HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability
2.11.23  Ransom  The Hacker News

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.

"In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a report published Wednesday.

"Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October."

The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands.

It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.

The vulnerability affects the following versions -

Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Since the bug's disclosure, a proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is "similar to what we would expect from exploitation of CVE-2023-46604."

Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).

Both the MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching and terminating a specific set of processes before commencing the encryption process and appending the encrypted files with the ".locked" extension.


Image Source: Shadowserver Foundation
The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are susceptible to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.

In light of the active exploitation of the flaw, users are recommended to update to the fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.