Mauri ransomware exploits a vulnerability in Apache ActiveMQ

ISGroup Cybersecurity

Threat actors associated with the Mauri ransomware are exploiting a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, to install CoinMiner and other malicious tools. This remote code execution flaw allows attackers to compromise unpatched ActiveMQ servers, gaining full control over the target system.

Following its public disclosure, the vulnerability has been actively exploited by several groups, including Andariel and the HelloKitty ransomware, with significant attack activity targeting Korean systems.

ProductApache ActiveMQ
Date2024-12-10 16:03:37
Information
  • Fix Available
  • Active Exploitation

Technical Summary

Understanding CVE-2023-46604

CVE-2023-46604 is a remote code execution vulnerability in the Apache ActiveMQ server, an open-source server for messaging and communication patterns. Attackers can perform malicious operations remotely by manipulating serialized class types in the OpenWire protocol.

Exploitation phases:

  • Malicious actors modify packets to include references to XML class configuration files hosted on external URLs.
  • The compromised server loads the attacker’s XML file, enabling actions such as:
  • Installation of malware (e.g., Frpc for use as a reverse proxy).
  • Creation of backdoor accounts (e.g., “adminCaloX1”) with elevated privileges, including RDP access.

Affected versions

Apache ActiveMQ:

  • 5.18.0 – 5.18.2
  • 5.17.0 – 5.17.5
  • 5.16.0 – 5.16.6
  • 5.15.15 or earlier

Apache ActiveMQ Legacy OpenWire Module:

  • 5.18.0 – 5.18.2
  • 5.17.0 – 5.17.5
  • 5.16.0 – 5.16.6
  • 5.8.0 – 5.15.15

Recommendations

System updates:

  • Update Apache ActiveMQ to the latest available version to eliminate the CVE-2023-46604 vulnerability.

System monitoring:

  • Regularly inspect logs for anomalies, particularly those related to OpenWire protocol operations and unusual administrative activities.

Access controls:

  • Restrict external access to ActiveMQ services, using VPNs or IP whitelists to reduce exposure.

Temporary mitigation

  • Disable support for the OpenWire protocol on vulnerable ActiveMQ servers if patching cannot be applied immediately.

[Callforaction-THREAT-Footer]