Attackers Target Max-Severity Apache ActiveMQ Bug to Drop Ransomware

More than 3,000 Internet-accessible Apache ActiveMQ Servers are exposed to a critical remote code execution vulnerability that an attacker has begun actively targeting to drop ransomware.

The Apache Software Foundation (ASF) disclosed the vulnerability, tracked as CVE-2023-46604, on Oct. 27. The bug allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems. Proof-of-concept exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the information to launch attacks against the vulnerability.

Exploit Activity

Researchers at Rapid7 reported observing exploit activity targeting the flaw at two customer locations, starting the same day that ASF disclosed the threat. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," researchers from Rapid7's managed detection and response team said a in blog post. They described both targeted organizations as running outdated versions of Apache ActiveMQ.

The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes. HelloKitty ransomware has been percolating in the wild since at least 2020. Its operators have tended to favor double-extortion attacks in which they have not just encrypted the data but also stolen it as additional leverage for extracting a ransom from victims.

The HelloKitty ransomware attacks leveraging the ActiveMQ flaw appeared somewhat rudimentary. In one of the attacks, the threat actor made more than a half dozen attempts to encrypt the data, prompting the researchers to label to threat actor as "clumsy" in their report.

"Exploit code for this vulnerability has been publicly available since last week, and our researchers have confirmed exploitability," says Caitlin Condon, head of threat research at Rapid7. "The threat activity Rapid7 observed looked like automated exploitation and wasn't particularly sophisticated, so we would advise that organizations patch quickly to protect against potential future exploitation."

Over 3,000 Systems Vulnerable to Attack

Some 3,329 Internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604, according to data the ShadowServer organization released on Oct. 30.

ActiveMQ is a relatively popular open source message broker that facilitates messaging between different applications, services, and systems. The ASF describes the technology as the "most popular open source, multi-protocol, Java-based message broker." Data analytics firm Enlyft has estimated some 13,120 companies — mostly small and midsize — use ActiveMQ.

CVE-2023-46604 affects multiple versions of Apache ActiveMQ and Apache ActiveMQ Legacy OpenWire Module. Vulnerable versions include Apache ActiveMQ versions before 5.18.3; 5.17.6 ActiveMQ Legacy OpenWire Module before 5.18.3 and before 5.17.6 The ASF assigned the vulnerability a maximum possible severity score of 10.0 on the CVSS scale and has released updated versions of the affected software. ASF has recommended that organizations using the technology upgrade to the fixed version to mitigate risk.

CVE-223-466604 is an insecure deserialization bug — a kind of vulnerability that happens when an application deserializes untrusted or manipulated data without first verifying if the data is valid. Adversaries often exploit such flaws by sending a malicious crafted object that, when deserialized, executes malicious or unauthorized code, leading to breaches and arbitrary code execution. Insecure deserialization bugs are common and have been a regular feature on OWASP's list of top 10 Web application vulnerability types for years.