Remote Desktop Protocol credentials. No brute force. No exploit.
- Domain administrator access was achieved rapidly after initial entry
- Data was exfiltrated before ransomware was deployed, creating leverage independent of encryption
- Backup systems were located and deleted to prevent recovery
- The operation was structured and patient, designed to maximise impact before triggering any alerts
Implication: This attack did not start with a vulnerability. It started with a username and a password. For organisations investing heavily in perimeter controls and patch management, this case highlights a harder question: how well do you understand who has valid access to your environment, and what they could do with it? Identity is not a secondary concern. In many attacks, it is the primary entry point.
Case 3: From a Single Click: Lunar Spider and a Near Two-Month Intrusion
- A single user action gave Lunar Spider an initial foothold
- Multiple tools were deployed across the environment including Brute Ratel, Cobalt Strike and a custom backdoor
- The group moved carefully over nearly two months, maintaining persistence throughout
- Data was exfiltrated over an extended period
- Ransomware was never deployed. The goal was intelligence and sustained access, not disruption
Implication: This case challenges a common assumption: that if nothing has visibly broken, nothing is wrong. Nearly two months of undetected access is not unusual for organised threat groups operating with patience and clear objectives. For security teams whose detection capability has only ever been tested in scheduled exercises, this raises a practical question: would you know if someone was already in your environment right now?
Key Patterns Across This Month’s Attacks
Three cases. Three different entry points. The same underlying behaviours running through all of them.
- Attackers return after initial access. Eviction does not guarantee safety. Harvested credentials and environmental knowledge persist long after the attacker appears to have left.
- Valid credentials are preferred over exploits. RDP and legitimate tooling dominated all three cases. Attackers are not breaking in. They are logging in.
- Backup systems are a deliberate target. Destroying recovery capability before deploying ransomware is now standard practice.
- Data theft precedes encryption. Exfiltration happened before ransomware was deployed in two of three cases, creating leverage independent of encryption.
- Dwell times range from days to months. Attackers operate on their own timeline, not yours.
These are not isolated incidents or edge cases. They are consistent patterns observed across different threat groups, different sectors and different entry points.
Attackers behave like operators, not scripts.
Why This Matters for Enterprise Security Teams
Most enterprise organisations invest in penetration testing, red team engagements and vulnerability scanning. These are valuable. But they share a fundamental limitation. They are point-in-time.
A penetration test tells you what your environment looked like during a defined window. A red team engagement ends when the clock runs out, often before the full impact of access has been explored. A vulnerability scan identifies weaknesses in isolation, without showing how they combine into a real attack path.
Consider what that means against the cases above.
- An attacker who returns eighteen days after eviction will not appear in a two-week engagement
- Credentials stolen during one intrusion and reused weeks later will not be flagged by a scanner
- Two months of quiet lateral movement and data exfiltration will not surface in a point-in-time report
This is not a criticism of those tools. They serve a purpose. But they were not designed to validate how an organisation performs under sustained, adaptive pressure. And that is precisely what the cases above represent.
The question is no longer simply “are we vulnerable?” It is: “how would we perform under sustained attack?”
How WRAITH Addresses This
WRAITH is human-led. Experienced red team operators work continuously against your environment, adapting in real time like a genuine attacker would. Campaigns are unannounced, intelligence-led and evolve based on what operators uncover over weeks and months.
That matters because the most dangerous attack patterns cannot be replicated by automation. Patience cannot be scripted. Neither can the judgement to know when to move, when to wait and when to stay quiet. The result is a clear, evidence-based view of how your organisation would perform under sustained attack, across identity, lateral movement, detection and response.
The most dangerous attacks are not the ones that hit fast. They are the ones that stay.