Over 3,000 internet-accessible Apache ActiveMQ servers are currently at risk from a critical remote code execution vulnerability, CVE-2023-46604 [3]. The vulnerability is being actively exploited by threat actors to distribute ransomware [3]. This article describes the vulnerability, the observed exploit activity [3], and the actions recommended to mitigate the risk.

Description

The vulnerability, tracked as CVE-2023-46604 [1] [2] [4], is an unauthenticated deserialization bug in ActiveMQ's OpenWire transport connector [6]. It allows an attacker to execute arbitrary commands on an affected system with the same privileges as the ActiveMQ server process [6]. The flaw carries the maximum severity score of 10.0 (CVSS) and gives threat actors arbitrary shell command execution on the host.

Researchers have observed exploit activity targeting this vulnerability [3], with the HelloKitty ransomware family being deployed in the attacks [1] [3]. Although the attacks observed so far appear somewhat rudimentary [3], organizations are advised to patch quickly to protect against more capable exploitation in the future [3].

The Apache Software Foundation has released updated versions of the affected software and recommends upgrading to mitigate the risk [3]. Approximately 3,200 vulnerable ActiveMQ installations are accessible from the internet, the majority of them located in Asia, Europe, and North America [6]. Enterprise admins are advised to upgrade their ActiveMQ installation and actively monitor for signs of compromise [6].

Rapid7 has published details of the attackers' behavior and indicators of compromise [6]. The Shadowserver Foundation has likewise identified over 3,000 vulnerable ActiveMQ instances [4]. Users are advised to update to a fixed version of ActiveMQ and to scan their networks for signs of compromise [4].

Huntress [5], a cybersecurity company, has observed this vulnerability being exploited in environments it monitors and urges immediate patching [5]. The fixed releases are 5.15.16, 5.16.7, 5.17.6 [5], and 5.18.3 [5]. The ActiveMQ command line tool can be used to determine the installed version [5]. If patching is not possible [5], blocking the affected systems from internet access is recommended [5].
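The version check described above is easy to get wrong by hand because the fix landed on four separate release branches. The following is an added example, not code from the article or from Huntress or the Apache project: it pulls an x.y.z version string out of text such as the output of the ActiveMQ command line tool or a jar filename (the exact output format is assumed, not taken from the page) and reports whether that release predates the fix on its branch. The fixed-version table is the one stated above; any branch not in the table is reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fixed releases per branch, as listed in the article (Huntress [5]).
# Assumption: a release on a listed branch is patched once its patch
# number reaches the fixed one; branches older than 5.15 never got a fix.
FIXED_PATCH = {
    (5, 15): 16,
    (5, 16): 7,
    (5, 17): 6,
    (5, 18): 3,
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z version found in text, or None.

    Works on assumed inputs such as 'ActiveMQ 5.17.5' (tool output) or
    'activemq-client-5.17.5.jar' (jar filename); the format is not from the page.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version as 'vulnerable', 'fixed' or 'unknown' for CVE-2023-46604."""
    major, minor, patch = version
    # Everything before the 5.15 branch is affected and has no fixed release.
    if major < 5 or (major == 5 and minor < 15):
        return "vulnerable"
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        # Not covered by the table on this page; consult the Apache advisory.
        return "unknown"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def check(text: str) -> str:
    """Convenience wrapper: parse then assess; 'unknown' if no version is present."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return assess(version)


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [
        "ActiveMQ 5.17.5",
        "ActiveMQ 5.18.3",
        "activemq-client-5.15.16.jar",
        "activemq-all-5.14.5.jar",
        "no version here",
    ]
    for sample in samples:
        print(f"{sample!r:32} -> {check(sample)}")
```

A "fixed" result only says the installed release is not affected by this bug; it says nothing about whether the host was compromised before the upgrade, so it complements rather than replaces the compromise monitoring recommended above.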

The attack process involves connecting to ActiveMQ over the OpenWire protocol and sending a crafted packet that causes the server to unmarshal an attacker-controlled class [5], which in turn makes the server load a class configuration XML file from a remote URL [5]. The loaded class can then carry out a range of post-exploitation actions [5]. Huntress demonstrated successful exploitation by launching notepad.exe and creating a file in the vulnerable server's directory [5]. A Metasploit module automates the exploit [5].

HelloKitty ransomware [1] [2] [3] [6], also known as FiveHands [2], has been used in high-profile attacks and employs double extortion tactics [2]. The attackers exploiting CVE-2023-46604 may be the original gang or another party who adopted the program after it was leaked [2]. ActiveMQ users are advised to install the available updates and follow the Apache Foundation's guidance on hardening security [2].

Conclusion

The vulnerability in Apache ActiveMQ poses a significant risk to organizations, as threat actors are actively exploiting it to distribute ransomware. Organizations should promptly upgrade to a fixed version of ActiveMQ to mitigate the risk. Active monitoring for signs of compromise and following the Apache Foundation's guidance on hardening security are also recommended. Taking these steps protects against further exploitation and limits the impact of this vulnerability.

References

[1] https://duo.com/decipher/threat-actors-target-apache-activemq-flaw
[2] https://www.csoonline.com/article/657956/hellokitty-ransomware-deployed-via-critical-apache-activemq-flaw.html
[3] https://www.darkreading.com/attacks-breaches/attackers-target-max-severity-apache-activemq-bug-to-drop-ransomware
[4] https://thehackernews.com/2023/11/hellokitty-ransomware-group-exploiting.html
[5] https://www.huntress.com/blog/critical-vulnerability-exploitation-of-apache-activemq-cve-2023-46604
[6] https://www.helpnetsecurity.com/2023/11/02/cve-2023-46604-ransomware/