Tuesday, July 2, 2024

Attackers Target Max-Severity Apache ActiveMQ Bug to Drop Ransomware



More than 3,000 Internet-accessible Apache ActiveMQ servers are exposed to a critical remote code execution vulnerability that an attacker has begun actively targeting to drop ransomware.

The Apache Software Foundation (ASF) disclosed the vulnerability, tracked as CVE-2023-46604, on Oct. 27. The bug allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems. Proof-of-concept exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the knowledge to launch attacks against the vulnerability.

Exploit Activity

Researchers at Rapid7 reported observing exploit activity targeting the flaw at two customer locations, beginning the same day that ASF disclosed the threat. “In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” researchers from Rapid7’s managed detection and response team said in a blog post. They described both targeted organizations as running outdated versions of Apache ActiveMQ.

The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes. HelloKitty ransomware has been percolating in the wild since at least 2020. Its operators have tended to favor double-extortion attacks in which they have not just encrypted the data but also stolen it as additional leverage for extracting a ransom from victims.

The HelloKitty ransomware attacks leveraging the ActiveMQ flaw appeared somewhat rudimentary. In one of the attacks, the threat actor made more than a half dozen attempts to encrypt the data, prompting the researchers to label the threat actor as “clumsy” in their report.

“Exploit code for this vulnerability has been publicly available since last week, and our researchers have confirmed exploitability,” says Caitlin Condon, head of threat research at Rapid7. “The threat activity Rapid7 observed looked like automated exploitation and wasn’t particularly sophisticated, so we’d advise that organizations patch quickly to protect against potential future exploitation.”

Over 3,000 Systems Vulnerable to Attack

Some 3,329 Internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604, according to data the ShadowServer group released on Oct. 30.

ActiveMQ is a relatively popular open source message broker that facilitates messaging between different applications, services, and systems. The ASF describes the technology as the “most popular open source, multi-protocol, Java-based message broker.” Data analytics firm Enlyft has estimated that some 13,120 companies, mostly small and midsize, use ActiveMQ.

CVE-2023-46604 affects multiple versions of Apache ActiveMQ and the Apache ActiveMQ Legacy OpenWire Module. Vulnerable versions include Apache ActiveMQ versions before 5.18.3 and before 5.17.6, and ActiveMQ Legacy OpenWire Module versions before 5.18.3 and before 5.17.6. The ASF assigned the vulnerability the maximum possible severity score of 10.0 on the CVSS scale and has released updated versions of the affected software. ASF has recommended that organizations using the technology upgrade to the fixed version to mitigate risk.
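A practical first step for a defender is to triage a broker inventory against the fixed releases named above. The following script is an added example written for this article, not code from the ASF or from Rapid7; it encodes only the two fixed versions the article cites (5.18.3 and 5.17.6), and conservatively treats any other branch that sorts below 5.18.3 as unpatched. The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Triage Apache ActiveMQ version strings against the CVE-2023-46604 fix releases.

Added example, not vendor code. Only the fixed versions named in the article are
encoded; for branches not listed here, consult the ASF advisory for the exact fix.
"""
import re
from typing import Dict, List, Tuple

# Fixed release per minor branch, as cited in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
}
# Newest fix named in the article; unlisted branches below it are assumed exposed.
LATEST_FIXED = (5, 18, 3)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.18.2' (a trailing suffix such as '-SNAPSHOT' is ignored) into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its branch (or is an older, unlisted branch)."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Branch not named in the article: anything at or above the newest fix is fine,
    # anything older is treated as exposed until checked against the ASF advisory.
    return v < LATEST_FIXED


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {host: version}, return the hosts that still need the upgrade, sorted."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {
        "mq-prod-1": "5.18.2",
        "mq-prod-2": "5.18.3",
        "mq-legacy": "5.17.5",
        "mq-old": "5.16.6",
        "mq-new": "5.19.0",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} needs upgrade for CVE-2023-46604")
```

Feed it the version strings you collect from broker banners or package managers; anything it flags on an unlisted branch should be confirmed against the full ASF advisory rather than taken as a final verdict.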

CVE-2023-46604 is an insecure deserialization bug, a type of vulnerability that occurs when an application deserializes untrusted or manipulated data without first verifying whether the data is valid. Adversaries often exploit such flaws by sending a maliciously crafted object that, when deserialized, executes malicious or unauthorized code, leading to breaches and arbitrary code execution. Insecure deserialization bugs are common and have been a regular feature on OWASP’s list of top 10 Web application vulnerability types for years.
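The standard mitigation for this bug class is to refuse to instantiate any class the serialized stream names unless it is on an explicit allowlist. The example below is an added illustration written for this article, not ActiveMQ code: ActiveMQ is Java, but the principle transfers to any native object-serialization format, and Python's pickle is used here because, like Java serialization, it will instantiate whatever class the byte stream references unless the loader intervenes. The allowlist contents and the sample payloads are constructed for the demonstration.

```python
"""Allowlist-based deserialization guard (added example, not ActiveMQ code).

A native object-serialization format lets the byte stream choose which classes get
instantiated. The defensive pattern is to resolve class references through a hook
that rejects anything not explicitly approved.
"""
import io
import pickle
from collections import OrderedDict
from datetime import date

# The only (module, class) pairs a payload is permitted to instantiate. Constructed
# for this example; a real service would list exactly its own message types.
ALLOWED_CLASSES = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class reference not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        # Reject rather than instantiate: this is the check the vulnerable code lacks.
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes, raising UnpicklingError on any unapproved class."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the payload deserializes entirely within the allowlist, False if rejected."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    # Constructed payloads: plain built-in types, an allowlisted class, and a class
    # that is harmless but not approved (so it must be rejected all the same).
    plain = pickle.dumps({"queue": "orders", "depth": 3})
    allowed = pickle.dumps(OrderedDict(queue="orders"))
    not_allowed = pickle.dumps(date(2023, 10, 27))
    print(is_accepted(plain), is_accepted(allowed), is_accepted(not_allowed))  # True True False
```

The guard rejects the `datetime.date` payload even though that class is benign; the point is that the loader, not the sender, decides what may be instantiated. Where a data-only format such as JSON suffices, preferring it over object serialization removes this bug class entirely.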
