HelloKitty Ransomware Exploiting Apache ActiveMQ Flaw
The recently disclosed Apache ActiveMQ remote code execution (RCE) flaw, CVE-2023-46604, is being exploited to deploy ransomware binaries on targeted systems and demand a ransom from the victim organizations.
Based on the evidence and the ransom note, Rapid7 researchers have linked the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.
CVE-2023-46604 is a critical-severity RCE with a CVSS v3 score of 10.0. It abuses the serialized class types in the OpenWire protocol, allowing attackers to execute arbitrary shell commands.
“The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” ShadowServer reports.
Indicators of compromise were present in each of the impacted customer environments, all of which were running outdated Apache ActiveMQ versions.
Affected Versions
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
On October 25, 2023, Apache disclosed the issue and released updated ActiveMQ versions. Details of the vulnerability and proof-of-concept exploit code have both been made publicly available.
HelloKitty Ransomware Exploiting Apache ActiveMQ Flaw
The HelloKitty ransomware first appeared in 2020 and has since been used in several high-profile attacks.
In this case, after successful exploitation the attacker attempts to use the Windows Installer (msiexec) to load remote binaries named M2.png and M4.png.
A 32-bit .NET executable named dllloader, contained in each of the MSI files, loads a Base64-encoded payload called EncDLL. EncDLL behaves like typical ransomware: it searches for and terminates a specific set of processes before starting the encryption routine and appending the “.locked” extension to the encrypted files.
Fix Released
The flaw has been addressed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
Mitigation
Organizations should upgrade to a fixed version of ActiveMQ as soon as possible and inspect their systems for signs of compromise.
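As an added example (not code from the original article or from the Apache project), the following Python script encodes the affected version ranges listed above so that a defender can triage a broker inventory against the fixed releases; the host names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
# A lower bound of None means "every earlier release" (core ActiveMQ before 5.15.16).
AFFECTED_RANGES: Dict[str, List[Tuple[Optional[Version], Version]]] = {
    "activemq": [
        ((5, 18, 0), (5, 18, 3)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 16, 0), (5, 16, 7)),
        (None, (5, 15, 16)),
    ],
    "legacy-openwire": [
        ((5, 18, 0), (5, 18, 3)),
        ((5, 17, 0), (5, 17, 6)),
        ((5, 16, 0), (5, 16, 7)),
        ((5, 8, 0), (5, 15, 16)),
    ],
}


def parse_version(text: str) -> Version:
    """Turn '5.15.15' or '5.18.2-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '5.18' to (5, 18, 0)


def is_vulnerable(version: str, product: str = "activemq") -> bool:
    """True if `version` falls inside an affected range for CVE-2023-46604."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < high
               for low, high in AFFECTED_RANGES[product])


def triage(inventory: Dict[str, str], product: str = "activemq") -> List[str]:
    """Return the hosts in {host: version} that still need the fixed release."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver, product))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    sample = {"mq-01": "5.15.15", "mq-02": "5.18.3", "mq-03": "5.17.2", "mq-04": "5.16.7"}
    print("needs patching:", triage(sample))
```

The fixed releases (5.15.16, 5.16.7, 5.17.6, 5.18.3) sit exactly on the exclusive upper bounds, so they are reported as not vulnerable while any pre-release build of the same number (for example 5.18.2-SNAPSHOT) still is.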
Source credit : cybersecuritynews.com