Monday, May 6, 2024

Attackers Target Max-Severity Apache ActiveMQ Bug to Drop Ransomware



More than 3,000 Internet-accessible Apache ActiveMQ servers are exposed to a critical remote code execution vulnerability that attackers have begun actively targeting to drop ransomware.

The Apache Software Foundation (ASF) disclosed the vulnerability, tracked as CVE-2023-46604, on Oct. 27. The bug allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems. Proof-of-concept exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the knowledge to launch attacks against the vulnerability.

Exploit Activity

Researchers at Rapid7 reported observing exploit activity targeting the flaw at two customer locations, starting the same day that ASF disclosed the threat. “In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” researchers from Rapid7’s managed detection and response team said in a blog post. They described both targeted organizations as running outdated versions of Apache ActiveMQ.

The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes. HelloKitty ransomware has been percolating in the wild since at least 2020. Its operators have tended to favor double-extortion attacks in which they have not just encrypted the data but also stolen it as additional leverage for extracting a ransom from victims.

The HelloKitty ransomware attacks leveraging the ActiveMQ flaw appeared somewhat rudimentary. In one of the attacks, the threat actor made more than a half dozen attempts to encrypt the data, prompting the researchers to label the threat actor as “clumsy” in their report.

“Exploit code for this vulnerability has been publicly available since last week, and our researchers have confirmed exploitability,” says Caitlin Condon, head of threat research at Rapid7. “The threat activity Rapid7 observed looked like automated exploitation and wasn’t particularly sophisticated, so we would advise that organizations patch quickly to protect against potential future exploitation.”

Over 3,000 Systems Vulnerable to Attack

Some 3,329 Internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604, according to data the ShadowServer group released on Oct. 30.

ActiveMQ is a relatively popular open source message broker that facilitates messaging between different applications, services, and systems. The ASF describes the technology as the “most popular open source, multi-protocol, Java-based message broker.” Data analytics firm Enlyft has estimated that some 13,120 companies, mostly small and midsize, use ActiveMQ.

CVE-2023-46604 affects multiple versions of Apache ActiveMQ and the Apache ActiveMQ Legacy OpenWire Module. Vulnerable versions include Apache ActiveMQ versions before 5.18.3 and before 5.17.6, and ActiveMQ Legacy OpenWire Module versions before 5.18.3 and before 5.17.6. The ASF assigned the vulnerability the maximum possible severity score of 10.0 on the CVSS scale and has released updated versions of the affected software. ASF has recommended that organizations using the technology upgrade to the fixed version to mitigate risk.
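An added example, not from the article or from the ASF or Rapid7, that triages an asset inventory against the fixed versions the article names (5.18.3 for the 5.18 line, 5.17.6 for the 5.17 line). The host names and version banners are constructed, and treating releases older than the 5.17 line as affected is an assumption drawn from the article's "before 5.18.3" wording.

```python
"""Triage an ActiveMQ inventory against the CVE-2023-46604 fix versions named in
the article: 5.18.3 for the 5.18.x line and 5.17.6 for the 5.17.x line.

Assumption: releases older than the 5.17 line are treated as affected, since the
article states that versions before 5.18.3 are vulnerable and names no older fix.
"""
import re

# Fixed versions as stated in the article, keyed by (major, minor) release line.
FIXED_BY_LINE = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6)}

# Constructed sample inventory: host -> version banner as an asset scanner might record it.
SAMPLE_INVENTORY = {
    "broker-a.example.internal": "ActiveMQ 5.18.2",
    "broker-b.example.internal": "5.18.3",
    "legacy.example.internal": "5.17.5",
    "old.example.internal": "5.16.6",
    "new.example.internal": "5.19.0",
}


def parse_version(text):
    """Return (major, minor, patch) from a banner or version string, or None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the version predates the fix for its release line; False at or past a fix."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Lines newer than 5.18 carry the fix; lines older than 5.17 do not (assumption above).
    return v[:2] < (5, 17)


def triage(inventory):
    """Return the sorted list of hosts still running a version that needs the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} ({SAMPLE_INVENTORY[host]})")
```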

CVE-2023-46604 is an insecure deserialization bug, a type of vulnerability that occurs when an application deserializes untrusted or manipulated data without first verifying that the data is valid. Adversaries typically exploit such flaws by sending a maliciously crafted object that, when deserialized, executes malicious or unauthorized code, leading to breaches and arbitrary code execution. Insecure deserialization bugs are common and have been a regular feature on OWASP’s list of the top 10 Web application vulnerability types for years.
