Threat actors are actively exploiting CVE-2023-46604, a vulnerability in Apache ActiveMQ, to install CoinMiners and to deploy Mauri ransomware, primarily against Korean systems; servers that remain unpatched stay exposed to these attacks.
CVE-2023-46604 allows remote code execution on unpatched Apache ActiveMQ servers: an attacker manipulates the serialized class type in an OpenWire protocol packet so that the server instantiates a class that loads a malicious class configuration from an attacker-supplied external URL.
Since its disclosure the vulnerability has been actively exploited by threat actors including Andariel and HelloKitty, as well as by operators deploying Cobalt Strike, against unpatched systems in Korea, where tools such as Ladon, Netcat, AnyDesk, and z0Miner have been used to compromise vulnerable systems.
The CoinMiner attackers exploited the Apache ActiveMQ vulnerability to install Frpc malware; the activity is potentially linked to the Mauri ransomware group and relied on the vulnerable ActiveMQ process to execute the malicious code.
The compromised server, which hosted both malware and legitimate tools, was breached through a vulnerable Apache ActiveMQ process that loaded a malicious XML configuration file from a remote server, giving the attacker the ability to execute arbitrary commands remotely.
The threat actor uses a sequence of XML files to establish persistence: adding a backdoor account, enabling RDP access, and deploying Frpc so the system can be controlled remotely even though it sits inside a private network.
Abusing the ActiveMQ vulnerability, the attackers use the CreateHiddenAccount tool (potentially of Chinese origin) to add and conceal a backdoor account named “Hell0$”; the tool and a setup script are delivered together in a downloaded “user.zip” archive.
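The persistence steps just described (a concealed local account, elevation to Administrators, RDP switched on) each leave a Windows Security event behind. The triage script below is an added example, not code from the article or from ASEC: it scans a handful of constructed, flattened event records (EventID plus key=value fields, a layout made up here for readability) and flags the pattern. The field names match the real 4720/4732/4657 events, but the lines themselves, the host name SRV01 and the user jdoe are invented; only the account name "Hell0$" is taken from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records. Real exports would come from wevtutil, Sysmon or a
# SIEM; the flattened "EventID=... key=value ..." form is invented for this example.
SAMPLE_EVENTS = [
    'EventID=4720 SubjectUserName=SYSTEM TargetUserName=Hell0$ TargetDomainName=SRV01',
    'EventID=4732 SubjectUserName=SYSTEM MemberName="SRV01\\Hell0$" '
    'TargetUserName=Administrators TargetSid=S-1-5-32-544',
    'EventID=4657 ObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    'ObjectValueName=fDenyTSConnections OldValue=1 NewValue=0',
    # Benign noise: an ordinary user created by an admin, and a computer account (4741, not 4720).
    'EventID=4720 SubjectUserName=Administrator TargetUserName=jdoe TargetDomainName=SRV01',
    'EventID=4741 SubjectUserName=SYSTEM TargetUserName=WS-LAB02$ TargetDomainName=CORP',
]

# key=value pairs, with double quotes allowed around values that contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group


def parse_record(line: str) -> Dict[str, str]:
    """Turn one flattened record into a field dictionary."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_hidden_style_account(name: str) -> bool:
    """A trailing '$' keeps a local user out of 'net user' output. Legitimate
    computer accounts also end in '$', but those are created under event 4741,
    so a 4720 (user account created) with this suffix is worth a look."""
    return name.endswith("$")


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (event_id, reason) findings for the hidden-account / RDP pattern."""
    findings: List[Tuple[int, str]] = []
    suspicious_accounts = set()
    for line in lines:
        rec = parse_record(line)
        eid = int(rec.get("EventID", "0"))
        if eid == 4720 and is_hidden_style_account(rec.get("TargetUserName", "")):
            name = rec["TargetUserName"]
            suspicious_accounts.add(name.lower())
            findings.append((eid, f"user account created with '$' suffix: {name}"))
        elif eid == 4732 and rec.get("TargetSid") == ADMINISTRATORS_SID:
            # MemberName is DOMAIN\user; compare only the account part.
            member = rec.get("MemberName", "").split("\\")[-1]
            if is_hidden_style_account(member) or member.lower() in suspicious_accounts:
                findings.append((eid, f"'$'-suffixed account added to Administrators: {member}"))
        elif (eid == 4657
              and rec.get("ObjectValueName", "").lower() == "fdenytsconnections"
              and rec.get("NewValue") == "0"):
            # fDenyTSConnections=0 under Control\Terminal Server turns Remote Desktop on.
            findings.append((eid, "RDP enabled via fDenyTSConnections=0"))
    return findings


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {reason}")
```

Registry-value auditing (4657) only fires when a SACL is set on the Terminal Server key, so on hosts without that auditing the RDP step has to be confirmed from the registry itself or from Sysmon event 13.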
Quasar RAT, a .NET-based open-source RAT, compromises systems to steal sensitive information like keystrokes and credentials, executes remote commands, and establishes remote desktop control, enabling malicious actors to manipulate infected machines.
The attacker leveraged the ActiveMQ vulnerability to deploy Frpc on compromised systems; acting as a reverse proxy, Frpc exposes internal services to remote access, potentially facilitating further attacks and data exfiltration.
Using Frpc, the attackers tunnel the infected system's RDP port to a compromised system in Korea, potentially allowing remote access to the infected system through the backdoor accounts.
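When an Frpc client turns up on a host, its configuration file states exactly which local services are being tunnelled and to which server. The script below is an added example (not code from the article or from ASEC) that parses the classic `frpc.ini` layout with a `[common]` section plus one section per proxied service, and reports which sensitive local ports would be reachable on the remote frp server. The configuration text, the 203.0.113.10 server address and the token value are constructed for the example; newer frp releases use a TOML file instead, which this parser does not cover.

```python
import configparser
from dataclasses import dataclass
from typing import List

# Constructed frpc.ini: an RDP tunnel like the one described in the article, plus
# a second tunnel exposing the ActiveMQ web console. Addresses are documentation-range.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = placeholder-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6389

[console]
type = tcp
local_ip = 127.0.0.1
local_port = 8161
remote_port = 18161
"""

# Local ports whose exposure through a reverse tunnel deserves an alert.
SENSITIVE_PORTS = {
    3389: "RDP",
    445: "SMB",
    22: "SSH",
    5985: "WinRM",
    8161: "ActiveMQ web console",
}


@dataclass
class Tunnel:
    name: str
    proto: str
    local_ip: str
    local_port: int
    remote_port: int


@dataclass
class FrpcReport:
    server: str            # "host:port" of the frp server the client dials out to
    tunnels: List[Tunnel]


def parse_frpc_ini(text: str) -> FrpcReport:
    """Parse the ini-style frpc configuration into a structured report."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp["common"] if cp.has_section("common") else {}
    server = f"{common.get('server_addr', '?')}:{common.get('server_port', '7000')}"
    tunnels = []
    for section in cp.sections():
        if section == "common":
            continue
        sec = cp[section]
        tunnels.append(Tunnel(
            name=section,
            proto=sec.get("type", "tcp"),
            local_ip=sec.get("local_ip", "127.0.0.1"),
            local_port=sec.getint("local_port", fallback=0),
            remote_port=sec.getint("remote_port", fallback=0),
        ))
    return FrpcReport(server=server, tunnels=tunnels)


def exposed_sensitive(report: FrpcReport) -> List[Tunnel]:
    """Tunnels that publish one of the sensitive local ports on the frp server."""
    return [t for t in report.tunnels if t.local_port in SENSITIVE_PORTS]


def describe(report: FrpcReport) -> List[str]:
    """Human-readable lines, one per sensitive tunnel."""
    return [
        f"{SENSITIVE_PORTS[t.local_port]} ({t.local_ip}:{t.local_port}) reachable at "
        f"{report.server.split(':')[0]}:{t.remote_port} via tunnel '{t.name}'"
        for t in exposed_sensitive(report)
    ]


if __name__ == "__main__":
    for line in describe(parse_frpc_ini(SAMPLE_FRPC_INI)):
        print(line)
```

The `server_addr` value is the one artefact to pivot on: the frp server is the attacker-controlled (or, as in this case, compromised) host, and outbound connections to it on `server_port` are what network telemetry will show.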
According to ASEC, Mauri ransomware, whose source code is publicly available, is being used by threat actors such as Mimo to launch attacks. While no confirmed attacks have been reported, the accessibility of the code makes misuse a real possibility.
The sample may still be in a testing phase: it uses a localhost C&C server and a custom server program, yet its wallet, Telegram, and encryption settings have been altered, which indicates it is being configured for live attacks.
Vulnerable Apache ActiveMQ versions are being exploited by threat actors to install cryptocurrency miners or malware, potentially leading to data theft and ransomware attacks. System administrators must promptly patch their ActiveMQ services to mitigate these risks.
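Patching starts with knowing which installations are still on an affected release. The helper below is an added example, not code from the article or from ASEC: it extracts an Apache ActiveMQ version from a jar name or banner string and compares it against the fix versions Apache published for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3). The sample banner strings are constructed; the fix versions are the advisory's.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release of each supported minor line, per the Apache advisory.
# Older lines (5.14 and below) never received a fix, so anything below 5.15.16
# is treated as affected; later lines (5.19+, 6.x) shipped after the fix.
FIXED: dict = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIX: Version = (5, 15, 16)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull MAJOR.MINOR.PATCH out of e.g. 'activemq-broker-5.17.2.jar'.
    Returns None when the string carries no version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True when the release predates the CVE-2023-46604 fix for its minor line."""
    line = (version[0], version[1])
    if line in FIXED:
        return version < FIXED[line]
    return version < OLDEST_FIX


def triage(banners: List[str]) -> List[Tuple[str, str]]:
    """Classify each banner as 'vulnerable', 'patched' or 'unknown'."""
    results = []
    for banner in banners:
        version = parse_version(banner)
        if version is None:
            status = "unknown"
        else:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        results.append((banner, status))
    return results


# Constructed inventory lines, such as you might collect from jar listings or
# the broker's startup log.
SAMPLE_BANNERS = [
    "activemq-broker-5.17.2.jar",
    "Apache ActiveMQ 5.18.3",
    "apache-activemq-5.15.15",
    "activemq-all-5.16.7.jar",
    "ActiveMQ 6.0.0",
    "activemq (version not recorded)",
]

if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS):
        print(f"{status:10s} {banner}")
```

A 5.x minor line not listed in `FIXED` is judged purely by the tuple comparison against 5.15.16, which is the right answer for 5.14 and below (always affected) and for 5.19 and later (released after the fix).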