Apache ActiveMQ Servers Exploited by HelloKitty Ransomware

HelloKitty Ransomware Apache ActiveMQ

In the ever-evolving landscape of cyber threats, a new alarm has been sounded for Apache ActiveMQ server administrators. Rapid7’s Managed Detection and Response team has identified active exploitations leveraging the CVE-2023-46604 vulnerability, casting a shadow over the digital security of various organizations. With stealth and precision, the attackers deployed their ransomware binaries, ushering in chaos and the imminent threat of organizational paralysis.

On Friday, October 27, two distinct customer environments became the playground for cyber felons. Their weapon of choice? The notorious HelloKitty ransomware, whose blueprints had seeped into the dark crevices of the internet earlier that month. The similarity in the modus operandi across these incidents pointed to a chilling reality—the vulnerability was a ticking time bomb in systems housing outdated ActiveMQ versions.

Apache disclosed the vulnerability and released new versions of ActiveMQ on October 25, 2023. Proof-of-concept exploit code and vulnerability details are both publicly available.

Patchwork against the digital storm was made available, with recommended upgrade targets spanning versions 5.15.16 to 5.18.3. The exploitation pattern was consistent—Java.exe would betray the presence of the vulnerable application, with D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64 often seen as the unwitting host to the malicious process.

Security researchers at Rapid7 have observed hackers exploiting the vulnerability to deploy the HelloKitty ransomware on target systems. The ransomware is distributed as MSI files named M2.png and M4.png, which are loaded using MSIExec. Once loaded, the ransomware encrypts specific file extensions using the RSACryptoServiceProvider function and appends the .locked extension to encrypted files.

Rapid7 has also observed that the ransomware attempts to communicate with an HTTP server at 172.245.16[.]125. The ransomware note indicates that communications should occur through the email address service@hellokittycat[.]online.
Rapid7’s analysis of the suspect MSI files—masquerading as harmless images—revealed a cunningly disguised .NET executable named dllloader. This executable was the chariot carrying the EncDLL binary, a payload with a purpose akin to ransomware. It executed a systematic search and halt of processes, brandishing the RSACryptoServiceProvider function to lock files away, beyond reach.

To protect yourself from Apache ActiveMQ CVE-2023-46604, you should upgrade to the latest version of ActiveMQ as soon as possible.