
Critical Apache ActiveMQ flaw under attack by ‘clumsy’ ransomware crims

Security researchers have confirmed that ransomware criminals are capitalizing on a maximum-severity vulnerability in Apache ActiveMQ.

Announced on October 25 and tracked as CVE-2023-46604, the insecure deserialization vulnerability allows for remote code execution (RCE) on affected versions.

“Apache ActiveMQ is vulnerable to remote code execution,” Apache said in its advisory. “The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

The developers released fixes for the affected versions on the same day, and all users are urged to upgrade as soon as possible.

Affected versions include:

  • 5.18.0 versions before 5.18.3
  • 5.17.0 versions before 5.17.6
  • 5.16.0 versions before 5.16.7
  • All versions prior to 5.15.16
  • OpenWire Module 5.18.0 versions before 5.18.3
  • OpenWire Module 5.17.0 versions before 5.17.6
  • OpenWire Module 5.16.0 versions before 5.16.7
  • OpenWire Module 5.8.0 versions before 5.15.16
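For defenders triaging an inventory against the list above, the ranges can be encoded as a small version check. This is an added example, not code from Apache or Rapid7; the host names and inventory format are constructed, and treating a qualified build of a fixed release (such as a SNAPSHOT) as affected is a conservative assumption.

```python
import re

# Affected ranges from the article's list: (lowest affected, first fixed release).
BROKER = [((0, 0, 0), (5, 15, 16)), ((5, 16, 0), (5, 16, 7)),
          ((5, 17, 0), (5, 17, 6)), ((5, 18, 0), (5, 18, 3))]
# The OpenWire Module list differs only in its oldest range, which starts at 5.8.0.
OPENWIRE_MODULE = [((5, 8, 0), (5, 15, 16))] + BROKER[1:]

def parse_version(text):
    """Split '5.17.5-SNAPSHOT' into ((5, 17, 5), '-SNAPSHOT')."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rest = m.groups()
    return (int(major), int(minor), int(patch or 0)), rest.strip()

def fixed_release_for(version, component="broker"):
    """Return the release to upgrade to if `version` is affected, else None."""
    numeric, qualifier = parse_version(version)
    for low, fixed in (OPENWIRE_MODULE if component == "openwire-module" else BROKER):
        # Assumption (not from the article): a qualified build of the fixed
        # release, e.g. 5.18.3-SNAPSHOT, may predate the fix, so flag it too.
        if low <= numeric < fixed or (numeric == fixed and qualifier):
            return ".".join(map(str, fixed))
    return None

def audit(inventory):
    """Return (host, version, upgrade_to) for every affected inventory entry."""
    findings = []
    for host, component, version in inventory:
        target = fixed_release_for(version, component)
        if target:
            findings.append((host, version, target))
    return findings

# Constructed sample inventory; host names are placeholders.
SAMPLE_INVENTORY = [
    ("mq-01.example.internal", "broker", "5.18.2"),
    ("mq-02.example.internal", "broker", "5.18.3"),
    ("mq-03.example.internal", "broker", "5.15.15"),
    ("app-07.example.internal", "openwire-module", "5.17.6-SNAPSHOT"),
    ("app-08.example.internal", "openwire-module", "5.16.7"),
]

if __name__ == "__main__":
    for host, version, target in audit(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2023-46604, upgrade to {target}")
```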

Security shop Rapid7 has now published its own investigation into active exploitation of the issue on two of its customers’ environments, revealing that both had been targeted with ransomware.

“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October,” it said.

“Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.”

Attribution for the attack hasn’t been firmly pinned on HelloKitty or one of its affiliates. There remains a possibility that a lone attacker carried out the attacks using the source code of the group’s 2020 variant, which was leaked last month.

The experts’ assessment of the attempts to deploy ransomware was that they were “clumsy.” Indicating a potentially low-skill individual being behind the attacks, Rapid7 said more than half a dozen attempts to encrypt files were made – all of which were unsuccessful.

Internet security non-profit Shadowserver started tracking vulnerable Apache ActiveMQ services on October 30 and found that almost half of all reachable services (3,329) were vulnerable to CVE-2023-46604.

The most recent available reading, taken November 1, shows that just 105 services have been patched, leaving considerably more than 3,000 still open to attacks.

The majority of vulnerable services are based in China, with 1,349 still unpatched. The next most vulnerable nation is the US with 530, then Germany with 154.

HelloKitty in brief

The HelloKitty group is perhaps most infamous for its 2021 attack on CD Projekt Red. HelloKitty reportedly sold the company’s data – which was claimed to include source code for its flagship games – to an unnamed bidder following an auction, the buyout sum for which was set at $7 million.

According to Emsisoft researchers, the data was sold under the condition that it would not be leaked by the buyer, though they said the more likely scenario is that no one wanted to buy the data and HelloKitty instead falsely claimed it was sold to save face. Months later, the video game publisher became aware that its data was circulating online.

First spotted in 2020, the group is mainly known for targeting smaller businesses, according to SentinelOne, and changes its tooling and tactics regularly.

It was originally thought to target Windows machines only, but in 2021 a Linux variant was spotted in the wild, a discovery that led researchers to find earlier Linux versions dating back to around the group’s formation.

A now-removed data breach disclosure at an Oregon healthcare company previously revealed that the Federal Bureau of Investigation believed the group to be operating out of Ukraine, but neither the FBI nor any security experts have officially attributed the group to individuals in the country.