November 15, 2023 at 09:45AM
A critical security flaw in Apache ActiveMQ, tracked as CVE-2023-46604, allows threat actors to execute arbitrary code in memory. The flaw has been exploited by ransomware groups, deploying ransomware like HelloKitty and a strain similar to TellYouThePass, as well as a remote access trojan called SparkRAT. The attacks rely on a public proof-of-concept exploit and exploit the ClassPathXmlApplicationContext class to achieve unauthenticated remote code execution. Cybersecurity firm VulnCheck recommends patching ActiveMQ servers and removing them from the internet.
Meeting Takeaways:
– Cybersecurity researchers have discovered a critical security flaw in Apache ActiveMQ that allows arbitrary code execution in memory.
– The vulnerability, tracked as CVE-2023-46604, is a remote code execution bug that enables threat actors to run arbitrary shell commands.
– Apache has released patches for the vulnerability in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
– Ransomware outfits are actively exploiting the vulnerability to deploy ransomware like HelloKitty and a strain similar to TellYouThePass, as well as a remote access trojan called SparkRAT.
– The attacks rely on a public proof-of-concept exploit disclosed on October 25, 2023, utilizing ClassPathXmlApplicationContext to load a malicious XML bean configuration file over HTTP for unauthenticated remote code execution.
– VulnCheck has developed an improved exploit using the FileSystemXmlApplicationContext class and a specially crafted SpEL expression to achieve the same results and obtain a reverse shell.
– Attackers using the exploit could avoid dropping tools to disk, but they need to take additional steps to clean up the forensic trail due to an exception message in the activemq.log file.
– It is crucial to patch ActiveMQ servers and ideally remove them from the internet to mitigate the risk of stealthy attacks using CVE-2023-46604.