HelloKitty Group Exploits Vulnerability in Apache ActiveMQ with Ransomware

Ivan Knight
2 min read · Nov 15, 2023


Cybersecurity researchers have issued a serious warning about the alleged exploitation of a recent critical vulnerability in the Apache ActiveMQ open source message brokering service, which could result in remote code execution.

“In both cases, the adversary attempted to deploy ransomware binaries on the targeted systems in an effort to blackmail the victim organisations,” cybersecurity firm Rapid7 revealed in a report published on Wednesday.

“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”

The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to execute arbitrary shell commands.

It is important to note that the vulnerability has a CVSS score of 10.0, the highest possible severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month.

The successful exploit is followed by the adversary’s attempt to load remote binaries called M2.png and M4.png using the Windows Installer (msiexec).

Both MSI files contain a 32-bit .NET executable called dllloader which, in turn, loads a Base64-encoded payload called EncDLL. EncDLL behaves like typical ransomware: it searches for and terminates a specific set of processes before starting encryption and appending the “.locked” extension to the encrypted files.

The Shadowserver Foundation reported finding 3,326 Internet-accessible instances of ActiveMQ susceptible to CVE-2023-46604 as of 1 November 2023. Most of the vulnerable servers are located in China, the United States, Germany, South Korea and India.

Given the active exploitation of the vulnerability, users are advised to upgrade to the fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.
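As a starting point for the upgrade check above, the following is an added example (not code from the article, Rapid7 or the ActiveMQ project) that triages an inventory of broker versions against the four fixed releases named in this post. The host names and versions are constructed sample data, and treating branches older than 5.15 as affected, and branches newer than 5.18 as outside this advisory, are assumptions of the example.

```python
import re
from typing import Optional

# Fixed releases named in the advisory for CVE-2023-46604, keyed by minor branch.
FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
EARLIEST_FIXED_BRANCH = (5, 15)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Parse 'major.minor.patch' from a banner or inventory string; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the fix, False if it is affected,
    None if this advisory does not cover the branch (unparseable or 5.19+)."""
    v = parse_version(version)
    if v is None:
        return None
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v >= FIXED_RELEASES[branch]
    if branch < EARLIEST_FIXED_BRANCH:
        # Assumption: branches older than 5.15 received no fix, so treat them as affected.
        return False
    return None


def triage(inventory):
    """Split (host, version) pairs into hosts needing an upgrade and hosts not covered."""
    affected, unknown = [], []
    for host, ver in inventory:
        status = is_patched(ver)
        if status is False:
            affected.append(host)
        elif status is None:
            unknown.append(host)
    return affected, unknown


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("broker-a.example.internal", "5.18.2"),
    ("broker-b.example.internal", "5.18.3"),
    ("broker-c.example.internal", "5.15.15"),
    ("broker-d.example.internal", "5.17.6"),
    ("broker-e.example.internal", "5.14.5"),
    ("broker-f.example.internal", "5.19.0"),
]

if __name__ == "__main__":
    affected, unknown = triage(SAMPLE_INVENTORY)
    print("needs upgrade:", affected)
    print("not covered by this advisory:", unknown)
```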

In the ever-evolving landscape of cybersecurity threats, a new chapter unfolds as researchers uncover a critical security flaw in the widely used Apache ActiveMQ open source message brokering service.

This vulnerability, if exploited, can lead to the ominous prospect of remote code execution. In this article, we will delve into the details of the HelloKitty ransomware group’s suspected exploitation of this flaw, shedding light on the potential risks and consequences.

Conclusion

The HelloKitty ransomware group’s exploitation of the Apache ActiveMQ vulnerability highlights the ongoing challenges in the realm of cybersecurity. The interconnectedness of threats and the adaptability of adversaries reinforce the importance of proactive measures.

Organizations must prioritize timely patching and cybersecurity best practices to mitigate the risks posed by such exploits.
