The exploitation of a critical security flaw in Apache ActiveMQ, identified as CVE-2023-46604 with a CVSS score of 10.0, has raised significant concerns in the cybersecurity community.
This remote code execution vulnerability allows threat actors to execute arbitrary shell commands and has been actively exploited by ransomware outfits, deploying malware such as HelloKitty and a strain resembling TellYouThePass, as well as a remote access trojan named SparkRAT.
Apache addressed the vulnerability in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3 released in the previous month. The attacks leveraging this flaw have been traced back to a public proof-of-concept (PoC) exploit disclosed on October 25, 2023, and are characterized as noisy by security researchers.
In its new findings, VulnCheck reported that threat actors are using ClassPathXmlApplicationContext, a Spring Framework class bundled with ActiveMQ, to load a malicious XML bean configuration file over HTTP, which gives them unauthenticated remote code execution on the server. Notably, the attackers could have avoided dropping tools to disk by writing their encryptor in Nashorn or by loading a class or JAR into memory, which would have made the attack stealthier. However, this approach triggers an exception message in the activemq.log file, so attackers would have to take additional steps to clean up the forensic trail.
Jacob Baines, Chief Technology Officer at VulnCheck, stresses the importance of patching ActiveMQ servers and of considering whether they need to be exposed to the internet at all. The exploitation of CVE-2023-46604 underscores the need for proactive security measures to reduce the risk of remote code execution and the compromise of affected systems.
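As an added triage example (not code from the article or from VulnCheck), the script below checks a reported ActiveMQ version against the fixed releases named above and scans log lines for the ClassPathXmlApplicationContext indicator. The sample log lines are constructed for illustration; the exact exception text ActiveMQ writes is not given in the article, so only the class name and a remote URL are matched, and branches not listed above are reported as unknown.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Constructed sample activemq.log lines (not real broker output).
SAMPLE_LOG = [
    "2023-11-01 10:00:00,001 | INFO  | Apache ActiveMQ 5.18.2 is starting | main",
    "2023-11-01 10:05:12,345 | WARN  | Transport Connection to: tcp://198.51.100.7:51234 failed | ActiveMQ Transport",
    "2023-11-01 10:05:12,400 | WARN  | Unexpected class org.springframework.context.support."
    "ClassPathXmlApplicationContext with config http://203.0.113.9/bean.xml | ActiveMQ Transport",
]


def parse_version(text):
    """Return (major, minor, patch) from a version string such as '5.18.2'."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(text):
    """True if the version is at or above the fixed release for its branch,
    False if it is below it, None if the branch is not covered by the list."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None  # assumption: unlisted branches need a separate vendor check
    return version >= fixed


def flag_log_lines(lines):
    """Return (line_number, has_remote_url, line) for lines that mention
    ClassPathXmlApplicationContext; a remote http(s) URL raises suspicion."""
    url_pattern = re.compile(r"https?://\S+", re.IGNORECASE)
    hits = []
    for number, line in enumerate(lines, start=1):
        if "ClassPathXmlApplicationContext" in line:
            hits.append((number, bool(url_pattern.search(line)), line))
    return hits


if __name__ == "__main__":
    for version in ("5.18.2", "5.18.3", "5.15.16", "5.14.0"):
        print(version, patch_status(version))
    for number, remote, line in flag_log_lines(SAMPLE_LOG):
        print(f"line {number}: remote URL={remote}: {line}")
```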
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.