Mauri Ransomware Exploits Apache ActiveMQ Flaw (CVE-2023-46604)
The AhnLab Security Intelligence Response Center (ASEC) has revealed that threat actors exploiting a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, have begun deploying Mauri ransomware in their attacks. This vulnerability allows attackers to execute malicious commands remotely on unpatched servers, potentially leading to data breaches, system compromises, or ransomware deployments.
Apache ActiveMQ is a popular open-source messaging server. CVE-2023-46604 is a remote code execution vulnerability that arises when attackers manipulate the serialized class type in the OpenWire protocol to load malicious XML configuration files. As ASEC notes, “If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and dominate the target system.”
This vulnerability has been actively exploited by several threat groups, including Andariel, the operators of HelloKitty ransomware, and now those deploying Mauri ransomware. Unpatched systems remain highly vulnerable, with attackers installing tools like CoinMiners, AnyDesk, and the z0Miner malware in addition to deploying ransomware.
ASEC reports that Mauri ransomware, known for its file-encrypting capabilities, is being distributed via compromised ActiveMQ servers. The infection chain begins with a targeted attack exploiting CVE-2023-46604, enabling attackers to gain remote access and install malicious software. Mauri ransomware encrypts files with AES-256 in CTR mode and appends the .locked extension. Victims are greeted with ransom notes named “READ_TO_DECRYPT.html” or “FILES_ENCRYPTED.html.”
Although the Mauri ransomware source code is publicly available for research, threat actors have customized it for active campaigns. “Several configuration data, such as wallet addresses, Telegram addresses, and encryption settings, have already been altered by the threat actor,” ASEC highlights.
Threat actors utilizing this vulnerability don’t rely solely on ransomware. ASEC identified additional methods to maintain persistence and access:
- Backdoor Accounts: Attackers created hidden accounts, such as “adminCaloX1,” to enable Remote Desktop Protocol (RDP) access and maintain control over infected systems.
- Remote Access Trojans: Quasar RAT, a .NET-based open-source malware, was deployed to steal credentials, enable keylogging, and execute commands on compromised systems.
- Proxy Tools: Fast Reverse Proxy (FRP) was used to expose infected systems behind NAT or firewalls, facilitating remote connections to RDP services.
To protect against these attacks, ASEC recommends:
- Patch Vulnerable Systems: Ensure all Apache ActiveMQ instances are updated to secure versions. Vulnerable versions include 5.18.0–5.18.2, 5.17.0–5.17.5, 5.16.0–5.16.6, and earlier.
- Restrict External Access: Use firewalls to limit exposure of servers to external threats.
- Monitor for Suspicious Activity: Implement endpoint security measures to detect unauthorized access or the creation of hidden accounts.
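As an added illustration of the last two recommendations (this is example code, not ASEC's), the helpers below check an ActiveMQ version banner against the vulnerable ranges quoted above and scan a directory tree for the Mauri indicators the article names (the two ransom note filenames and the .locked extension). The sample directory tree in `demo()` is constructed for the example; because the article says "and earlier", every version below 5.16.0 is conservatively treated as vulnerable.

```python
# Added triage helpers (not ASEC's code): version check against the ranges the
# article lists, plus a scan for the Mauri ransom notes and .locked extension.
import re
import tempfile
from pathlib import Path

# Vulnerable ranges quoted in the article: 5.18.0-5.18.2, 5.17.0-5.17.5,
# 5.16.0-5.16.6 "and earlier"; anything below 5.16.0 is treated as vulnerable.
VULNERABLE_RANGES = [
    ((5, 18, 0), (5, 18, 2)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 16, 0), (5, 16, 6)),
]
OLDEST_COVERED = (5, 16, 0)
RANSOM_NOTES = {"READ_TO_DECRYPT.html", "FILES_ENCRYPTED.html"}
LOCKED_EXT = ".locked"

def parse_version(text):
    """Pull a (major, minor, patch) tuple out of a version string or banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable_version(text):
    """True if the ActiveMQ version lies in a range the article calls vulnerable."""
    v = parse_version(text)
    return v < OLDEST_COVERED or any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def find_mauri_indicators(root):
    """Return ransom notes and .locked files found under root (host-side triage)."""
    notes, locked = [], []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name in RANSOM_NOTES:
            notes.append(str(p))
        elif p.is_file() and p.suffix == LOCKED_EXT:
            locked.append(str(p))
    return {"ransom_notes": sorted(notes), "locked_files": sorted(locked)}

def demo():
    """Scan a constructed sample tree; returns (note_count, locked_count) = (1, 1)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "docs").mkdir()
        Path(tmp, "docs", "report.xlsx.locked").write_bytes(b"\x00" * 16)
        Path(tmp, "docs", "READ_TO_DECRYPT.html").write_text("<html>note</html>")
        Path(tmp, "clean.txt").write_text("untouched")
        found = find_mauri_indicators(tmp)
        return len(found["ransom_notes"]), len(found["locked_files"])
```

Run `is_vulnerable_version` on the output of `activemq --version` from each broker, and point `find_mauri_indicators` at the data volumes of a suspected host; either hit should be escalated to incident response.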