The TellYouThePass ransomware is now targeting Apache ActiveMQ servers, exploiting a critical remote code execution (RCE) vulnerability. This flaw, tracked as CVE-2023-46604, is a high-risk bug in the ActiveMQ open-source message broker that allows unauthenticated attackers to execute arbitrary shell commands on affected servers. Apache issued security patches for the vulnerability on October 27, but cybersecurity firms Arctic Wolf and Huntress Labs discovered that threat actors had already been exploiting it to deploy SparkRAT malware for over two weeks, since at least October 10.
According to data from ShadowServer, a threat monitoring service, more than 9,200 Apache ActiveMQ servers are exposed online, with over 4,770 susceptible to CVE-2023-46604 exploits. Given that Apache ActiveMQ is commonly used as a message broker in enterprise settings, the application of security updates is urgent. Administrators are urged to immediately patch all vulnerable systems by upgrading to ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
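A branch-aware version check that an administrator could run over a host inventory to find which ActiveMQ instances still need the upgrade, added here as an example; it is not code from the article, from Apache, or from the vendors cited. The fixed versions are the four the article names; the host names and version strings are constructed, and the treatment of branches newer than 5.18 as post-dating the fix is an assumption labelled in the code.

```python
"""Flag Apache ActiveMQ installs that lack the CVE-2023-46604 fix.

The comparison is per release branch: 5.17.5 is vulnerable even though
it sorts above 5.16.7, because the fix for the 5.17 line is 5.17.6.
"""
from typing import Dict, List, Tuple

# Minimum patched release on each maintained branch (from the advisory text).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a plain 'major.minor.patch' string into an int tuple.

    Anything else (snapshots, qualifiers, garbage) raises ValueError so the
    caller can report it as 'unknown' rather than silently calling it safe.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """Return True if this release carries the CVE-2023-46604 fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        # Same branch: compare the patch level against that branch's fix.
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    if branch < (5, 15):
        # Lines older than 5.15 are end-of-life and never received the fix.
        return False
    # Assumption (not stated in the article): any branch newer than 5.18
    # was cut after the fix landed, so it is treated as patched.
    return True


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs into patched / vulnerable / unknown."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        try:
            status = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            status = "unknown"  # needs a manual look, never assumed safe
        report[status].append(host)
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.18.3"),
    ("mq-prod-02", "5.16.6"),
    ("mq-legacy", "5.14.5"),
    ("mq-dev", "5.17.6-SNAPSHOT"),
]


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory; anything that lands in the `unknown` bucket (pre-release builds, missing data) should be checked by hand rather than treated as patched.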
A week after Apache fixed this crucial ActiveMQ vulnerability, both Huntress Labs and Rapid7 reported seeing attackers exploiting the bug to deploy HelloKitty ransomware payloads on customers' networks. The attacks observed by the security researchers from both cybersecurity firms commenced on October 27, mere days after Apache issued the security patches.
Arctic Wolf Labs reported a day later that threat actors exploiting the CVE-2023-46604 flaw also use it for initial access in attacks targeting Linux systems and pushing the TellYouThePass ransomware. The security researchers also noted similarities between the HelloKitty and TellYouThePass attacks, with both campaigns sharing the same "email address, infrastructure, as well as bitcoin wallet addresses."
"Evidence of exploitation of CVE-2023-46604 in the wild from an assortment of threat actors with differing objectives demonstrates the need for rapid remediation of this vulnerability," warned the researchers at Arctic Wolf.
The TellYouThePass ransomware experienced a significant and sudden surge in activity after Log4Shell proof-of-concept exploits were released online two years ago. With its comeback as a Golang-compiled malware in December 2021, the ransomware strain also incorporated cross-platform targeting capabilities, enabling it to attack Linux and macOS systems (though macOS samples have yet to be detected in the wild).