### #MauriRansomware #ApacheActiveMQ #RemoteCodeExecution
Summary: A critical vulnerability in Apache ActiveMQ, CVE-2023-46604, is being exploited by threat actors to deploy Mauri ransomware, allowing remote command execution on unpatched servers. This vulnerability poses significant risks, including data breaches and system compromises.
Threat Actor: Various Groups | Mauri
Victim: Organizations using Apache ActiveMQ | Apache ActiveMQ
Key Points:
- Exploitation of CVE-2023-46604 allows attackers to execute malicious commands remotely on unpatched Apache ActiveMQ servers.
- Mauri ransomware encrypts files using AES-256 CTR encryption and appends the .locked extension, with ransom notes left for victims.
- Threat actors are also installing additional malware, such as CoinMiners and AnyDesk, to maintain access and control over compromised systems.
- ASEC recommends patching vulnerable systems, restricting external access, and monitoring for suspicious activity to mitigate risks.
The AhnLab Security Intelligence Response Center (ASEC) has revealed that threat actors exploiting a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, have begun deploying Mauri ransomware in their attacks. This vulnerability allows attackers to execute malicious commands remotely on unpatched servers, potentially leading to data breaches, system compromises, or ransomware deployments.
Apache ActiveMQ is a popular open-source messaging server. CVE-2023-46604 is a remote code execution vulnerability that arises when attackers manipulate the serialized class type in the OpenWire protocol to load malicious XML configuration files. As ASEC notes, “If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and dominate the target system.”
This vulnerability has been actively exploited by several threat groups, including Andariel, the operators of HelloKitty ransomware, and now those deploying Mauri ransomware. Unpatched systems remain highly vulnerable, with attackers installing tools like CoinMiners, AnyDesk, and the z0Miner malware in addition to deploying ransomware.
ASEC reports that Mauri ransomware, known for its file-encrypting capabilities, is being distributed via compromised ActiveMQ servers. The infection chain begins with a targeted attack exploiting CVE-2023-46604, enabling attackers to gain remote access and install malicious software. The Mauri ransomware encrypts files using AES-256 CTR encryption and appends the .locked extension. Victims are greeted with ransom notes named “READ_TO_DECRYPT.html” or “FILES_ENCRYPTED.html.”
Although the Mauri ransomware source code is publicly available for research, threat actors have customized it for active campaigns. “Several configuration data, such as wallet addresses, Telegram addresses, and encryption settings, have already been altered by the threat actor,” ASEC highlights.
Threat actors utilizing this vulnerability don’t rely solely on ransomware. ASEC identified additional methods to maintain persistence and access:
- Backdoor Accounts: Attackers created hidden accounts, such as “adminCaloX1,” to enable Remote Desktop Protocol (RDP) access and maintain control over infected systems.
- Remote Access Trojans: Quasar RAT, a .NET-based open-source malware, was deployed to steal credentials, enable keylogging, and execute commands on compromised systems.
- Proxy Tools: Fast Reverse Proxy (FRP) was used to expose infected systems behind NAT or firewalls, facilitating remote connections to RDP services.
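The artifacts ASEC names above (the .locked extension, the two ransom note file names, the hidden "adminCaloX1" account) are concrete enough to hunt for. The following is an added example, not code from ASEC or the article, that runs a simple triage over a constructed file listing and a few constructed Windows Security event lines. The key=value event layout and the sample paths are assumptions made for this example; only the indicator values themselves come from the report.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the ASEC report quoted on this page.
LOCKED_EXT = ".locked"
RANSOM_NOTES = {"READ_TO_DECRYPT.html", "FILES_ENCRYPTED.html"}
KNOWN_BACKDOOR_ACCOUNTS = {"adminCaloX1"}

# Windows Security event ID 4720: "A user account was created".
ACCOUNT_CREATED_EVENT = "4720"

# Constructed sample file listing (not data from the report).
SAMPLE_PATHS = [
    r"C:\activemq\data\kahadb\db-1.log",
    r"C:\Users\Public\Documents\budget.xlsx.locked",
    r"C:\Users\Public\Documents\READ_TO_DECRYPT.html",
    r"C:\Users\Public\Pictures\team.png.locked",
    r"C:\Windows\System32\drivers\etc\hosts",
]

# Constructed sample event lines in a simplified key=value layout; this layout
# is an assumption for the example, not a real log export format.
SAMPLE_EVENTS = [
    "ts=2024-11-20T02:11:04Z event_id=4624 target_user=svc_activemq logon_type=5",
    "ts=2024-11-20T02:13:51Z event_id=4720 target_user=adminCaloX1 subject_user=SYSTEM",
    "ts=2024-11-20T02:13:52Z event_id=4732 target_user=adminCaloX1 group=Administrators",
    "ts=2024-11-20T02:20:00Z event_id=4720 target_user=helpdesk02 subject_user=itadmin",
]

EVENT_RE = re.compile(r"event_id=(\d+)\s+target_user=(\S+)")


def scan_paths(paths):
    """Return (number of .locked files, list of ransom note paths) for a listing."""
    locked = 0
    notes = []
    for p in paths:
        # PureWindowsPath splits on backslashes regardless of the host OS.
        name = PureWindowsPath(p).name
        if name.lower().endswith(LOCKED_EXT):
            locked += 1
        if name in RANSOM_NOTES:
            notes.append(p)
    return locked, notes


def find_account_creations(lines):
    """Return [(user, severity)] for every account-creation event.

    A name already seen in this campaign is rated 'high'; any other account
    created on a messaging server is still worth a 'review'.
    """
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m is None or m.group(1) != ACCOUNT_CREATED_EVENT:
            continue
        user = m.group(2)
        hits.append((user, "high" if user in KNOWN_BACKDOOR_ACCOUNTS else "review"))
    return hits


def triage(paths=SAMPLE_PATHS, events=SAMPLE_EVENTS):
    """Combine both checks into one summary a responder can act on."""
    locked, notes = scan_paths(paths)
    accounts = find_account_creations(events)
    return {
        "locked_files": locked,
        "ransom_notes": notes,
        "account_creations": accounts,
        "ransomware_indicators": locked > 0 or bool(notes),
    }


if __name__ == "__main__":
    print(triage())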
To protect against these attacks, ASEC recommends:
- Patch Vulnerable Systems: Ensure all Apache ActiveMQ instances are updated to secure versions.
  - Vulnerable versions include 5.18.0–5.18.2, 5.17.0–5.17.5, 5.16.0–5.16.6, and earlier.
- Restrict External Access: Use firewalls to limit exposure of servers to external threats.
- Monitor for Suspicious Activity: Implement endpoint security measures to detect unauthorized access or the creation of hidden accounts.
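Checking an inventory against the version ranges listed above is the quickest way to find instances that still need the patch. Below is an added example (not ASEC's or the article's code) that encodes exactly the ranges quoted on this page and flags hosts running them. The inventory dictionary is constructed for the example; the "and earlier" clause is taken literally, so every version below 5.16.0 is treated as affected, which should be confirmed against the vendor advisory for the exact fixed releases of older branches.

```python
import re

# Ranges quoted on this page from the ASEC report: 5.18.0-5.18.2, 5.17.0-5.17.5,
# 5.16.0-5.16.6, "and earlier".
VULNERABLE_RANGES = [
    ((5, 18, 0), (5, 18, 2)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 16, 0), (5, 16, 6)),
]
OLDEST_LISTED_BRANCH = (5, 16, 0)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '5.17.3' (or '5.17.3-SNAPSHOT') into a comparable (5, 17, 3) tuple."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text):
    """True if the version falls in a listed range or below the oldest one.

    Assumption: 'and earlier' means every release below 5.16.0; verify the
    fixed versions of older branches against the vendor advisory.
    """
    v = parse_version(version_text)
    if any(low <= v <= high for low, high in VULNERABLE_RANGES):
        return True
    return v < OLDEST_LISTED_BRANCH


def hosts_needing_patch(inventory):
    """inventory maps hostname -> version string; returns hosts still affected."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed inventory for the example (not real hosts).
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy-01": "5.15.9",
    "mq-staging-01": "5.17.6",
    "mq-dev-01": "5.16.6-SNAPSHOT",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, patch required")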
Source: https://securityonline.info/mauri-ransomware-exploits-apache-activemq-flaw-cve-2023-46604