HelloKitty ransomware deployed via critical Apache ActiveMQ flaw

Attackers have begun exploiting a critical remote code execution vulnerability patched last week in Apache ActiveMQ to deploy ransomware in enterprise networks. Users are urged to upgrade the software as soon as possible. “Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments,” researchers from security firm Rapid7 said in a report. “In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations.”

Based on the ransom note left behind and other details of the attack, Rapid7 believes the attackers deployed the HelloKitty ransomware program whose source code was leaked on underground forums earlier this month.

A critical Java deserialization flaw

Apache ActiveMQ is a Java open-source message broker that supports several transmission protocols for transferring messages and data between different applications and clients written in different programming languages. It is a popular middleware used in developing enterprise software solutions.

On October 25, developers of ActiveMQ released security updates to patch a critical vulnerability tracked as CVE-2023-46604 that can lead to remote code execution. Vulnerability details and a proof-of-concept exploit have since been posted online by security researchers. “The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” the official advisory reads.

According to Rapid7, the flaw stems from insecure deserialization. Serialization is the conversion of in-memory objects into a byte stream for transmission over the wire and is a common technique in Java applications. Deserialization is the reverse of that process at the receiving end; if the incoming stream is not properly validated before objects are reconstructed from it, it can lead to security issues. Java deserialization has become its own category of vulnerabilities in recent years, with many projects affected by such flaws.
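The advisory quoted above describes the bug class precisely: the broker reads a class name from untrusted input and instantiates whatever class that name resolves to. The standard mitigation is to resolve only class names on an explicit allowlist. The following is an added illustration of that pattern, not ActiveMQ's own Java code; it uses Python's pickle, which has the same "instantiate a class named by the input" behaviour, and the allowlist contents and sample messages are constructed for the example.

```python
import collections
import io
import pickle

# Allowlist of (module, name) pairs the receiver genuinely needs.
# Constructed for this example; a real deployment lists its own message types.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class not on the allowlist.

    find_class is the hook pickle calls whenever the stream names a class
    or function by module and name, which is the same step that an OpenWire
    broker performs when it instantiates a serialized class type.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to instantiate {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """Deserialize with no restriction, as a vulnerable receiver would."""
    return pickle.loads(data)


def demo():
    """Compare the restricted and unrestricted receivers on two constructed messages."""
    # A plain dict/list message needs no class lookup at all.
    benign = pickle.dumps({"queue": "orders", "ids": [1, 2, 3]})
    # An OrderedDict serializes as a reference to collections.OrderedDict,
    # so deserializing it forces the receiver to resolve a class by name.
    needs_class = pickle.dumps(collections.OrderedDict(a=1))

    results = {"benign": safe_loads(benign)}
    try:
        safe_loads(needs_class)
        results["ordereddict"] = "allowed"
    except pickle.UnpicklingError:
        results["ordereddict"] = "rejected"
    # The unrestricted receiver happily instantiates whatever the stream names.
    results["unrestricted"] = type(unsafe_loads(needs_class)).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that the restricted receiver rejects the message before any object of the unexpected class is built, whereas the unrestricted one resolves and instantiates it; the allowlist, not the class name in the stream, decides what code can run.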

The HelloKitty ransomware

HelloKitty is a ransomware program that first appeared in 2020 and has been used in several high-profile attacks, including one against game studio CD Projekt Red in February 2021, when attackers claimed to have stolen the source code for several popular games including Cyberpunk 2077, Witcher 3, and Gwent.

In October 2021, the FBI issued an advisory and indicators of compromise for attacks using the HelloKitty ransomware, which is also known as FiveHands. The agency notes that the gang behind it uses double extortion tactics that include launching distributed denial-of-service (DDoS) attacks against websites of victims that don’t pay in time. The attackers also deploy penetration testing tools such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire on compromised networks to move laterally.

Earlier this month an archive containing what appears to be the full source code of the HelloKitty ransomware program was posted on a cybercrime forum. The user who published it might be the original creator, who noted that the gang is working on a new and better ransomware product, and therefore HelloKitty is considered outdated.

It’s hard to tell if the attackers now exploiting CVE-2023-46604 are the original gang or someone who adopted the program after it was leaked. The Rapid7 researchers noted that the attackers appeared to be clumsy, failing several times to encrypt assets in one of the attacks, which could suggest they are still getting used to the program.

Following successful exploitation of the flaw, the attackers attempted to execute two binary files called M2.png and M4.png using MSIExec. In both cases the parent process was the ActiveMQ executable. Both files were 32-bit .NET executables that were internally named dllloader and which loaded a Base64-encoded payload. The payload was another 32-bit .NET DLL named EncDLL that implemented the ransomware functionality.

“Rapid7 observed the DLL will encrypt specific file extensions using the RSACryptoServiceProvider function, appending encrypted files with the extension .locked,” the researchers said. “We also observed another function that provided information about which directories to avoid encrypting, a static variable assigned with the ransomware note, and a function that attempted communication to an HTTP server.”
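The process chain described above (the ActiveMQ process spawning MSIExec to "install" a file with a .png extension) is unusual enough to be a detection on its own. The following is an added example, not code from the Rapid7 report, that runs that logic over constructed Sysmon-style process-creation events; the field names, the ActiveMQ install path and the event contents are assumptions made for the example, with only the M2.png and M4.png file names taken from the report.

```python
import ntpath
import re

# Constructed sample process-creation events in a Sysmon-like shape.
# Paths and parent images are hypothetical; only the payload names come from the report.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\apache-activemq\bin\win64\wrapper.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /q /i "C:\Users\Public\M2.png"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Temp\vendor-agent.msi"'},
    {"id": 3, "parent_image": r"C:\apache-activemq\bin\win64\wrapper.exe",
     "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "command_line": r"java.exe -Dactivemq.home=C:\apache-activemq org.apache.activemq.console.Main start"},
    {"id": 4, "parent_image": r"C:\apache-activemq\bin\win64\wrapper.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /q /i "C:\Users\Public\M4.png"'},
]

# Extensions MSIExec is legitimately asked to process.
INSTALLER_EXTENSIONS = {".msi", ".msp", ".mst"}


def _payload_args(command_line: str):
    """Return the file-like arguments of an msiexec command line (switches removed)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    return [t for t in tokens[1:] if not t.startswith("/") and ntpath.splitext(t)[1]]


def classify_event(event: dict):
    """Return a list of reasons an msiexec launch looks suspicious (empty if benign)."""
    reasons = []
    if ntpath.basename(event["image"]).lower() != "msiexec.exe":
        return reasons
    # A message broker has no business launching the Windows Installer.
    parent = (event["parent_image"] + " " + event.get("parent_command_line", "")).lower()
    if "activemq" in parent:
        reasons.append("msiexec spawned by ActiveMQ process")
    # MSIExec given a file that is not an installer package (e.g. a ".png") is a masquerade.
    for arg in _payload_args(event["command_line"]):
        if ntpath.splitext(arg)[1].lower() not in INSTALLER_EXTENSIONS:
            reasons.append(f"msiexec asked to run non-installer file {arg}")
    return reasons


def find_suspicious(events):
    """Map event id -> reasons for every event that triggers at least one rule."""
    hits = {}
    for event in events:
        reasons = classify_event(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Either rule alone is worth alerting on; together they match the chain in the report exactly, while the benign installer run from explorer.exe and the broker's own Java child process produce no hit.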

ActiveMQ users are advised to install the available updates for their respective versions and follow the Apache Foundation’s guidance on hardening the security of their ActiveMQ deployments. The Rapid7 report includes indicators of compromise that can be used to develop detections.
