Apache ActiveMQ Vulnerability is Being Actively Exploited
Ransomware operators are exploiting a critical remote code execution flaw in the Apache ActiveMQ message broker. Apache released updates to address the flaw in late October. The exploitation was detected by researchers at Rapid7. The vulnerability affects several versions of Apache ActiveMQ and the Apache ActiveMQ Legacy OpenWire Module.
Yes, patching is important, but also: services like this should be tucked away without so much as a public IP, if possible. The list of services mature organizations expose to the public internet is vanishingly short. If you have more than a VPN, a website, and maybe some APIs available to the internet, it may be time to reexamine business processes.
CVE-2023-46604, CVSS score of 7.5, is a remote code execution flaw that allows an attacker with network access “to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class in the classpath.” In short, insecure object deserialization. Current activity to exploit the vulnerability includes attempts to deploy HelloKitty ransomware. Two steps here: 1) update to a fixed version of ActiveMQ or ActiveMQ Legacy; 2) check for IOCs, including the MSI files named M1.png and M2.png.
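The second step above, checking hosts for the reported IOCs, is worth automating: the dropped MSI files carry a .png extension, so a filename search alone misses renamed copies and a content check catches them. The following is an added example, not code from the article or from Rapid7, that walks a directory and flags any .png file whose header is an OLE2 compound document (the container format MSI packages use) and, separately, any file whose name matches the M1.png/M2.png names quoted above. The magic bytes come from the public PNG and OLE2 format specifications; the sample directory it builds is constructed for the demo. It goes slightly beyond the article by treating any PNG-named OLE2 file as suspect, not only the two reported names.

```python
import os
import tempfile
from pathlib import Path

# Header bytes from the public file-format specifications (not from the article).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# MSI packages are OLE2 compound documents; this is the OLE2 header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# File names quoted in the article as IOCs for this campaign.
SUSPECT_NAMES = {"m1.png", "m2.png"}


def classify(path: Path) -> str:
    """Return 'png', 'ole2' (MSI-style container) or 'other' based on the header."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    return "other"


def find_masqueraded_msi(root: Path) -> list:
    """Walk root; report .png files whose content is an OLE2/MSI container
    and any file carrying one of the campaign's reported names."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = classify(p)
            reasons = []
            if p.suffix.lower() == ".png" and kind == "ole2":
                reasons.append("png extension but OLE2/MSI header")
            if name.lower() in SUSPECT_NAMES:
                reasons.append("filename matches reported IOC")
            if reasons:
                findings.append(
                    {"path": str(p), "name": name, "kind": kind, "reasons": reasons}
                )
    return findings


def build_sample_tree() -> Path:
    """Constructed sample directory so the example runs stand-alone."""
    root = Path(tempfile.mkdtemp(prefix="activemq-ioc-"))
    (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)   # benign image
    (root / "M1.png").write_bytes(OLE2_MAGIC + b"\x00" * 16)    # MSI disguised as PNG
    (root / "notes.txt").write_bytes(b"plain text")             # unrelated file
    sub = root / "tmp"
    sub.mkdir()
    (sub / "m2.png").write_bytes(PNG_MAGIC + b"\x00" * 16)      # IOC name, but a real PNG
    return root


def demo() -> list:
    """Build the constructed tree and return the findings for it."""
    return find_masqueraded_msi(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["kind"], "; ".join(f["reasons"]))
```

Point find_masqueraded_msi at the ActiveMQ installation directory and the system temp directory of each broker host; a hit on the header check is the stronger signal, since the reported filenames are trivially changed between campaigns.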
Although message queues should be internal, there are plenty of readily available targets on the internet. Many appear in Aliyun (Alibaba Cloud), which may stem from a configuration issue in a standard MQ rollout. It should be noted that these message queuing systems are quite often used with larger applications, which makes the attack surface attractive.
Read more in
Bleeping Computer: 3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online
Apache: Security Advisories
Apache: ActiveMQ 5 Download