Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.
“In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” cybersecurity firm Rapid7 disclosed in a report published Wednesday.
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”
The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands.
It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
The vulnerability impacts the following versions –
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
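As an added example (not code from Rapid7, Shadowserver, or the Apache project), the following Python check maps a version string onto the affected ranges listed above so that an inventory of brokers can be triaged for patching; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import List, Optional, Tuple

# Lowest fixed release on each maintained branch, per the list above.
FIXED_ON_BRANCH = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6), (5, 16): (5, 16, 7)}
# "Apache ActiveMQ before 5.15.16" covers the 5.15 branch and everything older.
OLDEST_FIXED = (5, 15, 16)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH' (trailing qualifiers ignored); None if unparseable."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(version: str) -> Optional[bool]:
    """True if the version is inside a listed vulnerable range, False if it is
    patched or newer than any listed branch, None if the string cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    branch = (v[0], v[1])
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]
    if branch > (5, 18):
        return False  # newer than any branch the advisory lists
    return v < OLDEST_FIXED

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("broker-a.example.internal", "5.18.2"),
    ("broker-b.example.internal", "5.18.3"),
    ("broker-c.example.internal", "5.16.5-SNAPSHOT"),
    ("broker-d.example.internal", "5.9.1"),
    ("broker-e.example.internal", "unknown"),
]

def triage(inventory) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts that need the patch and hosts needing manual review."""
    vulnerable, unknown = [], []
    for host, ver in inventory:
        status = is_affected(ver)
        if status is True:
            vulnerable.append(host)
        elif status is None:
            unknown.append(host)
    return vulnerable, unknown
```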
Since the bug's disclosure, proof-of-concept (PoC) exploit code and additional technical details have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from exploitation of CVE-2023-46604.”
Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).
Both MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching for and terminating a specific set of processes before starting the encryption process and appending the encrypted files with the “.locked” extension.
Image Source: Shadowserver Foundation
The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are vulnerable to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.
In light of the active exploitation of the flaw, users are recommended to update to the fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.
Some parts of this article are sourced from:
thehackernews.com