Full Report
AhnLab SEcurity intelligence Response Center (ASEC) has covered attack cases targeting the CVE-2023-46604 vulnerability in past blog posts. Systems without the vulnerability patch are still being targeted, and the observed cases show that the attackers' main intention is to install CoinMiners. Recently, threat actors using Mauri ransomware have been found exploiting the Apache ActiveMQ vulnerability to attack Korean systems. […] The post Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604) appeared first on ASEC.
Analysis Summary
# Incident Report: ActiveMQ RCE Leading to CoinMiners, RATs, and Ransomware Deployment
## Executive Summary
Threat actors are actively exploiting the unpatched remote code execution vulnerability (CVE-2023-46604) in external-facing Apache ActiveMQ servers, primarily targeting Korean systems. The exploitation chain involved manipulating the OpenWire protocol to achieve RCE, leading to the deployment of various malware, including CoinMiners, the Quasar Remote Access Trojan (RAT), and components associated with the Mauri ransomware operation, with the primary goal of establishing persistent remote control. The response primarily centered on immediate patching and securing affected services.
## Incident Details
- **Discovery Date:** Ongoing monitoring indicated continuous targeting following disclosure.
- **Incident Date:** Commenced shortly after the public disclosure of CVE-2023-46604.
- **Affected Organization:** Korean systems running vulnerable Apache ActiveMQ servers.
- **Sector:** Not explicitly stated, but system-level compromise suggests IT/Infrastructure exposure.
- **Geography:** Korea
## Timeline of Events
### Initial Access
- **Date/Time:** Shortly after CVE-2023-46604 disclosure (ongoing).
- **Vector:** Exploitation of CVE-2023-46604 in Apache ActiveMQ.
- **Details:** Attackers send modified packets using the OpenWire protocol, manipulating the serialized class type to reference a malicious XML configuration file hosted on an external server (e.g., `hxxp://18[.]139[.]156[.]111:83/pocw.xml`). The vulnerable server executes commands specified within this file.
### Lateral Movement
- **Details:** The use of FRP (Frpc) suggests an intent to expose internal services (like RDP port 3389) externally for better command and control or follow-on access. Backdoor account creation (`adminCaloX1`, `Hell0$`) facilitates persistent remote management.
### Data Exfiltration/Impact
- **Details:** Goals observed include CoinMiner installation, deployment of Quasar RAT for comprehensive remote control (keylogging, file/registry management), and suspected deployment of Mauri ransomware components (evidenced by configuration files on the download server).
### Detection & Response
- **Details:** Detection occurred through monitoring service logs showing continuous CoinMiner installation attempts and subsequent analysis of malware downloaded by the vulnerable ActiveMQ process. Response involved identifying installed tools and advising immediate patching.
## Attack Methodology
- **Initial Access:** Remote Code Execution (RCE) via CVE-2023-46604 in Apache ActiveMQ (OpenWire protocol manipulation).
- **Persistence:** Creation of backdoor user accounts (`adminCaloX1`, hidden account `Hell0$`) often using the `CreateHiddenAccount` tool, and installation of Quasar RAT.
- **Privilege Escalation:** Implied via the RCE capability, allowing execution of commands to register new administrator accounts.
- **Defense Evasion:** Use of the legitimate open-source tool `CreateHiddenAccount` to hide new user accounts.
- **Credential Access:** Quasar RAT features keylogging and account information collection.
- **Discovery:** Not explicitly detailed, but typical post-exploitation reconnaissance would occur via the installed RAT/direct command execution.
- **Lateral Movement:** Use of Frpc to proxy RDP (port 3389) access outwards, likely enabling easier access to other internal systems.
- **Collection:** Quasar RAT capabilities likely used for file/registry collection.
- **Exfiltration:** Not explicitly detailed, but standard for RAT operations.
- **Impact:** Cryptocurrency mining, persistent remote control via RAT, potential data theft, and ransomware deployment readiness.
## Impact Assessment
- **Financial:** Potential cryptocurrency losses from mining; costs associated with incident response and remediation.
- **Data Breach:** High risk due to Quasar RAT capabilities (keylogging, account access, file manipulation).
- **Operational:** System compromise possibly leading to resource degradation (CoinMiners) and full loss of administrative control (RAT/RDP backdoors).
- **Reputational:** Damage due to compromises involving known malware strains such as Mauri and activity attributed to the Andariel group.
## Indicators of Compromise
- **Network indicators (Defanged):**
  - C&C/Download Server: `hxxp://18[.]139[.]156[.]111`
  - Quasar RAT C&C Port: `:4782`
- **File indicators:**
  - Malicious XML configuration files (e.g., `pocw.xml`).
  - Downloaded executables (specific final malware hashes were not provided; examples include CoinMiners, Frpc, and Quasar RAT payloads).
  - `user.zip` containing `CreateHiddenAccount_v0.2.exe` and `user.bat`.
- **Behavioral indicators:**
  - Malicious deserialization attempts against the OpenWire protocol.
  - Creation of new local administrator accounts (e.g., `adminCaloX1`, `Hell0$`).
  - Installation of the FRP client (`Frpc`) to tunnel RDP port 3389 outwards.
## Response Actions
- **Containment measures:** Identifying and isolating affected servers running vulnerable Apache ActiveMQ versions.
- **Eradication steps:** Removing malware (CoinMiners, Quasar RAT), deleting unauthorized user accounts (`adminCaloX1`, `Hell0$`), and terminating processes initiated by the ActiveMQ service.
- **Recovery actions:** Applying the latest security patches for Apache ActiveMQ immediately to close the RCE vector, and potentially forensic analysis on compromised systems.
## Lessons Learned
- **Key takeaways:** Unpatched, externally exposed services like Apache ActiveMQ remain primary targets for immediate RCE exploitation. Attackers quickly pivot from simple cryptocurrency mining to sophisticated remote access and potential ransomware deployment.
- **What could have been done better:** Proactive vulnerability scanning and immediate patching of known critical CVEs, especially those leading to RCE, are crucial. Network segmentation should restrict external access to internal messaging servers like ActiveMQ.
## Recommendations
- **Prevention measures for similar incidents:**
  1. **Patch Management:** Immediately update Apache ActiveMQ to versions not affected by CVE-2023-46604.
  2. **Network Security:** Implement strict firewall rules to restrict external access only to necessary ports, preventing direct public exposure of internal application servers like ActiveMQ.
  3. **Monitoring:** Enhance logging and monitoring specifically for unusual process execution originating from known application services (e.g., Java processes running ActiveMQ).
  4. **Tool Usage Audit:** Be aware that sophisticated threat actors utilize publicly available tools (like those found on GitHub) for defense evasion, necessitating controls over tool execution environments.
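The monitoring recommendation above and the behavioral indicators section describe the same detection opportunity: child processes of the ActiveMQ Java service that create accounts, change the administrators group or start the FRP client. The following is an added example, not code from the original report; it assumes Sysmon-style process-creation fields (`Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`) and runs over constructed sample events.

```python
"""Tag follow-on activity spawned by the ActiveMQ Java service.

Added example, not the original report's code. It scans constructed
Sysmon-style process-creation events and flags children of a Java process
running ActiveMQ that launch shells, create accounts, change the admin
group or start frpc / CreateHiddenAccount.
"""
import re

NET_USER_ADD = re.compile(r"\bnet1?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
ADMIN_GROUP_ADD = re.compile(r"\bnet1?\s+localgroup\s+administrators\b.*\s/add\b", re.I)
TUNNEL_OR_HIDE_TOOL = re.compile(r"\bfrpc(\.exe)?\b|CreateHiddenAccount", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def is_activemq_child(event):
    # Scope to children of a Java process whose command line mentions ActiveMQ.
    parent = event.get("ParentImage", "").lower()
    return parent.endswith(("java.exe", "java")) and "activemq" in event.get("ParentCommandLine", "").lower()


def classify(event):
    """Return detection tags for one event; an empty list means nothing matched."""
    if not is_activemq_child(event):
        return []
    tags = []
    if event.get("Image", "").lower().endswith(SHELLS):
        tags.append("shell_from_activemq")
    cmd = event.get("CommandLine", "")
    m = NET_USER_ADD.search(cmd)
    if m:
        tags.append("account_creation")
        if m.group(1).endswith("$"):  # '$' suffix: the hidden-account naming seen in the report
            tags.append("hidden_account_name")
    if ADMIN_GROUP_ADD.search(cmd):
        tags.append("admin_group_change")
    if TUNNEL_OR_HIDE_TOOL.search(cmd):
        tags.append("tunnel_or_hiding_tool")
    return tags


def find_alerts(events):
    # Map ProcessId -> tags for every event that produced at least one tag.
    return {e["ProcessId"]: tags for e in events if (tags := classify(e))}


# Constructed sample events (not real telemetry); event 100 is a benign control.
JAVA = r"C:\Program Files\Java\jre\bin\java.exe"
AMQ_CMD = '"' + JAVA + '" -jar activemq.jar start'
SAMPLE_EVENTS = [
    {"ProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "CommandLine": "cmd /c net user alice Passw0rd! /add"},
    {"ProcessId": 101, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": JAVA, "ParentCommandLine": AMQ_CMD,
     "CommandLine": "cmd.exe /c net user Hell0$ Passw0rd! /add && net localgroup administrators Hell0$ /add"},
    {"ProcessId": 102, "Image": r"C:\Users\Public\frpc.exe", "ParentImage": JAVA, "ParentCommandLine": AMQ_CMD,
     "CommandLine": "frpc.exe -c frpc.ini"},
]
```

Running `find_alerts(SAMPLE_EVENTS)` leaves the explorer-spawned control event untagged and reports the ActiveMQ-spawned account creation and frpc launch; on a Linux ActiveMQ host the same logic applies to auditd execve records with `useradd`/`usermod` patterns substituted.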