Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could lead to remote code execution.
“In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” cybersecurity firm Rapid7 disclosed in a report published Wednesday.
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”
The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands.
It is worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
The vulnerability affects the following versions:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
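The version list above is easy to misread during patch triage, because the lower bound differs between the core broker and the Legacy OpenWire module. The following added example (not from the article, Rapid7 or the Apache project) encodes exactly those ranges and classifies an inventory of version strings; the component labels and the sample inventory are constructed for illustration.

```python
import re

# (first affected, first fixed) per release branch, copied from the advisory's list.
# A version is affected when first_affected <= version < first_fixed.
# The core product's oldest range is open-ended ("before 5.15.16"); the Legacy
# OpenWire module's oldest range starts at 5.8.0. Component labels are my own.
AFFECTED_RANGES = {
    "activemq": [
        (None, (5, 15, 16)),
        ((5, 16, 0), (5, 16, 7)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 18, 0), (5, 18, 3)),
    ],
    "legacy-openwire": [
        ((5, 8, 0), (5, 15, 16)),
        ((5, 16, 0), (5, 16, 7)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 18, 0), (5, 18, 3)),
    ],
}


def parse_version(text):
    """Turn '5.17.3' (a missing patch level or a trailing suffix is tolerated) into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version, component="activemq"):
    """True when the version falls inside one of the affected ranges for the component."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES[component]:
        if (low is None or low <= v) and v < fixed:
            return True
    return False


def triage(inventory):
    """Return the hosts from (host, component, version) records that still need the fix."""
    return sorted(host for host, component, version in inventory
                  if is_affected(version, component))


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("mq-prod-1", "activemq", "5.18.2"),          # affected: below 5.18.3
    ("mq-prod-2", "activemq", "5.18.3"),          # fixed
    ("mq-legacy", "activemq", "5.12.0"),          # affected: before 5.15.16
    ("gw-old", "legacy-openwire", "5.7.0"),       # module range starts at 5.8.0
    ("gw-new", "legacy-openwire", "5.16.6"),      # affected: below 5.16.7
]
```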
Since the bug's disclosure, proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from exploitation of CVE-2023-46604.”
Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).
Both MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions like ransomware, searching for and terminating a specific set of processes before commencing the encryption process and appending the “.locked” extension to the encrypted files.
Image source: Shadowserver Foundation
The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are vulnerable to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.
In light of the active exploitation of the flaw, users are recommended to update to a fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.