Researchers are observing the activities of threat actors exploiting a critical remote code execution vulnerability in Apache ActiveMQ servers and deploying HelloKitty ransomware.
The Apache Software Foundation disclosed the vulnerability, tracked as CVE-2023-46604, late last month. The bug allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems.
PoC exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the information to launch attacks against the vulnerability.
Researchers observed the exploit activity targeting the flaw at two customer locations, starting the same day that ASF disclosed the threat. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Both targeted organizations are running outdated versions of Apache ActiveMQ.
The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes.
The HelloKitty ransomware attacks leveraging the ActiveMQ flaw appeared somewhat rudimentary. In one of the attacks, the threat actor made more than a half dozen attempts to encrypt the data.
Nearly 3,329 Internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604, according to data the ShadowServer organization released on Oct. 30.
ActiveMQ is a relatively popular open source message broker that facilitates messaging between different applications, services, and systems. The ASF describes the technology as the “most popular open source, multi-protocol, Java-based message broker.” Data analytics firm Enlyft has estimated some 13,120 companies — mostly small and midsize — use ActiveMQ.
CVE-2023-46604 is an insecure deserialization bug, a class of vulnerability that arises when an application deserializes untrusted or manipulated data without first verifying that the data is valid. It affects multiple versions of Apache ActiveMQ and the Apache ActiveMQ Legacy OpenWire Module. Vulnerable versions include Apache ActiveMQ before 5.18.3 and before 5.17.6, and the ActiveMQ Legacy OpenWire Module before 5.18.3 and before 5.17.6.
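The paragraph above describes the vulnerability class in one sentence; the following added example (not code from the article, from Apache ActiveMQ, or from the researchers) shows what "verifying before deserializing" looks like in practice. ActiveMQ is a Java broker, so this uses Python's pickle purely as a stand-in for the class of problem: an unguarded deserializer instantiates whatever type the sender names, while an allowlisted one refuses anything the application does not expect. The message contents, the allowlist and the hypothetical application are all constructed for the example.

```python
"""Allowlist guard for deserialising untrusted input (added example).

Illustrates the insecure-deserialization class generically with Python's
pickle; it is not ActiveMQ's OpenWire code. The sample messages below are
constructed, not captured from any broker.
"""
import datetime
import io
import pickle
from collections import OrderedDict


def deserialize_unchecked(blob):
    """The anti-pattern: whichever class the sender names gets instantiated."""
    return pickle.loads(blob)


# The only (module, class) pairs this hypothetical application ever expects
# to receive. Everything else is rejected before it is instantiated.
ALLOWED_CLASSES = {
    ("collections", "OrderedDict"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that consults the allowlist whenever the stream names a class."""

    def find_class(self, module, name):
        # find_class is the hook pickle calls to resolve a class reference in
        # the stream, so refusing here stops the object from ever being built.
        if (module, name) not in ALLOWED_CLASSES:
            raise pickle.UnpicklingError(
                f"class {module}.{name} is not on the deserialization allowlist"
            )
        return super().find_class(module, name)


def deserialize_checked(blob):
    """Deserialize only if every class referenced in the stream is allowlisted."""
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def try_deserialize(blob):
    """Return ('ok', obj) or ('rejected', reason) so callers can log rather than crash."""
    try:
        return "ok", deserialize_checked(blob)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample messages: one of the expected type, one naming a class
# the application never asked for (a harmless stand-in for "manipulated data").
EXPECTED_MESSAGE = pickle.dumps(OrderedDict(queue="orders", body="hello"))
UNEXPECTED_MESSAGE = pickle.dumps(datetime.date(2023, 10, 30))

if __name__ == "__main__":
    for label, blob in (("expected", EXPECTED_MESSAGE), ("unexpected", UNEXPECTED_MESSAGE)):
        print(label, "unchecked ->", type(deserialize_unchecked(blob)).__name__)
        print(label, "checked   ->", try_deserialize(blob)[0])
```

The unchecked path happily builds a `date` object it was never designed to handle; the checked path rejects it with a reason that can be logged and alerted on. The same shape of control (a deny-by-default allowlist consulted before any class is resolved) is what Java deserialization filters provide for JVM applications.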
ASF has recommended that organizations using the technology upgrade to the fixed version to mitigate risk.
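Acting on that recommendation starts with knowing which brokers are still on a vulnerable release. The following added example (not the article's or the Apache project's code) triages a list of ActiveMQ version strings against the two fixed releases the article names, 5.18.3 and 5.17.6. The host inventory is constructed sample data; how the version strings are collected (broker console, jar manifest, asset database) is assumed to happen separately. Branches the article gives no fixed version for are flagged for a manual check against the ASF advisory rather than guessed at.

```python
"""Triage ActiveMQ versions against the CVE-2023-46604 fixed releases (added example).

Fixed versions are the two the article names: 5.18.3 and 5.17.6. Hostnames
and versions in SAMPLE_INVENTORY are constructed, not real systems.
"""
import re

FIXED_5_18 = (5, 18, 3)
FIXED_5_17 = (5, 17, 6)

# Leading numeric triple; suffixes such as "-SNAPSHOT" are ignored for comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '5.18.2' or '5.17.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assessment(version_text):
    """Classify one version as 'patched', 'vulnerable' or 'check-advisory'."""
    version = parse_version(version_text)
    if version >= FIXED_5_18:
        return "patched"            # 5.18.3 and anything released after it
    if version[:2] == (5, 17):
        return "patched" if version >= FIXED_5_17 else "vulnerable"
    if version[:2] == (5, 18):
        return "vulnerable"         # 5.18.0 through 5.18.2
    # Older branches: the article names no fixed version for them, so do not
    # guess; send these to the ASF advisory for a manual decision.
    return "check-advisory"


# Constructed inventory: (hostname, reported ActiveMQ version).
SAMPLE_INVENTORY = [
    ("broker-a.example.internal", "5.18.2"),
    ("broker-b.example.internal", "5.18.3"),
    ("broker-c.example.internal", "5.17.1-SNAPSHOT"),
    ("broker-d.example.internal", "5.17.6"),
    ("broker-e.example.internal", "5.15.9"),
]


def triage(inventory):
    """Group hosts by assessment so vulnerable ones can be scheduled for upgrade first."""
    groups = {"vulnerable": [], "patched": [], "check-advisory": []}
    for host, version in inventory:
        groups[assessment(version)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```

Keeping a separate "check-advisory" bucket, instead of silently treating unlisted branches as safe, is deliberate: an inventory script that only knows two fixed versions should not be the thing that declares a 5.15 or 5.16 broker patched.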