Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two distinct customer environments on Friday, October 27, 2023.
In both cases, the adversary attempted to deploy ransomware binaries on target systems in order to extort the victim organization. Based on the ransom note and the available evidence, Rapid7 attributed the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.
CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ. It allows a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol so that the broker instantiates any class on its classpath. The description is convoluted, but the underlying cause is a familiar one: insecure deserialization.
Apache ActiveMQ is an open-source message broker and message-oriented middleware (MOM) platform, written in Java and developed by the Apache Software Foundation. It provides messaging and communication features that let multiple applications share data and communicate asynchronously.
On October 25, 2023, Apache disclosed the issue and released fixed versions of ActiveMQ. Both the vulnerability details and proof-of-concept exploit code are public.
The root cause is that the marshaller for the OpenWire ExceptionResponse command (ExceptionResponseMarshaller) does not validate the class it reconstructs when it unmarshals a throwable. It reads a class name and a message string from the connection, resolves the class by name and invokes that class's single-String constructor, without first checking that the class is actually a Throwable. ExceptionResponse exists so that a peer can report an error; an attacker who can reach the broker's OpenWire port instead sends one that names any class on the classpath whose String constructor does something useful to them, and the broker instantiates it, which is what leads to arbitrary code execution.
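The decode path described above, as an added example that is not part of the original post or of ActiveMQ's own code: a small Python parser for the loose-encoded OpenWire ExceptionResponse frame (the encoding a broker accepts before any WireFormatInfo negotiation), which extracts the class name and message that the vulnerable marshaller hands to Class.forName and the single-String constructor, and then applies the check the fixed releases add, namely refusing anything that is not a Throwable. Python cannot consult the JVM class hierarchy, so KNOWN_THROWABLES is an allowlist assumed for this example; build_exception_response constructs the two sample frames inline, and org.example.NotAThrowable is a hypothetical class name.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EXCEPTION_RESPONSE_TYPE = 31  # OpenWire data-structure type byte of ExceptionResponse

# Stand-in for Java's Throwable.class.isAssignableFrom(clazz), which is what the
# fixed marshaller checks before instantiating the named class. This allowlist is
# an assumption of the example, not something ActiveMQ ships.
KNOWN_THROWABLES = {
    "java.lang.Throwable", "java.lang.Exception", "java.lang.RuntimeException",
    "java.lang.IllegalStateException", "java.io.IOException",
    "javax.jms.JMSException",
}


@dataclass
class ExceptionResponse:
    command_id: int
    response_required: bool
    correlation_id: int
    class_name: Optional[str]   # what the broker passes to Class.forName
    message: Optional[str]      # what the broker passes to the String constructor


class LooseReader:
    """Reads OpenWire loose encoding: ints big-endian, booleans one byte,
    strings as a one-byte non-null flag followed by writeUTF (2-byte length + bytes)."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated frame")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def i32(self) -> int:
        return struct.unpack(">i", self.take(4))[0]

    def boolean(self) -> bool:
        return self.u8() != 0

    def string(self) -> Optional[str]:
        if not self.boolean():
            return None
        (length,) = struct.unpack(">H", self.take(2))
        return self.take(length).decode("utf-8")  # modified UTF-8 == UTF-8 for ASCII names


def parse_exception_response(frame: bytes) -> ExceptionResponse:
    r = LooseReader(frame)
    size = r.i32()                       # size prefix covers everything after these 4 bytes
    if size != len(frame) - 4:
        raise ValueError("size prefix does not match frame length")
    if r.u8() != EXCEPTION_RESPONSE_TYPE:
        raise ValueError("not an ExceptionResponse command")
    command_id = r.i32()                 # BaseCommandMarshaller fields
    response_required = r.boolean()
    correlation_id = r.i32()             # ResponseMarshaller field
    class_name = message = None
    if r.boolean():                      # looseUnmarshalThrowable: exception present
        class_name = r.string()
        message = r.string()
    return ExceptionResponse(command_id, response_required, correlation_id, class_name, message)


def passes_throwable_check(resp: ExceptionResponse) -> bool:
    """Models the post-fix validation: only a Throwable may be instantiated."""
    return resp.class_name is None or resp.class_name in KNOWN_THROWABLES


def build_exception_response(class_name: str, message: str,
                             command_id: int = 0, correlation_id: int = 0) -> bytes:
    """Encodes an ExceptionResponse in loose form (constructed test input for the parser)."""
    body = bytearray([EXCEPTION_RESPONSE_TYPE])
    body += struct.pack(">i", command_id)
    body += b"\x00"                      # responseRequired = false
    body += struct.pack(">i", correlation_id)
    body += b"\x01"                      # exception present
    for text in (class_name, message):
        raw = text.encode("utf-8")
        body += b"\x01" + struct.pack(">H", len(raw)) + raw
    return struct.pack(">i", len(body)) + bytes(body)


if __name__ == "__main__":
    for frame in (build_exception_response("java.lang.IllegalStateException", "broker stopped"),
                  build_exception_response("org.example.NotAThrowable", "attacker-chosen argument")):
        resp = parse_exception_response(frame)
        verdict = "accept" if passes_throwable_check(resp) else "REJECT: not a Throwable"
        print(f"{resp.class_name}: {verdict}")
```

Pointed at frames captured from the broker's OpenWire port (61616 by default), the parser shows which class names peers are asking the broker to instantiate; a patched broker rejects a non-Throwable name before instantiation, an unpatched one runs the constructor first and only then discovers it did not get a Throwable.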
According to Apache’s advisory, CVE-2023-46604 affects the following:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
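A version check against the ranges above, added here as an example rather than taken from the original post or from Apache: it parses release numbers (from a plain string or from a jar file name such as activemq-client-5.17.5.jar, a constructed example path) into integer tuples so that 5.16.10 correctly sorts after 5.16.7, and reports the first fixed release of the matching branch. The 5.8.0 lower bound for the Legacy OpenWire Module comes from the list above; treating the broker's oldest range as starting at 0.0.0 is an assumption that reads "before 5.15.16" literally.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, first fixed release) for each branch in the advisory list.
BROKER_RANGES: List[Tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),   # "before 5.15.16": every older broker release (assumed bound)
]
# The Legacy OpenWire Module list is identical except its oldest range starts at 5.8.0.
LEGACY_OPENWIRE_RANGES = BROKER_RANGES[:3] + [((5, 8, 0), (5, 15, 16))]

JAR_RE = re.compile(r"activemq[\w-]*?-(\d+\.\d+\.\d+)[^/\\]*\.jar$")


def parse_version(text: str) -> Version:
    """'5.17.5' or '5.17.5-SNAPSHOT' -> (5, 17, 5); anything else is rejected."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_from_jar(path: str) -> Version:
    """Pulls the release out of an ActiveMQ jar file name, e.g. .../activemq-client-5.17.5.jar."""
    m = JAR_RE.search(path)
    if not m:
        raise ValueError(f"not an ActiveMQ jar name: {path!r}")
    return parse_version(m.group(1))


def fixed_release_for(version: Version, legacy_openwire: bool = False) -> Optional[Version]:
    """First fixed release of the branch *version* falls in, or None if not affected."""
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else BROKER_RANGES
    for low, fixed in ranges:
        if low <= version < fixed:      # tuple comparison, so 5.16.10 > 5.16.7
            return fixed
    return None


def is_affected(text: str, legacy_openwire: bool = False) -> bool:
    return fixed_release_for(parse_version(text), legacy_openwire) is not None


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


if __name__ == "__main__":
    for found in ("5.17.5", "5.16.10", "5.15.15", "5.18.3"):
        fixed = fixed_release_for(parse_version(found))
        status = f"affected, upgrade to {format_version(fixed)}" if fixed else "not affected"
        print(f"{found}: {status}")
```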
Arctic Wolf Labs has reported forensic evidence that CVE-2023-46604 was exploited in the wild as early as October 10, 2023, well before the CVE was published or any proof-of-concept exploit code became available. Following successful exploitation, the address 45.32.120[.]181 was observed distributing SparkRAT. Two separate ransomware operations were also recently identified using this vulnerability for initial access; the address 172.245.16[.]125 was seen delivering additional payloads in those attacks.
Rapid7's vulnerability research team has examined CVE-2023-46604 and tested the publicly available exploit code. In their test setup, successful exploitation left a single entry in activemq.log. That entry is shown below; 192.168.86.35 is the researcher's ("attacker's") address and 61616 is the target broker's OpenWire TCP port:
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
Using the published proof-of-concept, the team validated that the behavior observed in customer environments matches what CVE-2023-46604 exploitation would be expected to produce.
Organizations should upgrade ActiveMQ immediately. The fixed releases are the ones the affected-version list above stops short of: 5.15.16, 5.16.7, 5.17.6 and 5.18.3, and the same fixed versions apply to the Legacy OpenWire Module. Install the fixed release for your branch, or the latest release.
Administrators should also assess their environments for indicators of compromise, including the IP addresses noted above and unexplained failed OpenWire transport connections in activemq.log of the kind shown in the log entry above.
Apache also publishes guidance on hardening ActiveMQ deployments at https://activemq.apache.org/security.
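A log triage script for the activemq.log entry above and for the indicator sweep recommended here, added as an example (not Rapid7's tooling): it parses log lines in the pipe-delimited layout shown, extracts the peer address from every failed transport connection, and counts hits against the IP addresses reported above. The first line of SAMPLE_LOG is the entry quoted above; the remaining lines, including the broker ID and the failure reasons in them, are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Indicator addresses reported above, defanged as on the page and refanged here for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in ("45.32.120[.]181", "172.245.16[.]125")}

# Line 1 is the Rapid7 test-broker entry quoted above; the rest are constructed.
SAMPLE_LOG = """\
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
2023-10-31 05:05:12,001 | INFO | Apache ActiveMQ 5.17.5 (localhost, ID:broker-1-1) started | org.apache.activemq.broker.BrokerService | main
2023-10-31 05:06:03,442 | WARN | Transport Connection to: tcp://45.32.120.181:51234 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///45.32.120.181:51234@61616
2023-10-31 05:06:03,500 | WARN | Transport Connection to: tcp://45.32.120.181:51240 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///45.32.120.181:51240@61616
2023-10-31 05:07:45,910 | WARN | Transport Connection to: tcp://172.245.16.125:40022 failed: java.net.SocketException: Connection reset | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///172.245.16.125:40022@61616
"""

# activemq.log layout: "<timestamp> | <level> | <message> | <logger> | <thread>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \| (?P<level>\w+)\s*\| "
    r"(?P<msg>.*?) \| (?P<logger>\S+) \| (?P<thread>.*)$"
)
TRANSPORT_FAIL_RE = re.compile(
    r"^Transport Connection to: tcp://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) failed: (?P<reason>.+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Splits one log line into its fields, or returns None for lines in another layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def transport_failures(log_text: str) -> List[dict]:
    """Every failed-transport warning, with the peer IP and port and the failure reason."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = TRANSPORT_FAIL_RE.match(rec["msg"])
        if m:
            hits.append({"ts": rec["ts"], "ip": m["ip"], "port": int(m["port"]), "reason": m["reason"]})
    return hits


def source_ip_counts(log_text: str) -> Counter:
    """Failed transport connections per peer address, busiest first when .most_common() is used."""
    return Counter(h["ip"] for h in transport_failures(log_text))


def ioc_hits(log_text: str) -> Dict[str, int]:
    """Failed transports that came from an address on the indicator list."""
    return {ip: n for ip, n in source_ip_counts(log_text).items() if ip in IOC_IPS}


if __name__ == "__main__":
    for ip, n in source_ip_counts(SAMPLE_LOG).most_common():
        flag = "IOC" if ip in IOC_IPS else "   "
        print(f"{flag} {ip:<16} {n} failed transport connection(s)")
```

Treat the output as leads, not proof: the same WARN line is written whenever any client drops an OpenWire connection, so a match on the listed addresses, or a burst of failures from one unfamiliar source, is a reason to pull host telemetry for the broker and check the version, not a confirmed compromise on its own.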