Apache ActiveMQ Vulnerability Exploited to Deploy Ransomware on Over 3,000 Systems

November 2, 2023

Attackers are taking advantage of a severe vulnerability in Apache ActiveMQ to distribute ransomware. This vulnerability, identified as CVE-2023-46604, is currently exposing more than 3,000 internet-accessible systems to potential attacks. The Apache Software Foundation (ASF) revealed the existence of this vulnerability on October 27. The flaw enables a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems.

Publicly available proof-of-concept exploit code and detailed information about the vulnerability provide threat actors with the tools and knowledge necessary to exploit the flaw. Rapid7 researchers have detected exploit activity aimed at this vulnerability at two client locations, beginning on the same day that ASF announced the threat.

According to the researchers, the attackers attempted to deploy ransomware binaries on the targeted systems in both cases, aiming to extort the victim organizations. The targeted organizations were found to be using outdated versions of Apache ActiveMQ. The researchers identified the malicious activity as being associated with the HelloKitty ransomware family, based on the ransom note and other characteristics of the attack. The HelloKitty ransomware has been active since at least 2020, and its operators typically use double-extortion tactics - not only encrypting the data but also stealing it to increase their leverage in demanding a ransom from victims.

The HelloKitty ransomware attacks exploiting the ActiveMQ vulnerability seemed somewhat basic. In one instance, the attacker attempted to encrypt the data over half a dozen times, leading the researchers to describe the threat actor as 'clumsy' in their report. 'Exploit code for this vulnerability has been publicly available since last week, and our researchers have confirmed exploitability,' said Caitlin Condon, head of threat research at Rapid7. 'The threat activity Rapid7 observed looked like automated exploitation and wasn't particularly sophisticated, so we would advise that organizations patch quickly to protect against potential future exploitation.'

As of October 30, according to data released by the ShadowServer organization, some 3,329 internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604. ActiveMQ is a widely used open source message broker facilitating communication between different applications, services, and systems. Enlyft, a data analytics firm, has estimated that around 13,120 companies, mainly small and medium-sized, use ActiveMQ.

The ASF has assigned the vulnerability a maximum severity score of 10.0 on the CVSS scale and has released updated versions of the affected software. It is advising organizations using the technology to upgrade to the fixed version to mitigate risk. The vulnerability, CVE-2023-46604, is an insecure deserialization bug, a type of vulnerability that occurs when an application deserializes untrusted or manipulated data without first validating its legitimacy. Such flaws are often exploited by adversaries who send a maliciously crafted object which, when deserialized, executes malicious or unauthorized code, leading to breaches and arbitrary code execution.
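To illustrate the class of bug described above, here is an added example (not code from the article or from the ActiveMQ project) contrasting unchecked deserialization with a deserializer that validates the requested class against an allowlist before instantiating anything. Python's pickle stands in for the Java serialization ActiveMQ uses; `BrokerMessage`, `Gadget` and the allowlist are constructed for illustration and do not describe how ActiveMQ's own fix works.

```python
import builtins
import io
import pickle


class BrokerMessage:
    """A type the receiving application legitimately expects."""

    def __init__(self, topic, body):
        self.topic = topic
        self.body = body


class Gadget:
    """Constructed stand-in for an attacker-crafted object: its reduce hook
    makes the deserializer call an arbitrary importable callable on load.
    A benign print() is used here; the point is that the callable runs at all."""

    def __reduce__(self):
        return (builtins.print, ("callable executed during deserialization",))


# Only these (module, name) pairs may be resolved while unpickling.
ALLOWED_GLOBALS = {(BrokerMessage.__module__, "BrokerMessage")}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Validate the class reference before the stream can instantiate it.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)


def unsafe_loads(data):
    # Vulnerable pattern: trusts whatever classes the stream names.
    return pickle.loads(data)


def safe_loads(data):
    # Hardened pattern: same stream, but every class lookup is checked first.
    return AllowlistUnpickler(io.BytesIO(data)).load()


def demo():
    legit = pickle.dumps(BrokerMessage("orders", "hello"))
    crafted = pickle.dumps(Gadget())  # constructed "malicious" stream
    unsafe_loads(crafted)  # prints: the attacker-chosen callable ran
    try:
        safe_loads(crafted)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return safe_loads(legit).topic, blocked


if __name__ == "__main__":
    print(demo())
```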
