One Article Review

Source RiskIQ
Identifier 8620767
Publication date 2024-12-06 16:17:50 (viewed: 2024-12-06 17:08:36)
Title Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)
Text

## Snapshot

Researchers at AhnLab Security Intelligence Response Center (ASEC) have identified that the [CVE-2023-46604](https://security.microsoft.com/intel-profiles/CVE-2023-46604) vulnerability in Apache ActiveMQ servers is being exploited on Korean systems. This vulnerability allows remote code execution by manipulating serialized class types in the OpenWire protocol.

## Description

The vulnerability began to be actively exploited soon after its disclosure, with incidents linked to the Andariel group and [HelloKitty](https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/) ransomware. Unpatched systems have been targeted continuously, with attackers deploying tools such as Ladon, Netcat, AnyDesk, and z0Miner to compromise environments. Recently, ASEC has observed evidence that Mauri ransomware threat actors are exploiting CVE-2023-46604, using Quasar RAT as part of the attack chain to exfiltrate information and gain control over systems through remote desktop. While no Mauri ransomware attacks have been confirmed, ASEC notes that Mauri ransomware has been uploaded to the download server.

## Microsoft Analysis and Additional OSINT Context

Microsoft Threat Intelligence has identified threat activity exploiting CVE-2023-46604 to facilitate HelloKitty ransomware attacks. The threat actor exploited CVE-2023-46604 to deliver and launch malicious MSI binaries using msiexec.exe. The actor then tampered with system services and launched the ransomware. Microsoft has also observed indicators of additional activity targeting ActiveMQ since late October 2023, though the exploitation method was not confirmed.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Due to active attacks in the wild and the availability of exploitation details, organizations should upgrade affected servers immediately. According to Apache, upgrade ActiveMQ servers to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to address this issue.
- Review logs and alerts for any indications of exploitation or post-compromise activity on affected servers, such as malicious files dropped and executed via the msiexec.exe command. Upgrading ActiveMQ will not remediate any attacker artifacts.
- If evidence of exploitation is discovered, reset the credentials for accounts that have been used on the server or have logged onto the server. Any service accounts related to ActiveMQ should also have their credentials rotated.
- Harden servers by following Apache's [ActiveMQ security recommendations](https://activemq.apache.org/security). Enabling authentication for brokers can prevent an attacker from moving laterally to another broker without proper authentication.
- Refer to our threat overview on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport?ocid=magicti_ta_ta2) for recommendations on security hardening and monitoring to defend against ransomware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run Endpoint Detection and Response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-b
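The first two recommendations above (upgrade to the fixed release for your branch, and look for msiexec.exe launched from the broker) can both be turned into a quick triage script. The following is an added example written for this page; it is not code from the article, from Apache, or from Microsoft. It assumes the fixed versions listed above (5.15.16, 5.16.7, 5.17.6, 5.18.3) and treats anything newer than the 5.18 branch as outside the listed affected ranges; the process-creation records are constructed to resemble Sysmon/EDR telemetry and assume the broker runs as a Java process whose command line mentions activemq.

```python
"""Triage helpers for CVE-2023-46604 (Apache ActiveMQ).

Added example, not from the original article or from Apache/Microsoft.
Two checks the recommendations call for:
  1. is_affected_version(): is an ActiveMQ build older than the fixed
     release for its branch (5.15.16, 5.16.7, 5.17.6, 5.18.3)?
  2. find_msiexec_from_activemq(): scan process-creation records for
     msiexec.exe spawned by the ActiveMQ Java process.
"""
import re

# Fixed releases per 5.x branch, as listed in the recommendations (from Apache).
FIXED = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}


def parse_version(text):
    """Return (major, minor, patch) from strings like '5.18.2' or 'ActiveMQ 5.16.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if the build is older than the fixed release for its branch.

    Builds before the 5.15 branch (and any 4.x) are all older than 5.15.16,
    so they get that floor. Assumption: branches newer than 5.18 are not in
    the page's list and are treated as not affected here.
    """
    ver = parse_version(text)
    if ver >= (5, 19, 0):
        return False  # assumption: newer branches are outside the listed ranges
    floor = FIXED.get(ver[1], FIXED[15]) if ver[0] == 5 else FIXED[15]
    return ver < floor


# Constructed process-creation records (Sysmon/EDR style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1200,
     "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmdline": "java -jar activemq.jar start"},
    {"pid": 5300, "ppid": 4120,                     # msiexec child of the broker
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i C:\Users\Public\update.msi"},
    {"pid": 5310, "ppid": 1200,                     # msiexec with an unrelated parent
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\setup\agent.msi"},
]


def is_activemq_process(ev):
    """Assumption: the broker runs as java.exe/javaw.exe with 'activemq' on its command line."""
    image = ev["image"].lower()
    return image.endswith(("java.exe", "javaw.exe")) and "activemq" in ev["cmdline"].lower()


def find_msiexec_from_activemq(events):
    """Return pids of msiexec.exe processes whose parent is the ActiveMQ Java process.

    This is the 'malicious files dropped and executed via msiexec.exe' pattern
    from the recommendations. Only the parent/child relation is checked, so a
    hit is a triage lead to investigate, not a verdict.
    """
    brokers = {ev["pid"] for ev in events if is_activemq_process(ev)}
    return [ev["pid"] for ev in events
            if ev["image"].lower().endswith("msiexec.exe") and ev["ppid"] in brokers]


if __name__ == "__main__":
    for v in ("5.18.2", "5.18.3", "5.15.15", "5.16.7"):
        print(v, "affected" if is_affected_version(v) else "fixed")
    print("msiexec spawned by ActiveMQ:", find_msiexec_from_activemq(SAMPLE_EVENTS))
```

Feed `is_affected_version` the string from the broker's own version banner or your inventory, and feed `find_msiexec_from_activemq` process-creation events with pid, ppid, image and command line fields from your EDR; on Linux brokers replace the msiexec check with whatever loader the telemetry shows, since the parent/child logic is the same.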
Tags Ransomware Tool Vulnerability Threat
Stories APT 45


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.