TellYouThePass ransomware joins Apache ActiveMQ RCE attacks

Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day.

The flaw, tracked as CVE-2023-46604, is a maximum severity bug in the ActiveMQ scalable open-source message broker that enables unauthenticated attackers to execute arbitrary shell commands on vulnerable servers.

While Apache released security updates to fix the vulnerability on October 27, cybersecurity companies ArcticWolf and Huntress Labs found that threat actors have been exploiting it as a zero-day to deploy SparkRAT malware for over two weeks, since at least October 10.

According to data from the threat monitoring service ShadowServer, there are currently more than 9,200 Apache ActiveMQ servers exposed online, with over 4,770 vulnerable to CVE-2023-46604 exploits.

Since Apache ActiveMQ is used as a message broker in enterprise environments, applying the security updates should be considered time-sensitive.

Admins are advised to patch all vulnerable systems immediately by upgrading to ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

Servers unpatched against CVE-2023-46604 (ShadowServer)

Targeted by ransomware gangs

One week after Apache patched this critical ActiveMQ vulnerability, Huntress Labs and Rapid7 both reported spotting attackers exploiting the bug to deploy HelloKitty ransomware payloads on customers' networks.

The attacks observed by both cybersecurity companies' security researchers started on October 27, just days after Apache released security patches.

Arctic Wolf Labs revealed in a report published one day later that threat actors actively exploiting the CVE-2023-46604 flaw also use it for initial access in attacks targeting Linux systems and pushing TellYouThePass ransomware.

The security researchers also found similarities between the HelloKitty and TellYouThePass attacks, with both campaigns sharing "email address, infrastructure, as well as bitcoin wallet addresses."

"Evidence of exploitation of CVE-2023-46604 in the wild from an assortment of threat actors with differing objectives demonstrates the need for rapid remediation of this vulnerability," Arctic Wolf researchers warned.

TellYouThePass ransomware has seen a massive and sudden spike in activity after Log4Shell proof-of-concept exploits were released online two years ago.

With its return as a Golang-compiled malware in December 2021, the ransomware strain also added cross-platform targeting capabilities, making it possible to attack Linux and macOS systems (macOS samples are yet to be spotted in the wild).