The Managed Detection and Response team at Rapid7 has discovered a new cyber threat targeting Apache ActiveMQ servers. The threat actors are exploiting a vulnerability, CVE-2023-46604, to deploy the HelloKitty ransomware. The ransomware has caused significant disruption to various organizations, with the potential to cause complete organizational paralysis.
On October 27, two customer environments were targeted by attackers who deployed the HelloKitty ransomware, whose code had been leaked on the internet earlier in the month. The attack method seen in both incidents indicated that systems running outdated versions of ActiveMQ were exposed to the vulnerability.
Apache disclosed the vulnerability and released updated versions of ActiveMQ on October 25, 2023. Both proof-of-concept exploit code and details about the vulnerability are publicly available. Patched releases were published at the same time, with the fixed versions ranging from 5.15.16 to 5.18.3.
The attackers exploited the vulnerability in the same way in each case, with the malicious activity originating from the java.exe process of the vulnerable application. That process was typically running from D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64. The HelloKitty ransomware was deployed on the target systems as MSI files named M2.png and M4.png. The ransomware encrypts files with specific extensions using the .NET RSACryptoServiceProvider class and appends the .locked extension to each encrypted file.
Rapid7 observed the ransomware attempting to communicate with an HTTP server at 172.245.16[.]125. The ransom note directs victims to contact the attackers at the email address service@hellokittycat[.]online. Analysis of the MSI files, which were disguised as images, revealed a .NET executable named dllloader that carries a ransomware-like payload, the EncDLL binary. The payload searches for and stops running processes, then uses RSACryptoServiceProvider to encrypt files.
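The process-level indicators described above (an ActiveMQ java.exe parent launching msiexec.exe, and MSI packages carrying a .png name) can be turned into a simple detection over process-creation telemetry. The following is an added example written for this article, not code from Rapid7's report; the event records are constructed, and the field layout (parent image, child command line) is an assumption about the log source.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events: (parent image, child command line).
# Paths and package names follow the indicators in the article; the events
# themselves are made up for this example.
SAMPLE_EVENTS = [
    (r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     r'"C:\Windows\System32\msiexec.exe" /i C:\Users\Public\M2.png /quiet'),
    (r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     r'"C:\Windows\System32\msiexec.exe" /i C:\Users\Public\M4.png /quiet'),
    # Benign: an interactive install of a real .msi from explorer.exe.
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\msiexec.exe" /i C:\Temp\vendor-update.msi'),
    # Benign: the broker spawning a normal helper process.
    (r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     r'"C:\Windows\System32\conhost.exe" 0x4'),
]

# java.exe living under an apache-activemq-<version>\bin\ directory is the broker.
ACTIVEMQ_BIN = re.compile(r"\\apache-activemq-[\d.]+\\bin\\", re.IGNORECASE)
# The package argument of msiexec: "/i <path>", optionally quoted.
PACKAGE_ARG = re.compile(r"/i\s+\"?([^\"\s]+)", re.IGNORECASE)


def child_image(cmdline: str) -> str:
    """Extract the executable from a command line, honouring a quoted first token."""
    return cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]


def flag_event(parent_image: str, child_cmdline: str) -> list:
    """Return the reasons (possibly none) an event matches the intrusion pattern."""
    reasons = []
    parent = PureWindowsPath(parent_image)
    child = PureWindowsPath(child_image(child_cmdline))
    broker_parent = parent.name.lower() == "java.exe" and ACTIVEMQ_BIN.search(parent_image)
    if child.name.lower() == "msiexec.exe":
        if broker_parent:
            reasons.append("ActiveMQ java.exe spawned msiexec.exe")
        m = PACKAGE_ARG.search(child_cmdline)
        if m and PureWindowsPath(m.group(1)).suffix.lower() != ".msi":
            reasons.append(f"MSI package disguised with extension {PureWindowsPath(m.group(1)).suffix}")
    return reasons


def scan(events) -> list:
    """Return (child command line, reasons) for every event that raised at least one reason."""
    hits = []
    for parent, child in events:
        reasons = flag_event(parent, child)
        if reasons:
            hits.append((child, reasons))
    return hits
```

Only the two M2.png / M4.png launches are flagged, each on both counts; the explorer.exe install and the conhost.exe child produce no hits.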
To protect against the Apache ActiveMQ CVE-2023-46604 vulnerability, it is recommended to upgrade to the latest version of ActiveMQ as soon as possible.