Attackers exploiting Apache ActiveMQ flaw to deliver ransomware (CVE-2023-46604)
Ransomware-wielding attackers are trying to break into servers running outdated versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604).
“Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” Rapid7 researchers shared on Wednesday.
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”
Apache ActiveMQ is an open source message broker – a program that translates messages from one messaging protocol to another, allowing communication between diverse services.
ActiveMQ supports a variety of protocols, including OpenWire (the native wire format of ActiveMQ), MQTT (messaging protocol for IoT), AMQP (protocol for business messaging and IoT device management), REST, STOMP, and WebSockets.
CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ’s OpenWire transport connector, which is enabled by default.
“Successful exploitation allows an attacker to execute arbitrary code with the same privileges of the ActiveMQ server,” Rapid7’s researchers explained.
Affected versions:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
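To turn the ranges above into a check an administrator can run against an installed broker, here is an added Python helper (not code from the article, Rapid7 or the ActiveMQ project). The version boundaries are the ones listed above; the jar file naming pattern (e.g. lib/activemq-client-5.17.2.jar) is an assumption used to recover the version from disk.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as [first affected, first fixed), taken from the list above.
# ActiveMQ Classic: the oldest branch has no stated lower bound, modelled as 0.0.0.
CLASSIC_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),
]
# Legacy OpenWire Module: same branches, but the oldest one starts at 5.8.0.
LEGACY_OPENWIRE_RANGES = CLASSIC_RANGES[:3] + [((5, 8, 0), (5, 15, 16))]

# Assumed jar naming such as lib/activemq-client-5.17.2.jar (not from the article).
JAR_RE = re.compile(r"activemq-(?:[a-z]+-)*(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '5.17.2' or '5.17.2-SNAPSHOT' into a 3-tuple; '5.18' pads to 5.18.0."""
    parts = text.strip().split("-")[0].split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    nums = [int(p) for p in parts] + [0, 0, 0]
    return (nums[0], nums[1], nums[2])

def fixed_release_for(version: str, ranges=CLASSIC_RANGES) -> Optional[str]:
    """First fixed release on the same branch, or None when not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in ranges:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None

def is_affected(version: str, ranges=CLASSIC_RANGES) -> bool:
    return fixed_release_for(version, ranges) is not None

def version_from_jar_name(path: str) -> Optional[str]:
    """Recover the version from a jar file name, e.g. activemq-all-5.17.2.jar."""
    m = JAR_RE.search(path)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed sample paths, one affected build and one fixed build.
    for jar in ("lib/activemq-client-5.17.2.jar", "lib/activemq-all-5.18.3.jar"):
        ver = version_from_jar_name(jar)
        fix = fixed_release_for(ver) if ver else None
        print(jar, "->", f"affected, upgrade to {fix}" if fix else "not in an affected range")
```

Pass `LEGACY_OPENWIRE_RANGES` as the second argument when checking the Legacy OpenWire Module, whose oldest affected branch begins at 5.8.0 rather than having no lower bound.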
ActiveMQ project maintainers released fixed versions on October 25 and 26. On October 27 – the same day that the security researcher who goes by “X1r0z” published a proof of concept exploit for CVE-2023-46604 – they publicly disclosed that the flaw had been patched.
Mitigation and remediation
According to the Shadowserver Foundation, there are around 3,200 vulnerable ActiveMQ installations accessible from the internet. Most of them are in Asia, Europe and North America.
Enterprise admins are advised to upgrade their ActiveMQ installation to a fixed release and look for signs of compromise. Rapid7 has provided helpful details about the attackers’ behavior and indicators of compromise.
UPDATE (November 6, 2023, 07:30 a.m. ET):
“Arctic Wolf Labs has gathered forensic evidence showing that CVE-2023-46604 was being exploited in the wild as early as October 10, 2023, prior to the disclosure of a CVE or proof of concept exploitation code. After exploiting CVE-2023-46604, 45.32.120[.]181 was observed deploying SparkRAT,” Arctic Wolf researchers have shared.
“More recently, two separate ransomware campaigns were observed exploiting this vulnerability for initial access, originating from the IP address 172.245.16[.]125. This IP address was observed delivering additional payloads as part of the ransomware attacks.”
They say that IoCs (IP address, domains, Bitcoin wallet address) associated with this intrusion overlap with those of previous intrusions where the TellYouThePass ransomware was deployed.
ActiveMQ maintainers have confirmed that both ActiveMQ “Classic” and ActiveMQ Artemis have the vulnerable code, but that Artemis “doesn’t ship Spring so there is currently no known exploit.”
Security updates for both flavors are available.