
Critical Apache ActiveMQ Vulnerability Exploited to Deliver Ransomware

A recently patched vulnerability affecting the Apache ActiveMQ message broker is being exploited by cybercriminals in an apparent attempt to deliver ransomware.

Apache ActiveMQ is described as the “most popular open source, multi-protocol, Java-based message broker”. Several 5.x.x versions of the product, as well as the Apache ActiveMQ Legacy OpenWire Module, are affected by CVE-2023-46604, a security hole that can be exploited for remote code execution.

“The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” developers explained in an advisory.

CVE-2023-46604 has been patched with the release of versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, which Apache ActiveMQ users should install as soon as possible.

The patch was committed to the source code on October 24 and the existence of the vulnerability was made public on October 27.
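To turn the fixed releases listed above into a patch-triage check, the following script (an added example, not code from the article, Apache or Rapid7) compares an ActiveMQ version string against the minimum fixed release of its 5.x maintenance branch. The inventory format (`host version-string` lines) and the hostnames are constructed for the example.

```python
"""Triage Apache ActiveMQ hosts against the CVE-2023-46604 fixed releases
named in the advisory: 5.15.16, 5.16.7, 5.17.6 and 5.18.3."""
import re

# Minimum fixed release per affected 5.x maintenance branch (from the advisory).
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract the first x.y.z version from a banner or jar name,
    e.g. 'ActiveMQ 5.17.3' or 'apache-activemq-5.17.3'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable(version):
    """True if this 5.x release predates the fixed release of its branch.
    5.x branches older than 5.15 never received a fix, so they count as
    vulnerable; branches newer than 5.18 and other majors are outside
    the advisory's affected range."""
    major, minor, _ = version
    if major != 5:
        return False
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return minor < 15
    return version < fixed

# Constructed inventory: one 'hostname version-string' line per broker.
SAMPLE_INVENTORY = """\
mq-prod-1 apache-activemq-5.17.3
mq-prod-2 apache-activemq-5.18.3
mq-legacy apache-activemq-5.14.5
mq-new    apache-activemq-6.0.0
"""

def triage(inventory):
    """Return the hostnames whose broker version still needs the patch."""
    needs_patch = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, rest = line.partition(" ")
        if is_vulnerable(parse_version(rest)):
            needs_patch.append(host)
    return needs_patch

if __name__ == "__main__":
    print("needs patch:", triage(SAMPLE_INVENTORY))
```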


On the same day, cybersecurity firm Rapid7 started seeing in-the-wild exploitation attempts.

In these attacks, cybercriminals attempted to exploit CVE-2023-46604 to deliver ransomware to the targeted system. The attacks were linked to the HelloKitty ransomware family, whose source code was leaked roughly one month ago.

“The threat actor’s attempts at ransomware deployment were somewhat clumsy: In one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets,” Rapid7 said in a blog post.

On October 30, the Shadowserver Foundation reported seeing over 7,000 internet-exposed ActiveMQ instances, including roughly 3,300 that were vulnerable to attacks exploiting CVE-2023-46604.

Technical details and proof-of-concept (PoC) code for CVE-2023-46604 are publicly available and they could be useful to other threat groups looking to exploit the vulnerability.

This isn’t the first Apache ActiveMQ vulnerability that has been exploited in the wild. CISA’s Known Exploited Vulnerabilities Catalog includes CVE-2016-3088, which allows remote attackers to upload and execute arbitrary files.
