Apache ActiveMQ Vulnerability Exploited as Zero-Day

November 4, 2023 at 12:30PM

An Apache ActiveMQ vulnerability, CVE-2023-46604, was exploited in the wild before patches were released, according to Huntress. Thousands of vulnerable internet-exposed instances remain at risk. Evidence suggests the exploitation began as a zero-day on October 10, with attackers attempting to deliver HelloKitty ransomware. Users are urged to update ActiveMQ to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, whichever is the fixed release for their branch. Indicators of compromise are available, and this is not the first Apache ActiveMQ vulnerability to be exploited.

Key takeaways from the article:

1. An Apache ActiveMQ vulnerability tracked as CVE-2023-46604 has been maliciously exploited since at least October 10, prior to the release of patches.

2. Thousands of internet-exposed instances of Apache ActiveMQ are still vulnerable to attacks exploiting CVE-2023-46604, which can result in remote code execution.

3. A patch for the vulnerability was committed to the source code on October 24 and made public on October 27.

4. Exploitation attempts using the CVE-2023-46604 vulnerability have been observed, with attackers attempting to deliver HelloKitty ransomware.

5. Huntress, a managed detection and response firm, found evidence of zero-day exploitation dating back to at least October 10, but found no further malicious activity during its investigation.

6. Detailed technical information and proof-of-concept code for CVE-2023-46604 are publicly available, which lowers the bar for exploitation, and a Metasploit module automates it.

7. Users are advised to update Apache ActiveMQ to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3 (the fixed release for their branch) to patch the vulnerability.

8. Indicators of compromise (IoCs) for CVE-2023-46604 can be obtained from both Rapid7 and Huntress.

9. This is not the first Apache ActiveMQ vulnerability to be exploited, as a previous vulnerability (CVE-2016-3088) was also leveraged for malicious purposes.

10. The article also mentions other recently exploited vulnerabilities, including the Libwebp and TeamCity flaws, underscoring the importance of patching promptly.

These takeaways provide an overview of the Apache ActiveMQ vulnerability, the exploitation attempts observed, the importance of patching, and related vulnerabilities.
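Deciding whether a given broker needs the update in takeaway 7 is a branch-aware version comparison, not a single threshold: 5.16.7 is fixed while 5.17.5 is not, even though 5.17.5 is the higher number. The following Python check is an added example, not code from the article or from the Apache, Huntress or Rapid7 write-ups. It encodes the four fixed releases named above, treats every release older than 5.15.16 as affected (those branches never received a fix), and pulls the version out of ActiveMQ jar file names such as activemq-client-5.18.2.jar, which is how the version is usually visible on a host; the sample jar paths are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# First non-vulnerable release on each branch named in the advisory
# (takeaway 7). Anything below the oldest fixed release is affected
# regardless of branch, because 5.14 and earlier never received a fix.
FIXED: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED: Version = (5, 15, 16)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; any trailing qualifier is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an ActiveMQ version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if this ActiveMQ release is affected by CVE-2023-46604."""
    v = parse_version(version)
    if v < OLDEST_FIXED:
        return True  # pre-5.15.16 on any branch: no fixed build exists, upgrade
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        # Branch newer than 5.18 (released after the fix): not in the affected list.
        return False
    return v < fixed


# Matches e.g. activemq-client-5.18.2.jar or activemq-openwire-legacy-5.18.2.jar
# (assumed naming pattern of the shipped jars; adjust if your build differs).
JAR_RE = re.compile(r"activemq-(?:[a-z-]+-)?(\d+\.\d+\.\d+)\.jar$")


def version_from_jar(path: str) -> Optional[str]:
    """Extract the ActiveMQ version from a jar path, or None if it is not one."""
    m = JAR_RE.search(path)
    return m.group(1) if m else None


def triage(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each ActiveMQ jar path to whether it is a vulnerable release."""
    result: Dict[str, bool] = {}
    for p in paths:
        ver = version_from_jar(p)
        if ver is not None:
            result[p] = is_vulnerable(ver)
    return result


# Constructed sample: what a file listing from a few brokers might contain.
SAMPLE_JARS = [
    "/opt/apache-activemq-5.18.2/lib/activemq-client-5.18.2.jar",
    "/opt/apache-activemq-5.18.3/lib/activemq-client-5.18.3.jar",
    "/opt/apache-activemq-5.15.15/lib/activemq-broker-5.15.15.jar",
    "/opt/apache-activemq-5.16.7/lib/activemq-openwire-legacy-5.16.7.jar",
    "/opt/apache-activemq-5.14.5/lib/activemq-all-5.14.5.jar",
    "/opt/apache-activemq-5.18.2/lib/jolokia-core-1.7.2.jar",  # not ActiveMQ itself
]

if __name__ == "__main__":
    for path, vuln in triage(SAMPLE_JARS).items():
        print(("VULNERABLE " if vuln else "patched    ") + path)
```

Run it against a real listing with something like `find / -name 'activemq-*.jar'` piped into `triage`; a broker with only pre-5.15.16 jars has no fixed build on its branch and must move to a supported one.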
