Vulnerable Apache ActiveMQ servers subjected to HelloKitty ransomware attack
Apache ActiveMQ servers vulnerable to the maximum-severity remote code execution flaw tracked as CVE-2023-46604 have been targeted in attacks attributed to the HelloKitty ransomware operation, The Hacker News reports.
After exploiting the vulnerability, which has been fixed in the recently released ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, the threat actors used the Windows Installer to load remote binaries named M2.png and M4.png, according to a Rapid7 report.
Further examination of both files revealed a .NET executable that deploys the EncDLL ransomware payload, which terminates processes and then encrypts files.
"Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October," said Rapid7 researchers.
Meanwhile, more than 3,300 ActiveMQ servers were noted by the Shadowserver Foundation to be vulnerable to CVE-2023-46604, most of which are in China, the U.S., and Germany.
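The four fixed releases named above each sit on a different 5.x branch, so an inventory check has to compare a host's version against the fix for its own branch rather than against a single number. The following script is an added example, not code from the article, Rapid7 or the ActiveMQ project: it classifies ActiveMQ version strings as vulnerable, fixed or unknown for CVE-2023-46604 using only the fixed versions stated on this page, and flags branches the page does not mention (for example 5.19.x or 6.x) for manual review instead of silently marking them safe. The hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import Optional

# Fixed releases named on the page for CVE-2023-46604, keyed by the 5.x branch
# (minor version) each belongs to. A release on one of these branches that is
# older than its listed fix is treated as vulnerable.
FIXED_RELEASES = {
    15: (5, 15, 16),
    16: (5, 16, 7),
    17: (5, 17, 6),
    18: (5, 18, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Parse 'major.minor.patch' from an ActiveMQ version string, ignoring any
    suffix such as '-SNAPSHOT'. Returns None if the string is unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify a version as 'vulnerable', 'fixed' or 'unknown' for CVE-2023-46604.

    'unknown' is returned for unparseable strings and for branches this page does
    not list, so they are reviewed against the vendor advisory rather than assumed safe."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major, minor, _ = v
    if major < 5 or (major == 5 and minor < 15):
        # Older than the oldest branch that received a fix, so never patched
        return "vulnerable"
    if major == 5 and minor in FIXED_RELEASES:
        return "fixed" if v >= FIXED_RELEASES[minor] else "vulnerable"
    return "unknown"


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Group hosts from an inventory of {'host': ..., 'version': ...} records by status."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for entry in inventory:
        buckets[assess(entry["version"])].append(entry["host"])
    return buckets


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "mq-01.example.internal", "version": "5.15.15"},
    {"host": "mq-02.example.internal", "version": "5.18.3"},
    {"host": "mq-03.example.internal", "version": "5.17.2-SNAPSHOT"},
    {"host": "mq-04.example.internal", "version": "5.14.5"},
    {"host": "mq-05.example.internal", "version": "6.0.0"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory (the ActiveMQ web console and the broker's startup log both report the version) and review the "unknown" bucket by hand; the script deliberately refuses to guess about branches the page does not cover.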