Ransomware gang HelloKitty was quick to exploit a recently discovered critical remote code execution (RCE) vulnerability in Apache’s ActiveMQ message broker.
Apache disclosed the bug and released patched versions of ActiveMQ on Oct. 25. Rapid7 said its Managed Detection and Response (MDR) service began identifying suspected exploitation of the vulnerability two days later.
ActiveMQ is a multi-protocol, open-source, Java-based message broker that functions as message-oriented middleware to facilitate communications between clients and servers.
The RCE flaw, tracked as CVE-2023-46604, allows remote attackers with network access to a broker to execute arbitrary shell commands. The bug has the maximum possible CVSS v3 rating of 10.
Evidence points to HelloKitty
In a Nov. 1 blog post, Rapid7 researchers said the firm’s MDR service identified suspected exploitation of the vulnerability in two different customer environments, both of which were running outdated versions of ActiveMQ.
“In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” the researchers wrote.
The firm’s vulnerability research team had tested the proof-of-concept (PoC) exploit code posted on GitHub and had “confirmed that the behavior MDR observed in customer environments is similar to what we would expect from exploitation of CVE-2023-46604,” the researchers said.
The PoC demonstrated how threat actors could leverage the vulnerability to execute remote code by sending a packet with specific server details and a Spring XML URL, SOCRadar said in a post.
Rapid7’s analysis of the files deployed in the attacks revealed a ransom note that advised victims to communicate with the threat group using the email address “service@hellokittycat[.]online.”
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family,” they said.
The researchers described the threat group’s attempts to deploy the ransomware as “somewhat clumsy.”
“In one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets,” they said.
Feds add RCE bug to exploit list
Based on the evidence that the ActiveMQ bug was being actively exploited, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Nov. 2 added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. The KEV listing means all Federal Civilian Executive Branch (FCEB) agencies are required to take steps to remediate the vulnerability by Nov. 23.
“With both technical analysis and a Proof-of-Concept exploit readily accessible, organizations are strongly advised to promptly apply the provided patches to prevent the potential exploitation of CVE-2023-46604,” SOCRadar’s post said. “A successful attack using this vulnerability could compromise your data and lead to disruptions.”
Rapid7 said that, in addition to updating to a fixed version of ActiveMQ as soon as possible, organizations should look for indicators of compromise (IoCs) in their environments. Known IoCs are listed in Rapid7’s post.
The complete source code of the initial version of HelloKitty’s ransomware was leaked last month. Leaked malware is often acquired by other threat groups to run their own campaigns, as was the case with the RA Group, which was observed using leaked Babuk source code to mount its attacks earlier this year.