A critical security flaw [1] [2] [4] [5], tracked as CVE-2023-46604 [2] [3] [4] [5], has been discovered in Apache ActiveMQ, causing concern in the cybersecurity community [4].

Description

This vulnerability allows arbitrary code execution in memory, enabling threat actors to run arbitrary shell commands on the broker remotely [2] [4] [5]. Ransomware outfits [1] [4] [5], such as the Hello Kitty group, have actively exploited it to deploy ransomware strains like TellYouThePass and a remote access trojan called SparkRAT. These attacks use a public proof-of-concept exploit disclosed in October 2023 [4] [5], which leverages the ClassPathXmlApplicationContext class in the Spring framework to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution [5]. VulnCheck has developed an improved exploit that uses the FileSystemXmlApplicationContext class together with a specially crafted SpEL expression to achieve the same result and even obtain a reverse shell [5]. However, this method triggers an exception message in the activemq.log file [5], so attackers must clean up that forensic trail to stay unnoticed [5].

To mitigate the risk of stealthy attacks using CVE-2023-46604 [5], it is crucial to patch ActiveMQ servers and take them off the public internet [5]. Apache has released fixes for the vulnerability in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 [2] [5], and 5.18.3 [5]. The Hello Kitty ransomware group has exploited this vulnerability by manipulating serialized class types within the OpenWire protocol, allowing them to execute arbitrary shell commands remotely and load remote binaries that function as ransomware. Proof of Concept (PoC) exploit code for CVE-2023-46604 has been publicly disclosed on GitHub [3], increasing the risk of attacks [3]. Apache has issued an advisory recommending specific steps to mitigate the threat [3], emphasizing the importance of acting swiftly and installing the recommended software updates to minimize risk.
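Because the fix is shipped per maintenance branch, an inventory of broker versions has to be compared against the right fixed release for each branch, not against a single version number. The following Python triage script is an added example (not code from the page, from Apache, or from any of the cited sources): it classifies discovered ActiveMQ versions against the four fixed releases named above. The inventory is constructed sample data; the handling of branches outside the four listed ones (older branches treated as needing an upgrade to a supported branch, newer branches treated as released after the fix) is an assumption of this example.

```python
# Added example (not from the page or from the Apache ActiveMQ project):
# classify discovered ActiveMQ broker versions against the releases that
# fix CVE-2023-46604, so a fleet can be triaged for patching.
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed releases for CVE-2023-46604, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Accepts "5.18.2", "5.18.2-SNAPSHOT", etc.; only the numeric prefix matters.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


class Assessment(NamedTuple):
    version: str
    vulnerable: Optional[bool]  # None when the version string cannot be parsed
    action: str


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess(version_text: str) -> Assessment:
    """Decide whether one broker version still needs the CVE-2023-46604 fix."""
    v = parse_version(version_text)
    if v is None:
        return Assessment(version_text, None, "unparseable version; verify manually")
    branch = v[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        if v >= fixed:
            return Assessment(version_text, False, "patched")
        target = ".".join(map(str, fixed))
        return Assessment(version_text, True, f"upgrade to {target} or later")
    # Assumption: branches newer than the latest fixed branch were released
    # after the fix and carry it.
    if branch > max(FIXED_RELEASES):
        return Assessment(version_text, False, "released after the fix; keep current")
    # Assumption: older branches (e.g. 5.14.x) received no in-branch fix and
    # must move to one of the fixed branches.
    return Assessment(version_text, True, "no fixed release on this branch; upgrade")


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, Assessment]]:
    """Assess every (host, version) pair, listing vulnerable hosts first."""
    results = [(host, assess(ver)) for host, ver in inventory]
    return sorted(results, key=lambda hv: (hv[1].vulnerable is not True, hv[0]))


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.18.2"),
    ("mq-prod-02", "5.18.3"),
    ("mq-legacy-01", "5.14.5"),
    ("mq-staging-01", "5.16.7-SNAPSHOT"),
    ("mq-unknown-01", "n/a"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {result.version:16} vulnerable={result.vulnerable} -> {result.action}")
```

Run it against a real export of broker versions (for example from a CMDB or from banner data collected by your own scanner) by replacing SAMPLE_INVENTORY; the ordering puts the hosts that still need the fix at the top of the list.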

Conclusion

To address the impact of CVE-2023-46604, it is crucial to promptly patch ActiveMQ servers and follow the recommended steps to mitigate the threat. Staying informed about the latest detection methods and threat intelligence is essential in defending against potential attacks [3]. The disclosure of the PoC exploit code on GitHub raises the risk of attacks, highlighting the need for vigilance and proactive measures.

References

[1] https://patabook.com/technology/2023/11/16/new-poc-exploit-for-apache-activemq-flaw-could-let-attackers-fly-under-the-radar/
[2] https://www.cyberevive.com/2023/11/15/new-poc-exploit-for-apache-activemq-flaw-could-let-attackers-fly-under-the-radar/
[3] https://tuxcare.com/blog/protecting-against-apache-activemq-vulnerability/
[4] https://cisotimes.com/new-poc-for-apache-activemqs-critical-flaw-unleashes-a-wave-of-cyber-mayhem/
[5] https://thehackernews.com/2023/11/new-poc-exploit-for-apache-activemq.html