Project Hyphae

Apache ActiveMQ ZeroDay Vulnerability exploited by multiple ransomware groups.

Share This Post

On October 27, 2023, Apache announced CVE-2023-46604, a critical Remote Code Execution vulnerability that could allow an attacker to run arbitrary code against a vulnerable server that is exposed to the internet. They also published a patch for the vulnerability on the 27th, but per a report from ShadowServer, there are still 3329 of the roughly 9200 Apache ActiveMQ servers exposed publicly that are still unpatched.

Both Arctic Wolf and Huntress Labs have reported seeing the vulnerability exploited as far back as October 10th in attacks to deploy SparkRat Ransomware. Since then Huntress Labs and Rapid 7 have reported seeing HelloKitty and TellYouThePass (targets Linux) ransomware being deployed using this vulnerability.

The issue affects the following Apache Active MQ and Legacy OpenWire Module versions:

  • 5.18.x versions before 5.18.3
  • 5.17.x versions before 5.17.6
  • 5.16.x versions before 5.16.7
  • All versions before 5.15.16

The vulnerability was patched with the release of versions, and 5.18.3, which are the recommended upgrade targets.

Don’t forget to threat hunt these devices after patching as they are likely already compromised.

Info from Apache:

ShadowServer Scan findings:

Arctic Wolf Blog post:

Rapid 7 Blog post:

Huntress Labs Blog post:

AlienVault current list of IOCs:

Reach out to our incident response team for help

More To Explore

Information Security News 6-10-2024

Frontier Warns 750,000 of a Data Breach After Extortion Threats Article Link: ‘Fog’ Ransomware Rolls in to Target Education, Recreation Sectors Article Link:

Information Security News 6-3-2024

Snowflake Data Breach Impacts Ticketmaster, Other Organizations Article Link: 2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx Article Link: LastPass

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.