HelloKitty Ransomware Operators Exploit Apache ActiveMQ Vulnerability

Date: November 2, 2023


Researchers have observed the potential exploitation of a recently disclosed critical vulnerability in the Apache ActiveMQ open-source message broker service (CVE-2023-46604) that could allow remote code execution and arbitrary shell commands.

The vulnerability earned an alarming maximum severity CVSS score of 10.0, and a patch was made available in ActiveMQ version releases 5.15.16, 5.16.7, 5.17.6, or 5.18.3 in late October.
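As an added example (not code from the original report), the following Python helper triages an inventory of reported ActiveMQ versions against the fixed releases listed above. The hostnames and versions are constructed, and the handling of branches older or newer than those listed is an assumption of this example.

```python
"""Flag Apache ActiveMQ versions still exposed to CVE-2023-46604.

Fixed releases listed in the advisory: 5.15.16, 5.16.7, 5.17.6, 5.18.3.
Assumption: a broker on a branch older than 5.15 has no listed fix and is
treated as needing an upgrade; a branch newer than those listed is reported
as UNKNOWN so the operator checks the vendor advisory instead of trusting
this script.
"""
from typing import Dict, Tuple

# Minimum patched release on each maintained branch (from the advisory).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a plain 'major.minor.patch' string; anything else is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(version: str) -> str:
    """Return 'PATCHED', 'VULNERABLE' or 'UNKNOWN' for one reported version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return "PATCHED" if v >= FIXED_BY_BRANCH[branch] else "VULNERABLE"
    if branch < min(FIXED_BY_BRANCH):
        return "VULNERABLE"  # older branch: no fixed release listed, upgrade needed
    return "UNKNOWN"  # newer than the advisory covers; consult the vendor advisory


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.14.5",
    "mq-test": "5.16.7",
    "mq-new": "6.0.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {verdict}")
```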

"In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," The Hacker News reports the researchers as stating.

"Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October."

Takeaway: Today's ransomware attacks increasingly employ techniques that are far more advanced than those of the ransomware campaigns of even just a year or two ago.

Ransomware is big business, with revenue in the billions of dollars. The attackers are taking a significant amount of those proceeds and reinvesting in the hiring of skilled developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt faster.

Attackers are automating scans that search for vulnerabilities to exploit, as we have seen in the disruptive Cl0p campaigns targeting the MOVEit and GoAnywhere software bugs. They are also creating bespoke tools for more efficient collection and exfiltration of victim data, and building out their RaaS platform services to smooth the negotiation and ransom payment process.

We have also seen an increasing level of overlap between what were previously state-sponsored APT operations and those of cybercriminal ransomware attackers, including leveraging zero-day exploits and advanced techniques like DLL side-loading.

Also, the development of Linux versions by many of the most prevalent RaaS providers is particularly concerning, as Linux systems tend to run some of the most important networks, including those running our critical infrastructure.

Organizations need to assume they will be the victim of a ransomware attack and focus on implementing a ransomware resilience strategy, with contingencies in place to recover as quickly as possible.

To be successful, this includes endpoint protection solutions, aggressive patch management, segmented data backups, access controls, staff awareness training, and testing of organizational procedures and resilience.

Organizations need to run regular tabletop exercises and ensure all stakeholders are ready and available to respond to an attack at all times. A determined attacker with enough time and resources is going to find a way around security controls. Planning to be resilient in the aftermath of a successful ransomware attack is the best advice.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.