With a very large deployment base, the Apache ActiveMQ and a ransomware group, Hello Kitty targeting it, CVE-2023-46604, have raised the alert, and both applications security experts and vulnerability management team should be aware of this vulnerability as is nested in dependencies and native systems. With a recent increase of exploitation since Exploit was published, CISA KEV and IBM joint advisory for nation-state-sponsored ransomware group Hello Kitty using this vulnerability, the alert should raise
With the recent exploitation of Atlassian, Cisco XE, Curl, Http/2, and many others, the end of the year feels like an endless sprint, except the hurdles are Zero-Day exploits, and the runners are cybersecurity professionals.
Data Visualization of and exploitation in various datasets and in the wild
To discover this and other vulnerabilities exploited in the wild and the data behind it explore
CVE-2023-46604 has raised the alert on application security community and vulnerability management. The recent publication of advisories from vulnerability management and application security teams from NHS digital and active exploitation has raised the alert.
The vulnerability affecting Apache ActiveMQ, identified as CVE-2023-46604, on October 27, 2023. This vulnerability has not only highlighted the critical need for robust vulnerability management but has also exposed the relentless ingenuity of cyber adversaries. This blog post aims to dissect the CVE-2023-46604 vulnerability, its exploitation, and the imperative measures organizations must adopt to shield their applications and data from such cyber onslaughts.
The Discovery of CVE-2023-46604:
On a seemingly ordinary Friday, the cybersecurity world was put on high alert as Rapid7 reported suspected exploitation of CVE-2023-46604. This remote code execution vulnerability, resulting from insecure deserialization within Apache ActiveMQ, could allow attackers to run arbitrary shell commands, leading to full system compromise.
The Mechanics of CVE-2023-46604:
CVE-2023-46604 is not your run-of-the-mill vulnerability; it’s a convoluted one with its roots in the insecure deserialization of the OpenWire protocol. Attackers cleverly manipulate serialized class types, causing the broker to instantiate any class on the classpath, leading to the execution of malicious commands.
During a successful exploitation of the vulnerability, Java.exe will contain the specific Apache application being targeted — in this case, D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64The adversary attempt a Post-exploitation, rapid 7 observed, load remote binaries named M2.png and M4.png using MSIExec.
Understanding CVE-2023-46604 :
If you are running Apache ActiveMQ, patches are available to address CVE-2023-46604 for the following versions: 5.15.16, 5.16.7, 5.17.6, and 5.18.3. To determine the version of ActiveMQ you are running, a command line tool is available. The version will be listed by running the command activemq –version.
Patches can be found here: https://activemq.apache.org/components/classic/download/
If you cannot patch these systems, you should immediately block the systems from being accessible from the Internet, which will significantly limit the attack surface.
Apache Active MQ Affected Versions by CVE-2023-46604 :
Apache disclosed the vulnerability and released new versions of ActiveMQ on October 25, 2023. Proof-of-concept exploit code and vulnerability details are both publicly available.
Affected Products
According to Apache’s advisory, CVE-2023-46604 affects the following:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Apache Active MQ Remediation:
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
The HelloKitty Ransomware Connection:
Exploit origin and ransomware are linked to HelloKitty ransomware group. The HelloKitty group is perhaps most infamous for its 2021 attack on CD Projekt Red. HelloKitty reportedly sold the company’s data – which was claimed to include source code for its flagship games – to an unnamed bidder following an auction, the buyout sum set at $7 million.
The HelloKitty ransomware family, notorious for its disruptive antics, was linked to this vulnerability. With its source code leaked just a month prior, the ransomware was observed encrypting files and demanding ransom through a note that pointed to a specific email address for communication.
Decoding the CVE-2023-46604 Exploit Code and active exploitation:
The official exploit, published on 27, with the poc published shortly after led to an increased exploitation activity of CVE-2023-46604
- EPSS: Low 0.00053 (new)
- Base 8.6 (rescored)
- CTI 1.72 (low)
Shadowserver has seen an increase in exploitation since the publication of explotis; the increase of exploitation is also confirmed from Shadowserver:
With a large distribution of systems using ActiveMQ embedded version of Apache, the ransomware group could cause automated ransomware deployment at scale, with the majority in China.
| Number of active Exploited Apache Systems | |
|---|---|
 Vulnerable ActiveMQ servers as of October 30 (ShadowServer) |  Vulnerable ActiveMQ servers as of October 30 (Shodan) |
Indicators of Compromise for Apache ActiveMQ CVE-2023-46604
Rapid7’s analysis provided a glimpse into the attacker’s modus operandi, including the use of Java.exe and the deployment of remote binaries disguised as innocuous .png files. The indicators of compromise (IoCs) were clear, from specific IP addresses to file hashes, painting a picture of the attack’s digital footprint.
The investigation detected a number of attacking IP addresses for CVE-2023-46604 and available public exploit code. This is an example of an exploitation result nonetheless, please note that the log can be modified after a successful exploitation
2023-10-31 05:04:58,736 | WARN | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
In the above example, the attacker’s (i.e., the researcher’s) IP was 192.168.86.35, and the target TCP port was 61616. More or less information may be available depending on the logging settings, which can be modified.
Other IOCs:
- http://172.245.16[.]125/m2.png
- http://172.245.16[.]125/m4.png
Conclusion
CVE-2023-46604 is a stark reminder of the dynamic and perilous nature of cybersecurity and the compromise of the digital supply chain.
Organisations must adopt a proactive stance, staying abreast of the latest threats and fortifying their defences with both technology and awareness. By understanding the intricacies of such vulnerabilities, who owns which assets, and which system is more exposed to those attacks, organizations can react fast and raise the alert when needed.
How Phoenix Security Can Help
Phoenix Security is a comprehensive security solutions like ASPM and vulnerability management that can cover vulnerabilities from code to the cloud are essential to accelerate vulnerability management and scaling. Phoenix Security is here to automatically ingest vulnerabilities from code to cloud and prioritize vulnerabilities at scale. Phoenix also communicates the timeframe for resolution for the government organizations that must comply with CISA and related regulations.
Phoenix Security serves as a beacon for security professionals aiming to pinpoint the CISA kev and ransomware-related exploits within their systems. It meticulously scans your product, identifying instances where the CISA kev vulnerability may be affected. By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.
Get a Free Assessment today
Previous Issues of Vulnerability Weekly
- Critical vulnerability F5
- How to update curl and libcurl without panic fixing
- Critical Vulnerabilities in Atlassian Confluence: Zero-Day
- Detect & Mitigate HTTP/2: Rapid Reset Vulnerabilities
- Understanding the libcue Vulnerability CVE-2023
- Understanding and fixing Curl and libcurl
- CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) details on vulnerability timeline and compromise
- MOVEit Transfer breach, Zellis compromise CVE-2023-34362
Other Useful resources
Data Visualization of vulnerabilities in the wild
CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
Exploit in the wild: https://phoenix.security/what-is-exploitability/
OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/
