HomeCyber BalkansHello Kitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Hello Kitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Published on

spot_img


Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.

“In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” cybersecurity firm Rapid7 disclosed in a report published Wednesday.

“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”

The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands.

It’s worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.

The vulnerability affects the following versions –

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Since the bug’s disclosure, a proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from exploitation of CVE-2023-46604.”

Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).

Both the MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching and terminating a specific set of processes before commencing the encryption process and appending the encrypted files with the “.locked” extension.

The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are susceptible to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.

In light of the active exploitation of the flaw, users are recommended to update to the fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.

Update#

Cybersecurity company Huntress has also confirmed the HelloKitty ransomware infections, stating “exploitation for this attack is trivial.”

Reference: https://thehackernews.com/2023/11/hellokitty-ransomware-group-exploiting.html?utm_source=dlvr.it&utm_medium=linkedin

AH



Source link

Latest articles

The Battle Behind the Screens

 As the world watches the escalating military conflict between Israel and Iran, another...

Can we ever fully secure autonomous industrial systems?

 In the rapidly evolving world of industrial IoT (IIoT), the integration of AI-driven...

The Hidden AI Threat to Your Software Supply Chain

AI-powered coding assistants like GitHub’s Copilot, Cursor AI and ChatGPT have swiftly transitioned...

Why Business Impact Should Lead the Security Conversation

 Security teams face growing demands with more tools, more data, and higher expectations...

More like this

The Battle Behind the Screens

 As the world watches the escalating military conflict between Israel and Iran, another...

Can we ever fully secure autonomous industrial systems?

 In the rapidly evolving world of industrial IoT (IIoT), the integration of AI-driven...

The Hidden AI Threat to Your Software Supply Chain

AI-powered coding assistants like GitHub’s Copilot, Cursor AI and ChatGPT have swiftly transitioned...