HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks

The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.

The flaw, tracked CVE-2023-46604, is a critical severity (CVSS v3 score: 10.0) RCE allowing attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol.

The security problem was addressed in a security update on October 25, 2023. However, threat monitoring service ShadowServer reported that, as of October 30, there were still 3,329 internet-exposed servers using a version vulnerable to exploitation.

Yesterday, Rapid7 reported that they had seen at least two distinct cases of threat actors exploiting CVE-2023-46604 in customer environments to deploy HelloKitty ransomware binaries and extort the targeted organizations.

HelloKitty is a ransomware operation that launched in November 2020 and recently had its source code leaked on a Russian-speaking cybercrime forums making it available to anyone.

The attacks observed by Rapid7 started on October 27, two days after Apache released the security bulletin and fixes, so this appears to be a case of n-day exploitation.

Rapid7 analyzed two MSI files disguised as PNG images, fetched from a suspicious domain, and found that they contain a .NET executable that loads a base64-encoded .NET DLL named EncDLL.

EncDLL is responsible for seeking and stopping specific processes, encrypting files with the RSACryptoServiceProvider function, and appending a ".locked" extension to them.

Some artifacts left behind by these attacks include:

Java.exe running with an Apache application as the parent process, which is atypical. Loading of remote binaries named M2.png and M4.png via MSIExec, indicative of malicious activity. Repeated, failed attempts to encrypt files, signaling clumsy exploitation efforts. Log entries in activemq.log showing warnings about transport connections failing due to an aborted connection, which can suggest exploitation. Presence of files or network communications associated with the HelloKitty ransomware, identifiable by specific domains and file hashes.

The Rapid7 report contains information about the latest HelloKitty indicators of compromise, but more comprehensive data on that front can be found in this FBI report focused on the ransomware family.

The latest ShadowServer stats show that there are still thousands of vulnerable ActiveMQ instances out there, so administrators are urged to apply the available security updates as soon as possible.

Vulnerable versions range between 5.15 and 5.18, including Legacy OpenWire Module versions, are fixed in versions are 5.15.16, 5.16.7, 5.17.6, and 5.18.3.