Mauri Ransomware exploiting Apache ActiveMQ flaw CVE-2023-46604

Apache ActiveMQ is affected by a critical vulnerability tracked as CVE-2023-46604. The flaw allows an attacker to manipulate serialized class types in the OpenWire protocol so that the broker instantiates a class of the attacker's choosing and loads its configuration from an external source, which in practice lets the attacker introduce code into the broker process.

Successful exploitation results in arbitrary code execution on the affected server. That level of access can lead to full system compromise: the attacker can take control of the server, access sensitive data, or use the host as a base for further malicious activity.

Several threat actors and toolkits, including Andariel, HelloKitty, and Cobalt Strike, have been involved in active exploitation of this vulnerability, which demonstrates its severity and the need for prompt mitigation. Exploitation by such well-known groups highlights the risk posed by this flaw and underscores the importance of immediate patching and robust security measures.

Separately, CoinMiner attackers exploited the same vulnerability in Apache ActiveMQ servers to install Frpc malware. The flaw allowed the threat actors to execute commands remotely, potentially leading to further compromise of the affected systems. The attack began with the download and execution of malicious XML configuration files from a remote server; the vulnerable ActiveMQ process then loaded these files, giving the attackers control of the server.

With the malicious files in place, the attackers could execute arbitrary commands and compromise the system further, for example by stealing sensitive data, installing additional malware, or disrupting normal operation of the server. Frpc gave the attackers a persistent foothold within the network, making their presence harder to detect and eradicate.

According to ASEC, the Mauri ransomware, originally an open-source tool intended for research purposes, has been weaponized by threat actors. Despite its initial design for educational use, its public availability has enabled cybercriminals to put it to malicious use.

The ransomware encrypts a variety of file extensions using AES-256 in CTR mode and demands a ransom paid in USDT. Although the current Command and Control (C&C) server address is set to localhost, which suggests the sample may still be in a testing phase, the modified configuration implies that active exploitation is underway.

The vulnerability affects multiple versions of Apache ActiveMQ, including:

  • 5.18.0 to 5.18.2
  • 5.17.0 to 5.17.5
  • 5.16.0 to 5.16.6
  • 5.15.15 and earlier

Additionally, the following versions of the Legacy OpenWire Module are affected:

  • 5.18.0 to 5.18.2
  • 5.17.0 to 5.17.5
  • 5.16.0 to 5.16.6
  • 5.8.0 to 5.15.15

All of these versions are vulnerable, underscoring the critical need for prompt patching and updated security measures to protect against exploitation.

Organizations using Apache ActiveMQ should prioritize updating to the latest version and applying all available security patches. Implementing network-level protections and monitoring for unusual activity can further mitigate the risks associated with this vulnerability.
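The following script is an added example, not code from the original article or from the Apache ActiveMQ project. It turns the two affected-version lists above into a patch-triage check: the ranges are transcribed literally from the article (the core broker's "5.15.15 and earlier" becomes a zero lower bound), and the hostnames, versions and component labels in the inventory are constructed for the example.

```python
import re

# Affected ranges transcribed from the article's two lists (inclusive bounds).
# "5.15.15 and earlier" for the core broker is represented with a zero lower bound.
AFFECTED_RANGES = {
    "core": [
        ((5, 18, 0), (5, 18, 2)),
        ((5, 17, 0), (5, 17, 5)),
        ((5, 16, 0), (5, 16, 6)),
        ((0, 0, 0), (5, 15, 15)),
    ],
    "legacy-openwire": [
        ((5, 18, 0), (5, 18, 2)),
        ((5, 17, 0), (5, 17, 5)),
        ((5, 16, 0), (5, 16, 6)),
        ((5, 8, 0), (5, 15, 15)),
    ],
}

# Accepts "5.17.3", "v5.17.3" and suffixed strings such as "5.17.3-SNAPSHOT".
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version, component="core"):
    """True if `version` of the given component falls inside a listed affected range."""
    v = parse_version(version)
    ranges = AFFECTED_RANGES[component]
    return any(lo <= v <= hi for lo, hi in ranges)


# Constructed inventory: hostnames, versions and components are made up for the example.
INVENTORY = [
    {"host": "mq-prod-1", "version": "5.17.3", "component": "core"},
    {"host": "mq-prod-2", "version": "5.18.3", "component": "core"},
    {"host": "mq-legacy-1", "version": "5.9.1", "component": "legacy-openwire"},
    {"host": "mq-legacy-2", "version": "5.7.0", "component": "legacy-openwire"},
    {"host": "mq-old-1", "version": "5.7.0", "component": "core"},
]


def triage(inventory):
    """Return the hostnames running an affected version, in inventory order."""
    return [
        entry["host"]
        for entry in inventory
        if is_affected(entry["version"], entry["component"])
    ]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected by CVE-2023-46604, patch required")
```

The check follows the article's lists literally, which is why a 5.7.0 Legacy OpenWire Module is reported as outside the listed legacy range while a 5.7.0 core broker is inside the "5.15.15 and earlier" range; a host that ships both components should be checked against both lists.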

Indicators of Compromise

  • 07894bc946bd742cec694562e730bac8
  • 25b1c94cf09076eb8ce590ee2f7f108e
  • 2c93a213f08a9f31af0c7fc4566a0e56
  • 2e8a3baeaa0fc85ed787a3c7dfd462e7
  • 3b56e1881d8708c48150978da14da91e
  • http[:]//18[.]139[.]156[.]111[:]83/Google[.]zip
  • http[:]//18[.]139[.]156[.]111[:]83/a[.]exe
  • http[:]//18[.]139[.]156[.]111[:]83/brave[.]exe
  • http[:]//18[.]139[.]156[.]111[:]83/c[.]ini
  • 18[.]139[.]156[.]111
