Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.
“In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” cybersecurity firm Rapid7 disclosed in a report published Wednesday.
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”
The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands.
It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3, released late last month.
The vulnerability affects the following versions:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
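As an added example (not code from the article, Rapid7 or the Apache project), the following Python encodes the affected ranges listed above so an installed version string can be checked against them; the product keys `activemq` and `legacy-openwire` are names chosen here, not Apache identifiers.

```python
# Added example: classify an Apache ActiveMQ version string against the
# CVE-2023-46604 affected ranges quoted in the advisory text above.
import re

# Each entry is (lowest affected version inclusive, fixed version exclusive).
# "Apache ActiveMQ before 5.15.16" states no lower bound, so 0.0.0 is used;
# the Legacy OpenWire Module range explicitly starts at 5.8.0.
_AFFECTED_RANGES = {
    "activemq": [
        ((0, 0, 0), (5, 15, 16)),
        ((5, 16, 0), (5, 16, 7)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 18, 0), (5, 18, 3)),
    ],
    "legacy-openwire": [
        ((5, 8, 0), (5, 15, 16)),
        ((5, 16, 0), (5, 16, 7)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 18, 0), (5, 18, 3)),
    ],
}


def parse_version(text):
    """Turn '5.15.15', 'v5.18.2' or '5.18.2-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version, product="activemq"):
    """True if the version falls inside any affected range for the product."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in _AFFECTED_RANGES[product])


def fixed_version_for(version, product="activemq"):
    """Return the first fixed release for the matching range, or None if not affected."""
    v = parse_version(version)
    for lo, hi in _AFFECTED_RANGES[product]:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    for sample in ("5.15.15", "5.15.16", "5.18.2-SNAPSHOT", "5.19.0"):
        print(sample, "affected" if is_affected(sample) else "not affected",
              fixed_version_for(sample))
```

Feed it the version reported by the broker (for example from its `activemq --version` output or the bundled jar names) to decide whether a host still needs the fixed release.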
Since the bug's disclosure, proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from exploitation of CVE-2023-46604.”
Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).
Both MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching for and terminating a specific set of processes before commencing the encryption process and appending the encrypted files with the “.locked” extension.
Image source: Shadowserver Foundation
The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are vulnerable to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.
In light of the active exploitation of the flaw, users are recommended to update to the fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.