This week, researchers from Rapid7 have issued a warning regarding the suspected exploitation of a critical vulnerability, tracked as CVE-2023-46604, in Apache ActiveMQ. Apache ActiveMQ is an open-source message broker software, serving as a message-oriented middleware platform. It facilitates communication and data exchange between various applications.
Rapid7's investigation revealed that threat actors (HelloKitty) attempted to exploit CVE-2023-46604 to deploy HelloKitty ransomware in two separate customer environments. The ransomware deployment was observed in cases where organizations were running outdated versions of Apache ActiveMQ.
The vulnerability in question is a remote code execution flaw affecting Apache ActiveMQ, allowing remote attackers to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. Apache released updated versions of ActiveMQ to address this vulnerability. Impacted versions of Apache ActiveMQ include:
Since the disclosure of the vulnerability, a proof-of-concept (PoC) exploit code and technical details have become publicly available. The Shadowserver Foundation reported that as of October 30, approximately 7,249 Apache ActiveMQ instances were exposed to the internet, with around 3,329 of them vulnerable to the flaw. Organizations are strongly advised to update to fixed versions of Apache ActiveMQ as soon as possible.
INDICATORS OF COMPROMISE (IoCs)
Rapid7's security team looked into CVE-2023-46604 and examined the exploit code available to the public. During their testing, they found that the activemq.log file recorded a single line that confirmed the successful use of CVE-2023-46604. In this specific case, the individual responsible (in this instance, a researcher) operated from the IP address 192[.]168[.]86[.]35 and targeted TCP port 61616. It's important to note that the level of detail in the log entries can be different, depending on the logging settings, which can be adjusted as needed.
Rapid7 has also listed other IoCs found below:
Files dropped and executed via the msiexec command:
Hashes that are part of the two MSI packages downloaded from the domain 172[.]245[.]16[.]125:
oss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (openwall.com)