Apache ActiveMQ logo

Apache ActiveMQ vulnerability used in ransomware attacks

On the 27 October, the Apache Software Foundation (ASF) announced a very serious vulnerability in Apache ActiveMQ that can be used to achieve remote code execution (RCE). The Cybersecurity and Infrastructure Security Agency has now added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by November 11, 2023 in order to protect their devices against active threats.

The catalog is a list of vulnerabilities criminals are actively using, so everyone else should act swiftly to patch or mitigate the problem. In this case the criminals are, or at least include, the HelloKitty ransomware group, also known as FiveHands ransomware. The group was first seen in November 2020 and typically uses the double extortion method of both stealing and encrypting data.

The ASF describes the vulnerability as follows:

The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Apache ActiveMQ® is “middleware”, a popular open source, multi-protocol, Java-based message broker. Message brokers like this are often found in enterprise systems where they are used to create reliable communication between different applications and system components. OpenWire is a protocol designed to work with message-oriented middleware. It is the native wire format of ActiveMQ.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE in Apache ActiveMQ is listed as:

CVE-2023-46604 (CVSS3 score 10 out of 10): because OpenWire commands are unmarshalled, by manipulating serialized class types in the OpenWire protocol an attacker could cause the broker to instantiate any class on the classpath. The classpath is a parameter in the Java Virtual Machine or the Java compiler that specifies the location of user-defined classes and packages. This caused a deserialization of untrusted data vulnerability. To fix the issue it was necessary to improve the Openwire marshaller validation test.

To successfully exploit this vulnerability, three things are required:

  • Network access
  • A manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter)
  • A class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter.

A security update to patch the vulnerability was available on October 25, 2023, but as of October 30, there were still 3,329 internet-exposed servers using a version vulnerable to exploitation. Users are recommended to upgrade Apache ActiveMQ to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. Users of both “Classic” and “Artemis” are recommended to upgrade.

A lot of Indicators of Compromise (IOCs) can be found in this FBI report.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.