More than 3,000 Internet-accessible Apache ActiveMQ servers are exposed to a critical remote code execution vulnerability that attackers have begun actively targeting to drop ransomware.
The Apache Software Foundation (ASF) disclosed the vulnerability, tracked as CVE-2023-46604, on Oct. 27. The bug allows a remote attacker with network access to an ActiveMQ message broker to execute arbitrary commands on affected systems. No credentials are needed: the flaw sits in the broker's OpenWire protocol handling, so any client that can reach the OpenWire listener (TCP 61616 by default) can trigger it. Proof-of-concept exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the knowledge to launch attacks against it.
Researchers at Rapid7 reported observing exploit activity targeting the flaw at two customer locations, beginning the same day that ASF disclosed the threat. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," researchers from Rapid7's managed detection and response team said in a blog post. They described both targeted organizations as running outdated versions of Apache ActiveMQ.
The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes. HelloKitty ransomware has been active in the wild since at least 2020. Its operators have tended to favor double-extortion attacks, in which they not only encrypt the data but also steal it as additional leverage for extracting a ransom from victims.
The HelloKitty ransomware attacks leveraging the ActiveMQ flaw appeared somewhat rudimentary. In one of the attacks, the threat actor made more than a half dozen attempts to encrypt the data, prompting the researchers to label the threat actor "clumsy" in their report.
"Exploit code for this vulnerability has been publicly available since last week, and our researchers have confirmed exploitability," says Caitlin Condon, head of threat research at Rapid7. "The threat activity Rapid7 observed looked like automated exploitation and wasn't particularly sophisticated, so we would advise that organizations patch quickly to protect against potential future exploitation."
Over 3,000 Systems Vulnerable to Attack
Some 3,329 Internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604, according to data the Shadowserver Foundation released on Oct. 30.
ActiveMQ is a relatively popular open source message broker that facilitates messaging between different applications, services, and systems. The ASF describes the technology as the "most popular open source, multi-protocol, Java-based message broker." Data analytics firm Enlyft has estimated that some 13,120 companies, mostly small and midsize, use ActiveMQ.
CVE-2023-46604 affects multiple versions of Apache ActiveMQ and of the Apache ActiveMQ Legacy OpenWire Module. Vulnerable versions include Apache ActiveMQ releases before 5.18.3 and before 5.17.6, and Apache ActiveMQ Legacy OpenWire Module releases before 5.18.3 and before 5.17.6; the ASF also shipped fixes for the older 5.16 and 5.15 lines as 5.16.7 and 5.15.16. The ASF assigned the vulnerability the maximum possible severity score of 10.0 on the CVSS scale and has released updated versions of the affected software. ASF recommends that organizations using the technology upgrade to a fixed version to mitigate risk. A running broker advertises its version in the WireFormatInfo frame it sends as soon as a client connects to the OpenWire port, so exposed brokers can be inventoried (by defenders and attackers alike) without authenticating; until a broker is patched, its OpenWire listener should not be reachable from untrusted networks.
CVE-2023-46604 is an insecure deserialization bug, a class of vulnerability that arises when an application deserializes untrusted or manipulated data without first verifying that the data is valid. Adversaries typically exploit such flaws by sending a maliciously crafted object that, when deserialized, executes malicious or unauthorized code, leading to breaches and arbitrary code execution. In this case the OpenWire unmarshalling code reads a class name from the wire and instantiates that class via reflection, passing it a string taken from the same message as the constructor argument. Because the broker did not check that the named class was actually a Throwable before constructing it, an attacker could name any class on the classpath with a single-String constructor; the public exploit names a Spring XML application-context class whose constructor fetches and executes bean definitions from the supplied string, which the attacker sets to a URL they control. The fix refuses to instantiate anything that is not a subclass of Throwable. Insecure deserialization bugs are common and have been a regular feature of OWASP's Top 10 list of Web application vulnerability types for years.
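The pattern described above, reduced to a stand-alone program, as an added illustration rather than ActiveMQ's own source. The class and method names here are invented; the unchecked method mirrors the vulnerable shape (class name and constructor argument both taken from untrusted input), and the checked method mirrors the shape of the fix. The example uses java.io.File as a harmless stand-in for an attacker-chosen non-Throwable class with a single-String constructor.

```java
import java.lang.reflect.Constructor;

// Added example (not ActiveMQ's code): reflective construction of a class named by the
// remote peer, first without and then with the "must be a Throwable" check.
public class ThrowableFactory {

    // Vulnerable shape: both the class name and the constructor argument come from the wire.
    // Any loadable class that has a public (String) constructor can be instantiated here,
    // and whatever side effects that constructor has will run inside the broker process.
    static Object createThrowableUnchecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, ThrowableFactory.class.getClassLoader());
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Hardened shape: resolve the class WITHOUT initializing it (initialize=false, so no
    // static initializer runs yet), verify it is a Throwable, and only then construct it.
    static Throwable createThrowableChecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false, ThrowableFactory.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("refusing to instantiate non-Throwable class " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Legitimate use: the remote side reports an exception type, which is what the
        // protocol actually needs this code path for.
        Throwable t = createThrowableChecked("java.lang.IllegalStateException", "broker rejected request");
        System.out.println("checked path, legitimate input: " + t);

        // Attacker-style input (constructed for this example): a class that is not a Throwable
        // but does have a (String) constructor. java.io.File is harmless; the real exploit
        // names a Spring context class whose constructor loads and executes XML from a URL.
        Object o = createThrowableUnchecked("java.io.File", "/tmp/attacker-controlled");
        System.out.println("unchecked path happily built a " + o.getClass().getName());

        try {
            createThrowableChecked("java.io.File", "/tmp/attacker-controlled");
        } catch (IllegalArgumentException e) {
            System.out.println("checked path rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ThrowableFactory.java && java ThrowableFactory`. The ordering in the hardened method matters: the type check runs before any constructor is invoked, and the class is loaded with `initialize=false` so that a hostile static initializer cannot fire during the lookup itself. An allowlist of concrete exception classes would be stricter still, but the `isAssignableFrom` check is the minimal change that closes the class of attack the article describes, since no useful gadget class for this technique is a Throwable.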