CVE-2023-46604 Detection: HelloKitty Ransomware Maintainers Exploits RCE Vulnerability in Apache ActiveMQ

At the turn of November, hot over the heels of disclosing CVE-2023-43208, the Mirth Connect vulnerability, another security bug comes to the scene. Defenders notify the global community of a newly uncovered the highest severity RCE bug that affects Apache ActiveMQ products.

Detect CVE-2023-46604

With emerging vulnerabilities being a juicy target for adversaries seeking to weaponize bugs for future attacks, security professionals require a reliable source of detection content to stay on top of new threats and defend proactively. SOC Prime Team has recently released a curated Sigma rule aimed to identify possible CVE-2023-46604 exploitation attempts, a critical bug in Apache ActiveMQ being actively exploited in the wild by ransomware operators. 

Possible CVE-2023-46604 (Apache ActiveMQ Remote Code Execution) Exploitation Indicators (via keywords)

The rule above helps to detect malicious activity associated with CVE-2023-46604 exploitation attempts. The detection is compatible with 15 SIEM, EDR, XDR, and Data Lake formats and mapped to MITRE ATT&CK framework addressing Privilege Escalation tactics, with Exploitation for Privilege Escalation (T1068) as a main technique.

To explore the entire collection of Sigma rules for trending CVEs, dive into our Threat Detection Marketplace repo which aggregates thousands of curated detections accompanied by extensive metadata, ATT&CK and CTI references, triage recommendations, and other relevant details. Just hit the Explore Detections button below and drill down to the detection rule set to assist in your threat investigation.

Explore Detections

CVE-2023-46604 Description

An inquiry by Rapid7 unveils potential exploitation attempts of a new RCE flaw in Apache ActiveMQ tracked as CVE-2023-46604 in two separate client settings. Possessing the CVSS score of 10.0, the uncovered security flaw poses severe risks to the compromised users. 

Attackers attempted to install ransomware binaries on the impacted devices, with the intention of extorting the targeted organizations. Researchers link the malicious activity with the HelloKitty ransomware operators based on the ransom note and the proof they gained throughout the investigation related to the group’s leaked source code a month ago. 

CVE-2023-46604 enables a remote actor, with network access to a broker, to execute arbitrary shell commands. This could be achieved by abusing serialized class types within the OpenWire protocol, prompting the broker to create instances of any class available on the classpath. After successfully exploiting CVE-2023-46604, adversaries proceed to load remote binaries named using the Windows Installer. They both contain a 32-bit .NET executable named “dllloader,” which in turn, loads a Base64-encoded payload that acts similarly to ransomware. 

The PoC exploit code for CVE-2023-46604 is also released on GitHub. Defenders state that currently over 3,000 ActiveMQ installations might be exposed to the CVE-2023-46604 exploitation attempts. Rapid7 researchers have also issued in-depth technical highlights of CVE-2023-46604 in AttackerKB, covering the exploit details and remediation measures. 

According to Apache’s advisory, to mitigate the threat, potentially affected users are urged to install the software version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 with available fixes for the issue.

Due to the active exploitation of CVE-2023-46604 and the PoC public disclosure, defenders need ultra-responsiveness to minimize the risks. Explore SOC Prime’s Threat Detection Marketplace to keep up with the most up-to-date detection algorithms for any CVEs, the latest attacker TTPs, and tailored threat intelligence linked to the detection content for enhanced cybersecurity posture.