Project Hyphae

Apache ActiveMQ Zero-Day Vulnerability exploited by multiple ransomware groups.


On October 27, 2023, Apache announced CVE-2023-46604, a critical Remote Code Execution vulnerability that could allow an attacker to run arbitrary code on a vulnerable server exposed to the internet. Apache also published a patch for the vulnerability on the 27th, but per a report from ShadowServer, 3329 of the roughly 9200 publicly exposed Apache ActiveMQ servers remain unpatched.

Both Arctic Wolf and Huntress Labs have reported seeing the vulnerability exploited as far back as October 10th in attacks deploying SparkRat Ransomware. Since then, Huntress Labs and Rapid 7 have reported seeing HelloKitty and TellYouThePass (which targets Linux) ransomware being deployed using this vulnerability.

The issue affects the following Apache ActiveMQ and Legacy OpenWire Module versions:

  • 5.18.x versions before 5.18.3
  • 5.17.x versions before 5.17.6
  • 5.16.x versions before 5.16.7
  • All versions before 5.15.16

The vulnerability was patched with the release of versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, which are the recommended upgrade targets.
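To turn the affected-version list above into a check that can be run over a broker inventory, here is an added example (not from the original post, and not from Apache). The host names and version strings in the inventory are constructed sample data; the range logic follows the affected-version list above.

```python
# Added example: classify Apache ActiveMQ version strings against the
# CVE-2023-46604 affected ranges quoted in the post. Inventory lines are
# constructed sample data in "host,version" form.
import re

# Branch -> first fixed release, per the advisory's affected-version list
FIXED = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
OLDEST_FIXED = (5, 15, 16)  # "all versions before 5.15.16" are affected

def parse_version(text):
    """Return (major, minor, patch) from '5.18.2' or '5.16.7-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version_text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Every other branch (5.15.x and older): affected iff older than 5.15.16
    return v < OLDEST_FIXED

INVENTORY = """\
broker-a,5.18.2
broker-b,5.18.3
broker-c,5.17.5
broker-d,5.16.7
broker-e,5.15.15
broker-f,5.14.0
broker-g,5.19.0
"""

def triage(inventory_text):
    """Return {host: 'VULNERABLE' | 'patched'} for a 'host,version' listing."""
    result = {}
    for line in inventory_text.splitlines():
        host, version = line.split(",", 1)
        result[host.strip()] = "VULNERABLE" if is_vulnerable(version) else "patched"
    return result

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as VULNERABLE are the ones to patch first and, per the note below, to hunt on afterwards.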

Don’t forget to threat hunt on these devices after patching, as they are likely already compromised.

Info from Apache:

ShadowServer Scan findings:

Arctic Wolf Blog post:

Rapid 7 Blog post:

Huntress Labs Blog post:

AlienVault current list of IOCs:

Reach out to our incident response team for help
