Researchers at Rapid7 have identified suspected exploitation of Apache ActiveMQ servers by the “Hello Kitty” ransomware.
On November 02, 2023, Rapid7’s Managed Detection and Response (MDR) team published an article reporting suspected exploitation of Apache ActiveMQ in the environments of two different customers.
The investigation found that threat actors had attempted to deploy ransomware binaries on their targets, with the primary intention of ransoming the victims.
Rapid7 MDR stated that:
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family.”
In October, the source code of the malware was reported to have been leaked on a public forum.
INFORMATION ON CVE-2023-46604 VULNERABILITY:
The vulnerability, tracked as CVE-2023-46604, is a remote code execution vulnerability in the Apache ActiveMQ server. It allows a remote threat actor with network access to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol.
Upon successful exploitation, the broker is forced to instantiate any class on the classpath.
On the 25th of October 2023, Apache not only disclosed the vulnerability but also released new versions of ActiveMQ. Proof-of-concept (PoC) exploit code is now publicly available.
Rapid7 MDR team disclosed that:
“The behavior MDR observed in customer environments is similar to what we would expect from exploitation of CVE-2023-46604.”
LIST OF PRODUCTS AFFECTED BY CVE-2023-46604:
Apache lists the following Apache ActiveMQ versions as affected by CVE-2023-46604:
- 5.18.0 before 5.18.3.
- 5.17.0 before 5.17.6.
- 5.16.0 before 5.16.7.
- before 5.15.16.
- Legacy OpenWire Module 5.18.0 before 5.18.3.
- Legacy OpenWire Module 5.17.0 before 5.17.6.
- Legacy OpenWire Module 5.16.0 before 5.16.7.
- Legacy OpenWire Module 5.8.0 before 5.15.16.
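As an added illustration (not code from Rapid7 or Apache), the following Python compares an installed ActiveMQ version string against the affected ranges listed above and names the first fixed release to upgrade to. The host inventory at the bottom is constructed sample data.

```python
# Added example: triage ActiveMQ versions against the CVE-2023-46604 ranges above.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, or None for "all earlier releases"; first fixed release)
# Ranges for the main Apache ActiveMQ product, taken from the list above.
CORE_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    (None,       (5, 15, 16)),
]

# Ranges for the Legacy OpenWire Module, also from the list above.
LEGACY_OPENWIRE_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((5, 8, 0),  (5, 15, 16)),
]


def parse_version(text: str) -> Version:
    """Turn '5.17.2' (or '5.17.2-SNAPSHOT') into a comparable tuple of ints."""
    core = text.strip().split("-")[0]          # drop any qualifier suffix
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts  # type: ignore[return-value]


def fixed_version_for(version: str, legacy_openwire: bool = False) -> Optional[str]:
    """Return the first fixed release if `version` falls in an affected range,
    or None if the installed release is already past the fix."""
    v = parse_version(version)
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else CORE_RANGES
    for lower, fixed in ranges:
        if (lower is None or v >= lower) and v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each vulnerable host to the release it must upgrade to; patched hosts are omitted."""
    return {host: fix for host, ver in inventory.items()
            if (fix := fixed_version_for(ver)) is not None}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames, not data from the page).
    sample = {"mq-prod-01": "5.17.2", "mq-prod-02": "5.18.3", "mq-old-01": "5.15.9"}
    for host, fix in triage_inventory(sample).items():
        print(f"{host}: upgrade to {fix}")
```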
Rapid7 further reports that the “Hello Kitty” ransomware consists of two files, M4.png and M2.png. These files are actually 32-bit .NET executables named dllloader, each containing a Base64-encoded payload.
Rapid7 further stated that:
“We also observed another function that provided information about which directories to avoid encrypting, a static variable assigned with the ransomware note, and a function that attempted communication to an HTTP server, 172.245.16[.]125.”
The ransom note includes email addresses through which the threat actors are to be contacted. Rapid7 has released a list of IoCs and mitigations. For more information, please visit Rapid7.
Please let us know your thoughts about this in the comment section.