Apache ActiveMQ ZeroDay Vulnerability exploited by multiple ransomware groups.

Share This Post

On October 27, 2023, Apache announced CVE-2023-46604, a critical Remote Code Execution vulnerability that could allow an attacker to run arbitrary code against a vulnerable server that is exposed to the internet. They also published a patch for the vulnerability on the 27th, but per a report from ShadowServer, there are still 3329 of the roughly 9200 Apache ActiveMQ servers exposed publicly that are still unpatched.

Both Arctic Wolf and Huntress Labs have reported seeing the vulnerability exploited as far back as October 10th in attacks to deploy SparkRat Ransomware. Since then Huntress Labs and Rapid 7 have reported seeing HelloKitty and TellYouThePass (targets Linux) ransomware being deployed using this vulnerability.

The issue affects the following Apache Active MQ and Legacy OpenWire Module versions:

  • 5.18.x versions before 5.18.3
  • 5.17.x versions before 5.17.6
  • 5.16.x versions before 5.16.7
  • All versions before 5.15.16

The vulnerability was patched with the release of versions 5.15.165.16.75.17.6, and 5.18.3, which are the recommended upgrade targets.

Don’t forget to threat hunt these devices after patching as they are likely already compromised.

Info from Apache: https://activemq.apache.org/news/cve-2023-46604

ShadowServer Scan findings: https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/

Arctic Wolf Blog post: https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/

Rapid 7 Blog post: https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/

Huntress Labs Blog post: https://www.huntress.com/blog/critical-vulnerability-exploitation-of-apache-activemq-cve-2023-46604

AlienVault current list of IOCs: https://otx.alienvault.com/pulse/65451192eb12710e0f919d42



Reach out to our incident response team for help

More To Explore

Information Security News 9-30-2024

NIST Drops Password Complexity, Mandatory Reset Rules Article Link: https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules Hacker Plants False Memories in ChatGPT to Steal User Data in Perpetuity Article Link: https://arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel/

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.