Critical Apache ActiveMQ flaw under attack by ‘clumsy’ ransomware crims

November 2, 2023 at 01:20PM

Ransomware criminals are exploiting a critical remote code execution vulnerability in Apache ActiveMQ. The developers have released fixes for the affected versions, but many internet-reachable instances remain unpatched, with China hosting the largest number of vulnerable services. The attacks are attributed to the HelloKitty ransomware family, which is known for targeting smaller businesses.

Key Takeaways:

1. Security researchers have confirmed that ransomware criminals are exploiting a critical vulnerability in Apache ActiveMQ.

2. The vulnerability (CVE-2023-46604) allows remote code execution (RCE), enabling an unauthenticated attacker to run arbitrary shell commands on the broker host.

3. The developers have released fixes for the affected versions, and users are urged to upgrade as soon as possible.

4. Rapid7, a security company, has reported two instances of active exploitation of the vulnerability in customer environments, both of which led to attempted ransomware deployment.

5. The HelloKitty ransomware family is suspected to be behind the attacks, possibly via a variant built from its leaked source code.

6. The attacks were described as "clumsy," suggesting a low-skilled individual or group rather than an established operation.

7. Shadowserver, an internet security non-profit, discovered that almost half of all reachable Apache ActiveMQ services are vulnerable to the exploit.

8. Only a small percentage of the services have been patched, leaving thousands still open to attacks.

9. China has the highest number of vulnerable services, followed by the US and Germany.

10. The HelloKitty group gained notoriety for its 2021 attack on CD Projekt Red and the alleged sale of their data.

11. HelloKitty primarily targets smaller businesses and regularly changes its tactics and tools.

12. The group was initially known for targeting Windows machines, but a Linux variant was discovered in 2021.

13. The group’s origins and affiliations remain unclear, although previous information suggested they could be operating out of Ukraine.
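The article says fixes exist and that roughly half of reachable brokers are still unpatched, but it does not list the fixed versions. The script below is an added example (not code from the article, Rapid7, Shadowserver, or the ActiveMQ project) that triages an inventory of ActiveMQ version strings against the fixed releases published in the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3, an external fact the page itself does not state). The inventory, the hostnames, and the assumption that branches older than 5.15 never received a fix while anything newer than 5.18 is unaffected are constructed for the example.

```python
"""Triage Apache ActiveMQ versions against the CVE-2023-46604 fixed releases.

Added example; version thresholds come from the Apache advisory, not from the
article above. Hostnames and version strings in SAMPLE_INVENTORY are constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release per maintained branch (Apache ActiveMQ advisory, CVE-2023-46604).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a tuple.

    Trailing qualifiers such as '-SNAPSHOT' or '-redhat-1' are ignored, because
    the comparison only needs the numeric core. Anything else is rejected rather
    than silently treated as patched.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognized ActiveMQ version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_vulnerable(version_text: str) -> bool:
    """True when the version is below the first fixed release of its branch.

    Assumption (stated in the lead-in): 5.x branches older than 5.15 are
    end-of-life and never received a fix, so they count as vulnerable; branches
    newer than 5.18 postdate the fix and are treated as unaffected.
    """
    version = parse_version(version_text)
    branch = (version[0], version[1])
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    return branch < (5, 15)


# Constructed inventory: what a scan or asset database might hand you.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mq-prod-01.example.internal", "5.18.2"),
    ("mq-prod-02.example.internal", "5.18.3"),
    ("mq-legacy.example.internal", "5.14.5"),
    ("mq-staging.example.internal", "5.17.6-SNAPSHOT"),
    ("mq-eu-01.example.internal", "5.16.6"),
    ("mq-new.example.internal", "6.0.0"),
    ("mq-unknown.example.internal", "n/a"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts into 'vulnerable', 'patched' and 'unparsable'.

    Unparsable entries are reported separately so they are not mistaken for
    patched hosts; an unknown version is a follow-up item, not a clean result.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unparsable": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparsable"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Treat the "unparsable" bucket as work, not noise: a broker whose version cannot be read from the banner or asset record should be confirmed by hand before it is counted as patched.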