Rapid7 Managed Detection and Response (MDR) found potential exploitation of Apache ActiveMQ CVE-2023-46604 in two distinct customer scenarios on Friday, October 27.
Background:
In all cases, the adversary attempted to install ransomware binaries on target systems to hold the victim company ransom. They attributed the activity to the HelloKitty ransomware family, whose source code was posted on a forum in early October, based on the ransom note and accessible evidence.
CVE-2023-46604:
CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker to run arbitrary shell commands by causing the broker to instantiate any class on the classpath by manipulating serialized class types in the OpenWire protocol. This is one of the most complicated vulnerability descriptions encountered, but the underlying cause is insecure deserialization.
Apache ActiveMQ is an open-source message broker and message-oriented middleware (MOM) platform. It is written in Java and developed by the Apache Software Foundation. ActiveMQ gives multiple applications messaging and communication features, making it easier for them to share data and communicate asynchronously.
On October 25, 2023, Apache revealed the issue and provided upgraded versions of ActiveMQ. Both the proof-of-concept exploit code and the vulnerability details are public.
The system’s failure to properly check the generation of throwable classes within ExceptionResponseMarshaller is the key issue triggering this vulnerability. Attackers use this ExceptionResponse, which is intended for certain activities, to trigger a chain of events that allows them to run whatever code they want on the system.
Affected Products:
According to Apache’s advisory, CVE-2023-46604 affects the following:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Active Exploitation:
Forensic evidence suggests that Arctic Wolf Labs detected CVE-2023-46604 exploitation in the wild as early as October 10, 2023, much before the CVE was announced or any proof-of-concept exploitation code became accessible. Following the successful exploitation of CVE-2023-46604, 45.32.120[.]181 was seen distributing SparkRAT. Furthermore, two unique ransomware operations were discovered recently, both of which used this vulnerability to obtain early access. The IP address 172.245.16[.]125 was also seen sending additional payloads as part of the ransomware attacks.
Rapid7’s vulnerability research team has examined CVE-2023-46604 and made a public exploit code accessible. Activemq.log in their test setup had a single line entry for successful exploitation of CVE-2023-46604. The researcher’s (“attacker’s”) exploit is shown below, with their IP address 192.168.86.35 and the target TCP port 61616:
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
The Rapid7 vulnerability research team has taken the published proof-of-concept and validated that the observed behavior in customer environments matches what we would expect from CVE-2023-46604 exploitation.
Mitigation:
Organizations should immediately upgrade to an updated version of ActiveMQ to mitigate the issue. To successfully resolve this issue, Apache ActiveMQ users are suggested to update to the newest version:
- 5.17.6
- 5.18.3
- 5.16.7
- 5.15.16
Additionally, admins should conduct an assessment of their environments to identify any potential indicators of compromise mentioned below.
Apache also has information on improving the security of ActiveMQ implementations here (https://activemq.apache.org/security).
IOCs:
http://172.245.16[.]125/m2.png
http://172.245.16[.]125/m4.png
45.32.120[.]181
172.245.16[.]125
4.216.93[.]211
38.6.160[.]44
23.94.248[.]134
23.225.116[.]3
193.187.172[.]73
mail4[.]amazuorn[.]com
hellokittycat[.]online
hellowinter[.]online
d065d44d0412aef867f66626b5c4a3d7d0a3bdb59c61712b0c71efbf9865a7a6
8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7
3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5
7af5c37cc308a222f910d6a7b0759837f37e3270e22ce242a8b59ed4d7ec7ceb
5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e
e19e1601b92f456dcbc21b7024237d60
43c8eea4bab853cda8a5ca8e9eb1a9d68ac38b32c8fee3583df33d2dfcef42ac
6cdc10000d9291291c7ce0c63438796614bd21ec7e327c7f48c4ddd16ccf036f