A recently developed proof-of-concept (PoC) exploit takes advantage of a critical security vulnerability (CVE-2023-46604) in Apache ActiveMQ, an open-source message broker. The exploit simplifies remote code execution (RCE) on servers running ActiveMQ while also evading detection.
The vulnerability, which carries the maximum severity score of 10, allows unauthenticated threat actors to execute arbitrary shell commands. Apache patched the bug last month, but many organizations have yet to apply the fix and remain exposed to attack. The HelloKitty ransomware gang is among the groups that have already exploited the flaw.
Until now, attacks have relied on a public PoC released shortly after the vulnerability was disclosed. Researchers have since developed a more advanced exploit that reduces intruders' visibility by running the attack from memory. According to the researchers, "That means the threat actors could have avoided dropping their tools to disk. They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory-resident, perhaps avoiding detection from … managed [endpoint detection and response] EDR teams."
While attackers would still need to erase the revealing messages written to activemq.log to hide their activity completely, the new PoC is a significant step toward making attacks on this vulnerability stealthier. Matt Kiely, a principal security researcher at Huntress, confirms that the Huntress team has verified the technique works.
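Because the broker's own log file remains the one artifact a memory-resident attacker still has to clean up, protecting that file becomes the defender's control. The following is an added example, not code from the article, from Huntress or from the Apache ActiveMQ project: it treats activemq.log as an append-only file and flags the three changes an untouched log never shows, namely shrinking, being replaced by a new file (inode change), or having already-written bytes altered. The file path, the number of leading bytes hashed and the sample log lines are all constructed assumptions.

```python
"""Detect tampering with an append-only log such as activemq.log.

Added example (not from the article or from Apache ActiveMQ). An append-only
log should only ever grow, keep its inode, and keep the bytes it already
held. A decrease in size, an inode change, or a change to previously written
bytes each indicate truncation, replacement or editing of the log.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

HEAD_BYTES = 4096  # assumption: hash this many leading bytes as an anchor


@dataclass(frozen=True)
class LogState:
    inode: int
    size: int
    head_len: int
    head_digest: str


def snapshot(path: str) -> LogState:
    """Record inode, size and a digest of the leading bytes of the log."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    return LogState(st.st_ino, st.st_size, len(head),
                    hashlib.sha256(head).hexdigest())


def compare(prev: LogState, curr_path: str) -> list:
    """Compare an earlier snapshot with the log's current on-disk state.

    Returns a list of anomaly names; an empty list means the log has only
    grown by appends, the sole change an untampered log should show.
    """
    anomalies = []
    st = os.stat(curr_path)
    if st.st_ino != prev.inode:
        anomalies.append("inode-changed")       # file deleted and recreated
    if st.st_size < prev.size:
        anomalies.append("truncated")           # shrinking log: lines removed
    # Re-hash the same number of leading bytes recorded earlier; an
    # append-only log never changes bytes that were already written.
    with open(curr_path, "rb") as fh:
        head = fh.read(prev.head_len)
    if (len(head) == prev.head_len
            and hashlib.sha256(head).hexdigest() != prev.head_digest):
        anomalies.append("existing-bytes-rewritten")
    return anomalies


def demo() -> dict:
    """Exercise the checks on a constructed log in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "activemq.log")   # constructed sample log
        with open(log, "w") as fh:
            fh.write("INFO  | Apache ActiveMQ started\n")
        base = snapshot(log)

        # Normal operation: the broker appends a line, nothing is flagged.
        with open(log, "a") as fh:
            fh.write("INFO  | Connector openwire started\n")
        results["after_append"] = compare(base, log)
        grown = snapshot(log)

        # Tampering 1: the incriminating line is removed in place.
        with open(log, "w") as fh:
            fh.write("INFO  | Apache ActiveMQ started\n")
        results["after_truncate"] = compare(grown, log)

        # Tampering 2: the log is swapped for a fresh, innocuous file.
        # Creating the replacement while the original still exists guarantees
        # a different inode once it is moved over the old name.
        fresh = os.path.join(tmp, "activemq.log.new")
        with open(fresh, "w") as fh:
            fh.write("INFO  | nothing to see here\n" * 3)
        os.replace(fresh, log)
        results["after_replace"] = compare(grown, log)
    return results


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage}: {found or 'no anomalies'}")
```

In practice the snapshot would be taken on a schedule by a process the broker's service account cannot write to, and any non-empty result forwarded to the SIEM; shipping activemq.log off the host in real time is the stronger control, since an intruder who already has RCE as the broker user can also stop a local monitor.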
Kiely also warns that the attack is easy to carry out once an attacker can reach a vulnerable ActiveMQ instance. He expects exploit development to advance further and urges administrators to patch CVE-2023-46604 immediately or disconnect the servers from the internet. Beyond the obvious risk of ransomware, Kiely cautions that an attack could lead to account access removal, data destruction, defacement, resource hijacking, and other outcomes. He also notes that attackers may choose to bide their time on an exploited server to plan further attacks, a strategy the new PoC makes easier.