Apache ActiveMQ Vulnerability actively exploited, HelloKitty Ransomware gang leading the attacks
Take action: If you are running Apache ActiveMQ, PATCH NOW. If you have not been hit yet, you have probably just been lucky, and that will change very soon.
A critical security vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604 (CVSS score 10.0), is being exploited by ransomware groups, most notably the HelloKitty gang.
The flaw allows remote code execution through the OpenWire protocol and is present in multiple versions of Apache ActiveMQ and its Legacy OpenWire Module. Fixed releases are 5.15.16, 5.16.7, 5.17.6 and 5.18.3. Despite these fixes being available, alarmingly few exposed brokers have been updated, leaving thousands of servers at risk.
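A quick way to turn that fixed-version list into a check, as an added example that is not code from the article or from the ActiveMQ project: the Python below classifies an ActiveMQ version string (from the broker's version banner or your asset inventory) as patched or still vulnerable against the four fixed releases, and triages a whole inventory at once. The inventory lines are constructed for the demo. Two rules are my reading of the Apache advisory rather than anything the article states: 5.x lines older than 5.15 received no fix and are treated as unpatched, and releases on a newer major (6.x) or a 5.x line newer than 5.18 are treated as patched because they shipped after the fix.

```python
"""Classify Apache ActiveMQ version strings against the CVE-2023-46604 fixes.

Added example, not code from the article or the ActiveMQ project.
The fixed releases (5.15.16, 5.16.7, 5.17.6, 5.18.3) come from the article.
Assumptions (mine, not stated in the article): 5.x lines older than 5.15
received no fix and are treated as unpatched; releases on a newer major
(6.x) or a 5.x line newer than 5.18 postdate the fix and are treated as
patched; pre-release suffixes such as -SNAPSHOT are ignored.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained 5.x line (from the article).
FIXED_BY_LINE = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED_LINE = min(FIXED_BY_LINE)  # (5, 15)

_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull the first major.minor.patch triple out of a banner such as
    'ActiveMQ 5.18.2' or '5.17.6-SNAPSHOT'; None if there is none."""
    m = _TRIPLE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_patched(text: str) -> Optional[bool]:
    """True if the version carries the CVE-2023-46604 fix, False if it is in
    an affected range, None if the string holds no recognisable version."""
    v = parse_version(text)
    if v is None:
        return None
    line = (v[0], v[1])
    if line in FIXED_BY_LINE:
        return v >= FIXED_BY_LINE[line]   # tuple comparison: (5,18,2) < (5,18,3)
    if line < OLDEST_FIXED_LINE:
        return False   # no fixed release exists on these lines: upgrade
    return True        # assumption: 6.x and lines newer than 5.18 postdate the fix


def triage(inventory: str) -> Tuple[List[str], List[str]]:
    """Split 'host version-banner' inventory lines into hosts that still
    need the patch and hosts whose version could not be determined."""
    needs_patch: List[str] = []
    unknown: List[str] = []
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        host = parts[0]
        banner = parts[1] if len(parts) > 1 else ""
        status = is_patched(banner)
        if status is False:
            needs_patch.append(host)
        elif status is None:
            unknown.append(host)   # no version found: inspect by hand
    return needs_patch, unknown


# Constructed inventory for the demo; these are not real hosts.
SAMPLE_INVENTORY = """\
# host            version banner
mq-prod-01        ActiveMQ 5.18.2
mq-prod-02        ActiveMQ 5.18.3
mq-legacy-01      5.14.5
mq-dev-01         6.0.0
mq-test-01        version unknown
"""

if __name__ == "__main__":
    to_patch, unclear = triage(SAMPLE_INVENTORY)
    print("needs patch:", ", ".join(to_patch))
    print("check manually:", ", ".join(unclear))
```

Hosts that come back as unknown deserve a manual look rather than being ignored: a broker that hides its version is still exposed if it speaks OpenWire, and the patch status has to be confirmed some other way.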
Exploitation so far has been clumsy, with numerous failed attempts to encrypt files, which suggests a low-skilled individual or group. The HelloKitty ransomware group, known for its 2021 attack on CD Projekt Red and for frequently changing its tactics and tooling, has been tentatively linked to the attacks.
Most of the unpatched, vulnerable services are located in China, followed by the United States and Germany. Shadowserver Foundation data from November 1 counted 3,329 exposed ActiveMQ services that remain vulnerable, the bulk of them in those three countries.