
The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.

The flaw, tracked as CVE-2023-46604, is a critical-severity (CVSS v3 score: 10.0) RCE that allows attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol.

The security problem was addressed in a security update on October 25, 2023. However, threat monitoring service ShadowServer reported that, as of October 30, there were still 3,329 internet-exposed servers running a version vulnerable to exploitation.

Yesterday, Rapid7 reported that it had seen at least two distinct cases of threat actors exploiting CVE-2023-46604 in customer environments to deploy HelloKitty ransomware binaries and extort the targeted organizations.

HelloKitty is a ransomware operation that launched in November 2020 and recently had its source code leaked on a Russian-speaking cybercrime forum, making it available to anyone.

The attacks observed by Rapid7 started on October 27, two days after Apache released the security bulletin and fixes, so this appears to be a case of n-day exploitation.

Rapid7 analyzed two MSI files disguised as PNG images, fetched from a suspicious domain, and found that they contain a .NET executable that loads a base64-encoded .NET DLL named EncDLL.

EncDLL is responsible for searching for and stopping specific processes, encrypting files with the RSACryptoServiceProvider function, and appending a ".locked" extension to them.

Some artifacts left behind by these attacks include:

  • Java.exe running with an Apache application as the parent process, which is atypical.
  • Loading of remote binaries named M2.png and M4.png via MSIExec, indicative of malicious activity.
  • Repeated, failed attempts to encrypt files, signaling clumsy exploitation efforts.
  • Log entries in activemq.log showing warnings about transport connections failing due to an aborted connection, which could suggest exploitation.
  • Presence of files or network communications associated with the HelloKitty ransomware, identifiable by specific domains and file hashes.

The Rapid7 report contains information about the latest HelloKitty indicators of compromise, but more comprehensive data on that front can be found in this FBI report focused on the ransomware family.

The latest ShadowServer stats show that there are still thousands of vulnerable ActiveMQ instances out there, so administrators are urged to apply the available security updates as soon as possible.

Vulnerable versions range between 5.15 and 5.18, including Legacy OpenWire Module versions, and are fixed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
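As an added example (not from the article, Rapid7 or the ActiveMQ project), the Python below turns the fixed-version list above into a branch-aware check and scans activemq.log-style lines for the failed-transport warning named in the artifact list; the log line format is an assumption and the sample lines are constructed.

```python
"""Triage helpers for CVE-2023-46604 exposure (added example, not vendor code)."""
import re
from typing import List, Optional, Tuple

# Fixed release for each affected branch, as stated in the article.
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
         (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.18' or '5.18.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version sits below its branch's fix, False if at or above it,
    None for branches the article does not cover (consult the vendor advisory)."""
    v = parse_version(version)
    fix = FIXED.get(v[:2])
    return None if fix is None else v < fix


# Assumed shape of the broker warning; exact wording may differ between releases.
TRANSPORT_FAIL = re.compile(r"\bWARN\b.*Transport Connection to: (\S+) failed", re.I)


def transport_failures(lines: List[str]) -> List[str]:
    """Return the peer address from each failed-transport warning in the log."""
    return [m.group(1) for m in map(TRANSPORT_FAIL.search, lines) if m]


# Constructed sample log lines, not real captures.
SAMPLE_LOG = [
    "2023-10-27 10:41:02,118 | INFO  | Apache ActiveMQ 5.18.2 started | org.apache.activemq.broker.BrokerService",
    "2023-10-27 10:42:17,530 | WARN  | Transport Connection to: tcp://203.0.113.7:51234 failed: java.io.IOException: connection aborted | org.apache.activemq.broker.TransportConnection.Transport",
    "2023-10-27 10:42:19,004 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector",
]

if __name__ == "__main__":
    print("5.18.2 vulnerable:", is_vulnerable("5.18.2"))      # True
    print("failed transports:", transport_failures(SAMPLE_LOG))
```

A hit from transport_failures is only a lead: correlate the peer address and timestamp with the process artifacts listed above before treating it as exploitation.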
