
Apache ActiveMQ Ransomware Attack

Released: Nov 06, 2023

Updated: Nov 06, 2023


Severity: High

Vendor: Apache

Type: Vulnerability, Ransomware


Ransomware attackers actively targeting Apache ActiveMQ flaw

Ransomware attackers are targeting servers running outdated and vulnerable versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604).

Common Vulnerabilities and Exposures

CVE-2023-46604

Background

Apache ActiveMQ is a popular open source message broker, a program that translates messages from one messaging protocol to another so that diverse services and systems can communicate. ActiveMQ supports a variety of protocols, including OpenWire (its native binary protocol, listening on TCP port 61616 by default), MQTT (a messaging protocol for IoT), AMQP (a protocol for business messaging and IoT device management), REST and STOMP. CVE-2023-46604 is a deserialization flaw in the OpenWire protocol handler: a remote attacker with network access to a broker can run arbitrary shell commands by manipulating the serialized class types in an OpenWire message so that the broker instantiates a class of the attacker's choosing from its classpath. No broker credentials are needed; reaching the OpenWire port is enough. Technical details and proof-of-concept (PoC) code for CVE-2023-46604 are publicly available and can be leveraged by other threat groups looking to exploit the vulnerability. As of Nov 6, 2023, according to Shadowserver, more than 3,000 servers reachable from the internet were still vulnerable to CVE-2023-46604: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=activemq&tag=cve-2023-46604&style=stacked
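The first question for a defender is which brokers are still on an affected release. The following Python script is an added example for this alert (it is not FortiGuard or Apache code): it applies the affected-version ranges from the Apache advisory to ActiveMQ broker startup log lines, which report the version as "Apache ActiveMQ x.y.z (brokerName, ID:...) is starting". The log lines are constructed; the ranges (5.18.0 up to 5.18.3, 5.17.0 up to 5.17.6, 5.16.0 up to 5.16.7, and everything before 5.15.16) are the ones in the advisory.

```python
"""Version triage for CVE-2023-46604 (Apache ActiveMQ OpenWire deserialization).

Added example for this alert; it is not FortiGuard or Apache code. The
affected ranges are the ones listed in the Apache advisory: 5.18.0 up to but
not including 5.18.3, 5.17.0 up to 5.17.6, 5.16.0 up to 5.16.7, and every
release before 5.15.16. The broker log lines below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest version on the branch, first fixed release on that branch)
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),  # everything older than 5.15.16, including 5.15.x
]

# ActiveMQ logs "Apache ActiveMQ x.y.z (brokerName, ID:...) is starting" at startup;
# the same "x.y.z" also appears in the web console and in the activemq-*.jar names.
VERSION_RE = re.compile(r"Apache ActiveMQ (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the broker version from a log line or banner, or None if absent."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True when the version sits inside one of the affected ranges.

    Tuple comparison is lexicographic, so 5.15.9 < 5.15.16 compares correctly
    (a naive string comparison would get that pair wrong).
    """
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


# Constructed sample: four brokers, two patched and two not.
SAMPLE_LOG = """\
2023-11-02 09:14:51,201 | INFO  | Apache ActiveMQ 5.18.2 (localhost, ID:mq01-35011-1698916491120-0:1) is starting | org.apache.activemq.broker.BrokerService | main
2023-11-02 09:15:03,887 | INFO  | Apache ActiveMQ 5.15.16 (localhost, ID:mq02-41302-1698916503555-0:1) is starting | org.apache.activemq.broker.BrokerService | main
2023-11-02 09:15:40,003 | INFO  | Apache ActiveMQ 5.16.3 (localhost, ID:mq03-55270-1698916540001-0:1) is starting | org.apache.activemq.broker.BrokerService | main
2023-11-02 09:16:12,410 | INFO  | Apache ActiveMQ 5.18.3 (localhost, ID:mq04-60112-1698916572398-0:1) is starting | org.apache.activemq.broker.BrokerService | main
"""


def triage(log_text: str) -> Dict[str, str]:
    """Map every version string found in the log to "VULNERABLE" or "not affected"."""
    verdicts: Dict[str, str] = {}
    for line in log_text.splitlines():
        version = parse_version(line)
        if version is None:
            continue
        label = ".".join(str(part) for part in version)
        verdicts[label] = "VULNERABLE" if is_vulnerable(version) else "not affected"
    return verdicts


if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_LOG).items():
        print(f"{label:<8} {verdict}")
```

Run it against the real activemq.log files from your brokers (or feed it the version strings from a fleet inventory). Note that the separate activemq-openwire-legacy module is fixed in the same release numbers, so a client or bridge that embeds that jar needs the same check.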

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


Oct 2023: Apache published its security advisory for CVE-2023-46604:
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt

Oct 25, 2023: Apache released the fixed versions for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3):
https://activemq.apache.org/components/classic/download/

Nov 02, 2023: CISA added CVE-2023-46604 to its Known Exploited Vulnerabilities (KEV) catalog.


FortiGuard Labs recommends applying the available patches for Apache ActiveMQ as soon as possible if not already done. Because exploitation only requires network access to the broker, the OpenWire port (61616/tcp by default) should also be restricted to trusted clients rather than exposed to the internet. Apache publishes guidance on securing ActiveMQ deployments: https://activemq.apache.org/security

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure

  • Decoy VM

  • AV

  • Vulnerability

  • AV (Pre-filter)

  • Behavior Detection

  • IPS

DETECT
  • Outbreak Detection

  • Threat Hunting

  • IOC

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Vulnerability Management

  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise

IOC Indicator List
Indicator Type Status
93.189.46.81 ip Active
b6e0db27c2b3e62db616b0918a5d8ed8 file Active
gulf.moneroocean.stream domain Active
185.154.53.140 ip Active
45a7ef83238f5244738bb5e7e3dd6299 file Active
185.159.129.88 ip Active
185.156.179.225 ip Active
185.221.154.208 ip Active
185.237.224.182 ip Active
185.87.48.183 ip Active
212.22.77.79 ip Active
c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b... file Active
ccef46c7edf9131ccffc47bd69eb743b file Active
157.230.184.142 ip Active
64.227.24.12 ip Active
109.237.96.124 ip Active
104.131.30.201 ip Active
34.81.218.76 ip Active
183.136.225.9 ip Active
207.38.87.6 ip Active
185.154.53.140:80 ip Active
42.112.28.216 ip Active
3edcde37dcecb1b5a70b727ea36521de file Active
7ef97450e84211f9f35d45e1e6ae1481 file Active
168.100.9.154 ip Active
202.28.229.174 ip Active
1136efb1a46d1f2d508162387f30dc4d file Active
http://202.28.229.174/win/kill.bat url Active
http://gulf.moneroocean.stream:10128/ url Active
156.96.155.233 ip Active
23.94.248.134 ip Active
194.34.246.90 ip Active
198.252.98.184 ip Active
5.161.136.176 ip Active
5.255.99.59 ip Active
34.81.218.76:9486 ip Active
hellokittycat.online domain Active
service@hellokittycat.online email Active
170.187.163.90 ip Active
66.228.40.98 ip Active
50.116.59.19 ip Active
http://50.19.48.59:82/kill.bat url Active
http://50.19.48.59:82/me.bat url Active
185.221.154.208:80 ip Active
167.248.133.52 ip Active
162.142.125.216 ip Active
194.165.16.111 ip Active
50.19.48.59 ip Active
50.19.48.59:82 ip Active
165.22.16.135 ip Active
http://50.19.48.59:82/me1.bat url Active
http://50.19.48.59:82/prx.bat url Active
102.130.112.157 ip Active
185.122.204.197 ip Active
143.42.173.101 ip Active
143.42.173.60 ip Active
143.42.164.97 ip Active
143.42.164.34 ip Active
http://31.184.240.34/x url Active
31.184.240.34 ip Active
65.49.1.38 ip Active
6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795a... file Active
b9e79bb09995a9dd2f5a22dc2e59738696e2be2204ec92a... file Active
http://109.248.59.253/ url Active
http://185.224.212.104/ url Active
http://185.237.224.182/ url Active
http://194.169.160.157/ url Active
http://212.22.77.79/ url Active
http://31.184.240.34/x2 url Active
http://91.240.87.98/ url Active
http://93.189.42.217/ url Active
http://93.189.46.81/ url Active
https://rolibztiz3zfysof5q2rja6airtmbw74am4oc4r... url Active
rolibztiz3zfysof5q2rja6airtmbw74am4oc4rgqsh3kti... domain Active
http://185.221.154.208/ url Active
109.248.59.253 ip Active
185.224.212.104 ip Active
194.169.160.157 ip Active
91.240.87.98 ip Active
93.189.42.217 ip Active
34.100.208.153 ip Active
183.136.225.29 ip Active
787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526... file Active
c6fbd6896d162a12d9c900056781eb82f44649945808b7b... file Active
62.233.50.101 ip Active
http://185.122.204.197/unk.sh url Active
27.102.128.152 ip Active
199.45.155.17 ip Active
68.69.186.14 ip Active
8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc9... file Active
8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d... file Active
c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe3... file Active
http://172.245.16.125/m2.png url Active
http://172.245.16.125/m4.png url Active
172.245.16.125 ip Active
159.203.182.45 ip Active
172.245.16.125:80 ip Active
45.32.120.181 ip Active
4c9fa87e72fe59cf15131bd2f3bd7baa7a9555ceec438c1... file Active
dd13cf13c1fbdc76da63e76adcf36727cfe594e60af0dc8... file Active
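The indicator table above is most useful when swept against your own logs. As an added example (not FortiGuard code), the Python below loads a subset of the rows exactly as they appear on this page, normalises them (an "ip:port" row matches on the bare IP, a URL also yields its host, an e-mail address its domain) and scans constructed proxy, DNS, EDR and firewall lines for hits.

```python
"""Sweep log lines for the indicators published with this outbreak alert.

Added example; not FortiGuard code. IOC_ROWS is a subset of the page's
"Indicator Type Status" table, copied verbatim; the log lines are constructed.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

IOC_ROWS = """\
93.189.46.81 ip Active
b6e0db27c2b3e62db616b0918a5d8ed8 file Active
gulf.moneroocean.stream domain Active
185.154.53.140:80 ip Active
hellokittycat.online domain Active
service@hellokittycat.online email Active
http://202.28.229.174/win/kill.bat url Active
http://50.19.48.59:82/me.bat url Active
"""

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Patterns used to pull candidate artefacts out of free-form log text.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")  # md5 or sha256
URL_RE = re.compile(r"https?://[^\s\"']+")


def load_indicators(rows: str) -> Dict[str, Set[str]]:
    """Normalise the table into lookup sets.

    "ip:port" rows are keyed by the bare IP, a URL also contributes its host,
    and an e-mail address contributes its domain, so that partial evidence
    (only an IP in a firewall log) still matches.
    """
    ind: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "hash": set(), "url": set()}
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        value, kind, _status = parts
        value = value.lower()
        if kind == "ip":
            ind["ip"].add(value.split(":")[0])
        elif kind == "domain":
            ind["domain"].add(value)
        elif kind == "file":
            ind["hash"].add(value)
        elif kind == "email":
            ind["domain"].add(value.split("@", 1)[1])
        elif kind == "url":
            ind["url"].add(value)
            host = urlsplit(value).hostname
            if host:
                ind["ip" if IPV4.fullmatch(host) else "domain"].add(host)
    return ind


def scan_line(line: str, ind: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return sorted (type, value) pairs for every indicator present in the line."""
    text = line.lower()
    hits: Set[Tuple[str, str]] = set()
    hits.update(("url", u) for u in URL_RE.findall(text) if u in ind["url"])
    hits.update(("ip", ip) for ip in IP_RE.findall(text) if ip in ind["ip"])
    hits.update(("domain", h) for h in HOST_RE.findall(text) if h in ind["domain"])
    hits.update(("hash", h) for h in HASH_RE.findall(text) if h in ind["hash"])
    return sorted(hits)


# Constructed sample lines: proxy, DNS, EDR and firewall events plus one benign line.
SAMPLE_LOGS = [
    '2023-11-01T03:12:44Z proxy01 GET http://202.28.229.174/win/kill.bat 200 "curl/7.68.0" src=10.20.5.17',
    "2023-11-01T03:13:02Z dns01 query gulf.moneroocean.stream A from 10.20.5.17",
    "2023-11-01T03:15:19Z edr01 process=cmd.exe md5=b6e0db27c2b3e62db616b0918a5d8ed8 path=C:\\Windows\\Temp\\m.exe",
    "2023-11-01T03:16:00Z fw01 ALLOW tcp 10.20.5.17:51022 -> 185.154.53.140:80",
    '2023-11-01T03:20:10Z proxy01 GET https://updates.example.com/patch.bin 200 "curl/7.68.0" src=10.20.5.18',
]


def sweep(lines: List[str], ind: Dict[str, Set[str]]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return (line, hits) for each line that touches at least one indicator."""
    findings = []
    for line in lines:
        hits = scan_line(line, ind)
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in sweep(SAMPLE_LOGS, load_indicators(IOC_ROWS)):
        print(hits, "<-", line)
```

Feed the full table into IOC_ROWS and pipe real proxy, DNS and firewall exports through sweep(); a hit on the moneroocean pool or on the kill.bat / me.bat downloads is a strong sign the broker has already been exploited rather than merely exposed.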