Critical Apache ActiveMQ flaw under attack by 'clumsy' ransomware crims

Over a week later and barely any patches for the 10/10 vulnerability have been applied


Security researchers have confirmed that ransomware criminals are capitalizing on a maximum-severity vulnerability in Apache ActiveMQ.

Announced on October 25 and tracked as CVE-2023-46604, the insecure deserialization vulnerability allows for remote code execution (RCE) on affected versions.

"Apache ActiveMQ is vulnerable to remote code execution," Apache said in its advisory. "The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath."

The developers released fixes for the affected versions on the same day, with users all urged to upgrade as soon as possible.

Affected versions include:

Security shop Rapid7 has now published its own investigation into active exploitation of the issue on two of its customers' environments, revealing that both had been targeted with ransomware.

"Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October," it said.

"Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ."

Attribution for the attack hasn't been firmly pinned on HelloKitty or one of its affiliates. There remains a possibility that a lone attacker could have used the source code of the group's 2020 variant that was leaked last month in the attacks.

The experts' assessment of the attempts to deploy ransomware was that they were "clumsy." Rapid7 said more than half a dozen attempts to encrypt files were made, all of which were unsuccessful, indicating that a potentially low-skilled individual was behind the attacks.

Internet security non-profit Shadowserver started tracking vulnerable Apache ActiveMQ services on October 30 and found that almost half of all reachable services (3,329) were vulnerable to CVE-2023-46604.

The most recent available reading, taken November 1, shows that just 105 services have been patched, leaving considerably more than 3,000 still open to attacks.

The majority of vulnerable services are based in China, with 1,349 still unpatched. The next most vulnerable nation is the US with 530, then Germany with 154.

HelloKitty in brief

The HelloKitty group is perhaps most infamous for its 2021 attack on CD Projekt Red. HelloKitty reportedly sold the company's data – which was claimed to include source code for its flagship games – to an unnamed bidder following an auction, the buyout sum for which was set at $7 million.

According to Emsisoft researchers, the data was sold under the condition that it would not be leaked by the buyer, though they said the more likely scenario is that no one wanted to buy the data and HelloKitty instead falsely claimed it was sold to save face. Months later, the video game publisher became aware that its data was circulating online.

First spotted in 2020, the group is mainly known for targeting smaller businesses, according to SentinelOne, and changes its tooling and tactics regularly.

It was originally thought to target Windows machines only, but in 2021 a Linux variant was spotted in the wild, a discovery that led researchers to find earlier Linux versions dating back to around the group's formation.

A now-removed data breach disclosure at an Oregon healthcare company previously revealed that the Federal Bureau of Investigation believed the group to be operating out of Ukraine, but neither the FBI nor any security experts have officially attributed the group to individuals in the country. ®
