Attackers have begun exploiting a critical remote code execution vulnerability patched last week in Apache ActiveMQ to deploy ransomware on enterprise networks. Users are urged to upgrade the software as soon as possible. “Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments,” researchers from security firm Rapid7 said in a report. “In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations.”
Based on the ransom note left behind and other details of the attack, Rapid7 believes the attackers deployed the HelloKitty ransomware program, whose source code was leaked on underground forums earlier this month.
A critical Java deserialization flaw
Apache ActiveMQ is an open-source Java message broker that supports multiple transport protocols for moving messages and data between different applications and clients written in different programming languages. It is a popular middleware component used in building enterprise software solutions.
On October 25, the ActiveMQ developers released security updates to patch a critical vulnerability tracked as CVE-2023-46604 that can lead to remote code execution. Vulnerability details and a proof-of-concept exploit have since been posted online by security researchers. “The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” the official advisory reads.
According to Rapid7, the flaw stems from insecure deserialization. Serialization is the conversion of data into a binary format for transmission over the wire and is a common technique in Java applications. Deserialization is the reverse of that process, performed on the receiving end; if the incoming input is not properly validated before classes are instantiated from it, it can lead to security issues. Java deserialization is its own class of vulnerability that has grown in prominence in recent years, with many projects affected by such flaws.
The HelloKitty ransomware
HelloKitty is a ransomware program that first appeared in 2020 and has been used in several high-profile attacks, including one against game studio CD Projekt Red in February 2021, when the attackers claimed to have stolen the source code for several popular games, including Cyberpunk 2077, Witcher 3, and Gwent.