Mauri Ransomware Exploits Apache ActiveMQ Flaw
Summary:
AhnLab Security Intelligence Response Center (ASEC) has published a blog post describing threat actors exploiting a critical Apache ActiveMQ vulnerability, CVE-2023-46604, to deploy Mauri ransomware, most recently in attacks against Korean systems. CVE-2023-46604 is a remote code execution vulnerability in the Apache ActiveMQ server, an open-source messaging and integration pattern server. If an unpatched Apache ActiveMQ server is public-facing, the threat actor can execute malicious commands remotely and take control of the target system. The attack works by manipulating the serialized class type in the OpenWire protocol so that the server instantiates a class from its classpath. When the threat actor sends the modified packet, the vulnerable server follows the path (URL) in the packet and loads the class XML configuration file from it.
Shortly after the flaw was disclosed, adversaries including the Andariel group, HelloKitty ransomware operators, and attackers using Cobalt Strike began exploiting it on systems in Korea. The targeted systems had Apache ActiveMQ servers installed, and logs show continuous attempts by CoinMiner attackers to install malware. Mauri ransomware threat actors are suspected of exploiting the vulnerability, resulting in Frpc being installed by the vulnerable ActiveMQ process.
FRP (Fast Reverse Proxy) is an open-source tool written in Go that operates as a reverse proxy to expose systems located behind NAT or firewalls to the outside. FRP is divided into Frpc and Frps; Frpc is the component installed on infected systems, and it connects the port of the service to be exposed to an external relay. The threat actor uses the XML files sequentially. The first type adds a backdoor account named “adminCaloX1” and executes commands to register it as an admin account and enable remote access. There are also commands that enable RDP access on other systems within a private network, which shows lateral movement capability.
The threat actor’s download server also hosts Quasar RAT, and since the C&C server shares the same address as the download server, it appears that Quasar RAT is used in addition to remote control over RDP. Although actual attack cases have not yet been confirmed, Mauri ransomware has been uploaded to the download server. Mauri ransomware was developed by a developer named “mauri870” for research purposes. The C&C server address being set to Localhost and the presence of Mauri’s server program on the download server suggest that it might still be in testing. However, since several configuration values, such as wallet addresses, Telegram addresses, and encryption settings, have already been altered by the threat actor, it is likely Mauri ransomware is being used in ongoing attacks.
Security Officer Comments:
Many threat actors, not just Mauri ransomware operators, are continuously launching attacks against vulnerable Apache ActiveMQ servers. In these identified attacks, there were cases where CoinMiners were installed for cryptocurrency mining as well as cases where malware strains were utilized to control the victim’s system. Installing backdoors after the initial compromise gives the attacker the opportunity to steal data or deploy ransomware during their operations. Defenders should verify their current Apache ActiveMQ service is not susceptible to these attacks and apply the latest patches to mitigate CVE-2023-46604 and prevent similar attacks. System administrators are encouraged to use security software like firewalls and EDR solutions.
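As an added example (not taken from the ASEC report or this advisory), the Python sketch below triages process-creation events for the post-exploitation behaviours described in the Summary: account creation, admin-group changes, RDP being enabled, and Frpc starting, all as children of the ActiveMQ Java process. The event fields, regexes, file paths and sample events are assumptions constructed for illustration; only the account name “adminCaloX1” and the Frpc tool name come from this page.

```python
import re

# Command-line patterns for the behaviours in the summary. The regexes are this
# example's assumptions; only "adminCaloX1" and Frpc are named on the page.
RULES = {
    "account_created": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I),
    "admin_group_change": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I),
    "rdp_enabled": re.compile(r"fDenyTSConnections", re.I),
    "frpc_started": re.compile(r"\bfrpc(\.exe)?\b", re.I),
}
KNOWN_ACCOUNT = re.compile(r"\badminCaloX1\b", re.I)

# Constructed process-creation events: (host, parent image, parent cmdline, child cmdline).
JAVA = r"C:\Java\bin\java.exe"
AMQ = r"java.exe -Dactivemq.home=C:\activemq -jar activemq.jar start"
SAMPLE_EVENTS = [
    ("mq01", JAVA, AMQ, "cmd.exe /c net user adminCaloX1 <redacted> /add"),
    ("mq01", JAVA, AMQ, "cmd.exe /c net localgroup administrators adminCaloX1 /add"),
    ("mq01", JAVA, AMQ, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                        r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("mq01", JAVA, AMQ, r"C:\Users\Public\frpc.exe -c C:\Users\Public\frpc.ini"),
    ("ws07", r"C:\Windows\System32\cmd.exe", "cmd.exe", "net user svc_backup <redacted> /add"),
]

def from_activemq(parent_image, parent_cmd):
    """True when the parent is a Java process whose command line names ActiveMQ."""
    image = parent_image.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return image in ("java", "java.exe", "javaw.exe") and "activemq" in parent_cmd.lower()

def detect(events):
    """Return (host, sorted tags) for each event that matches the described chain."""
    findings = []
    for host, parent_image, parent_cmd, child_cmd in events:
        tags = []
        # Behaviour rules only count when the broker's own process spawned the command;
        # the same command from an ordinary admin shell is not this chain.
        if from_activemq(parent_image, parent_cmd):
            tags = [name for name, rx in RULES.items() if rx.search(child_cmd)]
        # The account name reported on the page is flagged regardless of parent.
        if KNOWN_ACCOUNT.search(child_cmd):
            tags.append("known_backdoor_account")
        if tags:
            findings.append((host, sorted(tags)))
    return findings

if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS):
        print(host, ", ".join(tags))
```

In practice the same parent-child logic maps onto EDR or Sysmon process-creation telemetry; a message broker rarely has a legitimate reason to spawn a shell, so any child process of ActiveMQ is worth reviewing.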
Suggested Corrections:
IOCs are available here.
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://securityonline.info/mauri-ransomware-exploits-apache-activemq-flaw-cve-2023-46604/
https://asec.ahnlab.com/en/85000/