Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.
“Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.”
It’s worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.
The vulnerability affects the following versions –
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Since the bug’s disclosure, a proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from exploitation of CVE-2023-46604.”
\
The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are susceptible to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.
Source: https://thehackernews.com/