HelloKitty ransomware deployed via critical Apache ActiveMQ flaw

Attackers have begun exploiting a critical remote code execution vulnerability patched last week in Apache ActiveMQ to deploy ransomware in enterprise networks. Users are urged to upgrade the software as soon as possible. “Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments,” researchers from security firm Rapid7 said in a report. “In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations.”

Based on the ransom note left behind and other details of the attack, Rapid7 believes the attackers deployed the HelloKitty ransomware program whose source code was leaked on underground forums earlier this month.

A critical Java deserialization flaw

Apache ActiveMQ is a Java open-source message broker that supports several transmission protocols for transferring messages and data between different applications and clients written in different programming languages. It is a popular middleware used in developing enterprise software solutions.

On October 25, developers of ActiveMQ released security updates to patch a critical vulnerability tracked as CVE-2023-46604 that can lead to remote code execution. Vulnerability details and a proof-of-concept exploit have since been posted online by security researchers. “The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath,” the official advisory reads.

According to Rapid7, the flaw stems from insecure deserialization. Serialization is the conversion of data into a binary format for transmission over the wire and is a common technique used in Java applications. Deserialization is the reversal of that process that happens at the receiving end and if the original input is not properly sanitized, it can lead to security issues. Java deserialization is its own category of vulnerabilities that has grown in popularity in recent years with many projects affected by such flaws.

The HelloKitty ransomware

HelloKitty is a ransomware program that first appeared in 2020 and has been issued in several high-profile attacks, including one against game studio CD Projekt Red in February 2021 when attackers claimed to have stolen the source code for several popular games including Cyberpunk 2077, Witcher 3, and Gwent.