Article Details

Scrape Timestamp (UTC): 2023-11-15 13:51:01.410

Source: https://thehackernews.com/2023/11/new-poc-exploit-for-apache-activemq.html

Original Article Text


New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar

Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands. It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month.

The vulnerability has since come under active exploitation by ransomware outfits to deploy HelloKitty, a strain that shares similarities with TellYouThePass, and a remote access trojan called SparkRAT.

According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit originally disclosed on October 25, 2023. The attacks have been found to use ClassPathXmlApplicationContext, a class that is part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.

VulnCheck, which characterized that method as noisy, has engineered a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the "init-method" attribute to achieve the same result and even obtain a reverse shell.

"That means the threat actors could have avoided dropping their tools to disk," VulnCheck said. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident."

However, it's worth noting that doing so triggers an exception message in the activemq.log file, necessitating that the attackers also take steps to clean up the forensic trail.
"Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it's become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely," the cybersecurity firm said.
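The article names the first fixed release on each ActiveMQ branch. The following triage helper, added here as an example (not code from VulnCheck, Apache or The Hacker News), classifies version strings from an inventory against those fix versions so a team can see which brokers still need patching or isolating. Everything it assumes beyond the article is marked: branches older than 5.15 received no fix and are treated as vulnerable, branches newer than 5.18 are treated as fixed, and the hostnames in the inventory are constructed.

```python
"""Triage Apache ActiveMQ version strings against the CVE-2023-46604 fix
versions named in the article (5.15.16, 5.16.7, 5.17.6, 5.18.3).

Added example; not the code of VulnCheck, Apache or the article's author.
"""

import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, exactly as stated in the article.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Matches the first dotted numeric triple anywhere in a banner or package
# string ("5.18.2", "ActiveMQ 5.15.9", "v5.16.7"). Pre-release suffixes
# such as "-SNAPSHOT" are ignored and the version is treated as the release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from free-form text, or None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if unpatched for CVE-2023-46604, False if fixed, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison: anything below the branch's fix release is unpatched.
        return v < FIXED_BY_BRANCH[branch]
    if v < (5, 15, 0):
        # Assumption: branches older than 5.15 got no fix, so treat as vulnerable.
        return True
    # Assumption: a branch newer than 5.18 was cut after the fix, so treat as fixed.
    return False


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version_string) pair to an actionable status label."""
    labels = {
        True: "VULNERABLE - patch or take offline",
        False: "fixed",
        None: "unknown version - verify manually",
    }
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("broker-a", "5.15.9"),
    ("broker-b", "5.16.7"),
    ("broker-c", "ActiveMQ 5.18.2"),
    ("broker-d", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the version column from an asset inventory or the banner returned by the broker's web console; anything labelled unknown still needs a hands-on check rather than being assumed safe.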

Daily Brief Summary

CYBERCRIME // Stealth Exploit for Critical Apache ActiveMQ Vulnerability

A newly discovered technique allows attackers to execute code in memory by exploiting a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604.

The flaw carries a CVSS score of 10.0 and was patched in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3, but it is being actively exploited by ransomware groups.

Ransomware such as HelloKitty and a variant akin to TellYouThePass, along with SparkRAT, a remote access trojan, have been deployed using this vulnerability.

Researchers at VulnCheck have developed an improved exploit that remains memory-resident, making it more stealthy and capable of obtaining a reverse shell.

The public PoC loads a malicious XML bean configuration over HTTP through ClassPathXmlApplicationContext; VulnCheck's variant instead uses FileSystemXmlApplicationContext with an embedded SpEL expression, so the payload need never be written to disk.

Though the exploit is discreet, it still triggers an exception message in the activemq.log file, which requires attackers to clean up to avoid forensic detection.

Security professionals are urged to patch their ActiveMQ servers and consider removing them from public internet access to mitigate the risk of this stealthy exploit.