Attackers have begun exploiting a critical remote code execution vulnerability patched last week in Apache ActiveMQ to deploy ransomware in enterprise networks. Users are urged to upgrade the software as soon as possible. “Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments,” researchers from security firm Rapid7 said in a report. “In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations.”
Based on the ransom note left behind and other details of the attack, Rapid7 believes the attackers deployed the HelloKitty ransomware program, whose source code was leaked on underground forums earlier this month.
A critical Java deserialization flaw
Apache ActiveMQ is a Java open-source message broker that supports multiple transmission protocols for transferring messages and data between different applications and clients written in various programming languages. It is a popular middleware used in developing enterprise software solutions.
On October 25, the developers of ActiveMQ released security updates to patch a critical vulnerability tracked as CVE-2023-46604 that can lead to remote code execution. Vulnerability details and a proof-of-concept exploit have since been posted online by security researchers. “The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” the official advisory reads.
According to Rapid7, the flaw stems from insecure deserialization. Serialization is the conversion of data into a binary format for transmission over the wire and is a common technique used in Java applications. Deserialization is the reversal of that process that happens on the receiving end, and if the original input is not properly sanitized, it can lead to security issues. Java deserialization is its own class of vulnerabilities that has grown in prominence in recent years, with many projects affected by such flaws.
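The following is an added example, not code from ActiveMQ, Rapid7 or the article, that shows the general class of bug described above in plain Java: an unfiltered ObjectInputStream will instantiate whatever class the incoming byte stream names, while an allowlist filter (java.io.ObjectInputFilter, available since Java 9) lets the receiving side reject anything it did not expect. OpenWire uses its own marshalling rather than standard Java serialization, so this illustrates the principle, not the ActiveMQ code path; the OrderMessage and UnexpectedType classes are constructed for the demonstration.

```java
import java.io.*;

/**
 * Added example (not ActiveMQ or Rapid7 code): contrasts unfiltered Java
 * deserialization with an allowlist-filtered one. The classes below are
 * constructed for this demonstration only.
 */
public class DeserializationFilterDemo {

    /** The payload type the receiver actually expects (constructed). */
    public static final class OrderMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        OrderMessage(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    /** Stands in for any other class that happens to be on the classpath (constructed). */
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        // readObject runs automatically while the stream is being deserialized,
        // which is why a receiver must control which classes it is willing to load.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("UnexpectedType.readObject ran during deserialization");
        }
    }

    /** Helper: standard Java serialization of an object to bytes. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unsafe: any class named in the byte stream is resolved and instantiated. */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened: only the listed classes may be deserialized; the trailing "!*"
     * rejects every other class before any of its code can run.
     */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            OrderMessage.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderMessage("SKU-1", 3));
        byte[] unexpected = serialize(new UnexpectedType());

        // Without a filter both streams are accepted, and UnexpectedType's readObject runs.
        System.out.println("unfiltered: " + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getSimpleName());

        // With the allowlist the expected type still works and the other is rejected
        // with an InvalidClassException before its readObject is ever invoked.
        System.out.println("filtered:   " + readFiltered(expected).getClass().getSimpleName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The same allowlist can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is the usual way to cover third-party code that creates its own ObjectInputStream instances; the filter does not help with custom wire formats such as OpenWire, where the equivalent control has to live in the protocol's own unmarshalling code.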
The HelloKitty ransomware
HelloKitty is a ransomware program that first appeared in 2020 and has been used in several high-profile attacks, including one against game studio CD Projekt Red in February 2021, when attackers claimed to have stolen the source code for several popular video games including Cyberpunk 2077, The Witcher 3, and Gwent.