This Cybersecurity Threat Advisory discusses a new critical security flaw that was discovered in the Apache ActiveMQ open-source message broker service. This security flaw can potentially result in remote code execution, which is currently being exploited by the HelloKitty ransomware group. In two reported incidents, attackers attempted to deploy ransomware binaries to targeted systems to hold organizations for ransom.
What is the threat?
The vulnerability, known as CVE-2023-46604, is a remote code execution vulnerability, allowing threat actors with remote network access to a broker to run arbitrary shell commands via manufactured serialized class types in the OpenWire protocol to cause the broker to represent any class on the classpath. While complex in its execution, the primary cause of this vulnerability is insecure deserialization. Successful exploitation is followed by the loading of remote binaries named M2.ping and M4.ping, each containing a 32-bit .NET executable name “dllloader”. This executable then loads a Base64-encoded payload known as “EncDLL” to find and terminate specific processes before encrypting and locking the files behind a “.locked” extension.
Why is it noteworthy?
This vulnerability has been given the highest CVSS score of 10.0, a maximum severity alert. There have been many ransomware attack attempts reported. Fortunately, the attempts were unsuccessful and assets were not encrypted.
What is the exposure or risk?
This vulnerability affects multiple versions of Apache ActiveMQ, including 5.18.0 before 5.18.3; 5.17.0 before 5.17.6; and 5.16.0 before 5.16.7, among others. Since the vulnerability’s disclosure, a proof-of-concept exploit code, along with other technical specifics, has been made public. The most vulnerable servers are found in China, the US, Germany, South Korea, and India.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impacts of the HelloKitty vulnerability:
- Users are recommended to update to the fixed version of ActiveMQ as soon as possible.
- Regularly scan your networks for any indicators of compromise.
- Utilize Barracuda XDR to perform a vulnerability scan in your environment to identify any IOCs associated with this vulnerability.
For more in-depth information for the above recommendations, please visit the following links:
- Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog
- HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability (thehackernews.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.