On October 27, 2023, Apache announced CVE-2023-46604, a critical remote code execution vulnerability that allows an attacker to run arbitrary code on a vulnerable server exposed to the internet. Apache published a patch the same day, but according to a ShadowServer report, 3329 of the roughly 9200 publicly exposed Apache ActiveMQ servers remain unpatched.
Both Arctic Wolf and Huntress Labs have reported seeing the vulnerability exploited as far back as October 10th in attacks deploying SparkRAT ransomware. Since then, Huntress Labs and Rapid7 have reported HelloKitty and TellYouThePass (which targets Linux) ransomware being deployed using this vulnerability.
The issue affects the following Apache ActiveMQ and Legacy OpenWire Module versions:
- 5.18.x versions before 5.18.3
- 5.17.x versions before 5.17.6
- 5.16.x versions before 5.16.7
- All versions before 5.15.16
The vulnerability was patched with the release of versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, which are the recommended upgrade targets.
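To turn the version ranges above into a repeatable check, here is an added example (not code from Apache or any of the vendors cited) that classifies ActiveMQ version strings against exactly those ranges and triages a constructed host inventory; the inventory format (one "host version" per line) is an assumption for the demo.

```python
"""Classify Apache ActiveMQ versions against the CVE-2023-46604 affected ranges.

Added example, not from the advisory. The fixed releases below are the ones
the advisory lists; the inventory at the bottom is constructed sample data.
"""
import re
from typing import Optional

# First fixed release on each maintained branch, per the advisory.
FIXED_BY_BRANCH = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
# Everything below 5.15.16 (5.15.x and all older releases) is affected.
LEGACY_FIXED = (5, 15, 16)

# Leading major.minor.patch; trailing qualifiers like "-SNAPSHOT" are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if in an affected range, False if at/after the fix, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # 5.15 and anything older: fixed from 5.15.16; newer branches are not listed.
    return v < LEGACY_FIXED


def triage(inventory: str) -> dict:
    """Bucket 'host version' lines into vulnerable / patched / unknown hosts."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.strip().partition(" ")
        state = is_vulnerable(ver)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """mq-prod-01 5.18.2
mq-prod-02 5.18.3
mq-legacy-01 5.15.15
mq-legacy-02 5.15.16
mq-dev-01 unknown
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```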
Don’t forget to threat hunt these devices after patching, as they are likely already compromised.
Info from Apache: https://activemq.apache.org/news/cve-2023-46604
ShadowServer Scan findings: https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/
Arctic Wolf Blog post: https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
Rapid7 Blog post: https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
Huntress Labs Blog post: https://www.huntress.com/blog/critical-vulnerability-exploitation-of-apache-activemq-cve-2023-46604
AlienVault current list of IOCs: https://otx.alienvault.com/pulse/65451192eb12710e0f919d42