The recently disclosed Apache ActiveMQ remote code execution (RCE) flaw, CVE-2023-46604 is being exploited to spread ransomware binaries on target systems and demand a ransom from the victim organizations.
Based on the evidence and the ransom note, Rapid7 experts have linked the activity to the HelloKitty ransomware family, whose source code was made public on a forum in early October.
CVE-2023-46604 is a critical severity RCE with a CVSS v3 score of 10.0, exploiting the serialized class types in the OpenWireprotocol that enables attackers to execute arbitrary shell commands.
“The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” ShadowServer reports.
The compromised environments’ indications were present in both of the impacted customer environments, which were using outdated Apache ActiveMQ versions.
Affected Versions
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
On October 25, 2023, Apache announced the issue and updated ActiveMQ. Details on vulnerabilities and proof-of-concept exploit code are both made publicly available.
HelloKitty Ransomware Exploiting Apache ActiveMQ Flaw
In 2020, the ransomware program HelloKitty appeared and has since been used in other high-profile attacks.
In this case, the attacker attempts to use the Windows Installer (msiexec) to load remote binaries with the names M2.png and M4.png after successful exploitation.
The 32-bit.NET executable named dllloader, contained in both MSI files, loads a Base64-encoded payload called EncDLL. EncDLL acts similarly to ransomware, searching and ending a particular set of processes before starting the encryption process and appending the encrypted files with the “.locked” extension.
Fix Released
The issues have been addressed in 5.15.16, 5.16.7, 5.17.6, or 5.18.3 versions.
Mitigation
As soon as feasible, organizations should upgrade to an addressed version of ActiveMQ and examine their systems for signs of vulnerability.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.