Dangerous Apache ActiveMQ Exploit Allows Stealthy EDR Bypass

There's no time to waste: For organizations on the fence about patching the critical bug in ActiveMQ, the new proof-of-concept exploit should push them towards action.


A fresh proof-of-concept (PoC) exploit for a critical security vulnerability in Apache ActiveMQ is making it easier than ever to achieve remote code execution (RCE) on servers running the open source message broker, and to do so without drawing notice.

The max-severity bug (CVE-2023-46604, CVSS score of 10) allows unauthenticated threat actors to run arbitrary shell commands, and it was patched by Apache late last month. Nonetheless, thousands of organizations remain vulnerable, a state of affairs that the HelloKitty ransomware gang and others have taken full advantage of.

While attacks have so far relied on a public PoC released shortly after the flaw's disclosure, researchers at VulnCheck said this week that they have engineered a more elegant exploit, one that cuts down on the noise an intruder makes by running the payload from memory rather than from a file on disk.

"That means the threat actors could have avoided dropping their tools to disk," according to VulnCheck's post detailing the new ActiveMQ exploit. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory-resident, perhaps avoiding detection from … managed [endpoint detection and response] EDR teams."

New ActiveMQ Exploit: Enabling a Silent Stalker

While attackers would still need to delete the incriminating messages from activemq.log to fully cover their tracks, the VulnCheck PoC is a significant step toward making attacks against the vulnerability stealthier, according to Matt Kiely, principal security researcher at Huntress.

"The proof of concept from VulnCheck is a marked evolution from the previous public PoCs, which generally relied on using the shell of the exploited system to execute code," he says, adding that the Huntress team confirmed that the new technique indeed works as advertised.

Further, "this specific attack is trivial to exploit if an attacker can access the vulnerable instance of ActiveMQ," he says, adding that more evolutions and improvements in exploit development are sure to come.

Thus, admins should patch CVE-2023-46604 immediately or, failing that, take affected servers off the Internet. It is also important to be aware that the risk from an attack stretches well beyond ransomware, Kiely adds.
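Since the immediate action is to confirm whether a broker is patched, here is an added example (not code from the article, VulnCheck, Huntress or Apache) that checks an ActiveMQ version string, or the jar names in a broker's lib/ directory, against the first fixed release on each branch that Apache's advisory for CVE-2023-46604 lists: 5.15.16, 5.16.7, 5.17.6 and 5.18.3. Two things in it are assumptions rather than statements from the article: that the jars are named activemq-<module>-<version>.jar, and that branches newer than 5.18 were released with the fix.

```python
import re
import sys
from pathlib import Path

# First patched release on each affected 5.x branch, per Apache's advisory for
# CVE-2023-46604. Older branches (5.14 and below) never received a fix on their
# own branch, so any version there is treated as vulnerable.
FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED_BRANCH = (5, 15)
NEWEST_LISTED_BRANCH = (5, 18)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumption: distribution jars are named activemq-<module>-<major.minor.patch>.jar
_JAR_RE = re.compile(r"^activemq-[a-z-]+-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """Return the first major.minor.patch triple found in text, e.g. '5.18.2' -> (5, 18, 2)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this ActiveMQ version predates the fix for CVE-2023-46604.

    Accepts a version string ('5.18.2') or a (major, minor, patch) tuple.
    """
    major, minor, patch = parse_version(version) if isinstance(version, str) else version
    branch = (major, minor)
    if branch < OLDEST_FIXED_BRANCH:
        return True  # e.g. 5.14.x: affected, and no fixed release exists on that branch
    if branch > NEWEST_LISTED_BRANCH:
        return False  # assumption: 5.19+ and 6.x shipped after the fix landed
    return (major, minor, patch) < FIXED_RELEASES[branch]


def classify_jars(jar_names):
    """Map each ActiveMQ jar name to whether its version is vulnerable; other jars are ignored."""
    results = {}
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m:
            results[name] = is_vulnerable(m.group(1))
    return results


def scan_lib_dir(lib_dir):
    """Classify every activemq-*.jar found under the broker's lib/ directory."""
    return classify_jars(p.name for p in Path(lib_dir).rglob("activemq-*.jar"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = scan_lib_dir(sys.argv[1])
    else:
        # Constructed sample names, used only when no lib/ path is given.
        findings = classify_jars([
            "activemq-client-5.18.2.jar",
            "activemq-broker-5.18.3.jar",
            "activemq-openwire-legacy-5.15.15.jar",
            "slf4j-api-2.0.7.jar",
        ])
    for jar, vuln in sorted(findings.items()):
        print(f"{'VULNERABLE' if vuln else 'patched   '}  {jar}")
```

Run it with the broker's lib/ directory as the only argument; a jar reported as VULNERABLE means the broker should be upgraded to the listed fixed release for its branch, or taken off the Internet until it is. A version string with a suffix such as "-SNAPSHOT" is compared on its numeric part only.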

"Potential results of exploitation [include] techniques like account access removal, data destruction, defacement, resource hijacking, and many others," he explains. "Attackers may even elect to do nothing at all and simply wait on an exploited server to stage further attacks" — something, it should be noted, that the silent VulnCheck PoC can more easily enable.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
