Dangerous Apache ActiveMQ Exploit Allows Stealthy EDR Bypass

There's no time to waste: For organizations on the fence about patching the critical bug in ActiveMQ, the new proof-of-concept exploit should push them towards action.

Drugstore aisle with boxes of Band-Aids
Source: Kristoffer Tripplaar via Alamy Stock Photo

A fresh proof-of-concept (PoC) exploit for a critical security vulnerability in Apache ActiveMQ is making it easier than ever to achieve remote code execution (RCE) on servers running the open source message broker — avoiding notice while doing so.

The max-severity bug (CVE-2023-46604, CVSS score of 10) allows unauthenticated threat actors to run arbitrary shell commands, and it was patched by Apache late last month. Nonetheless, thousands of organizations remain vulnerable, a state of affairs that the HelloKitty ransomware gang and others have taken full advantage of.

While attacks have so far relied on a public PoC released shortly after the flaw's disclosure, researchers at VulnCheck said this week that they've engineered a more elegant exploit — one that cuts down on intruder noise by launching attacks from memory.

"That means the threat actors could have avoided dropping their tools to disk," according to VulnCheck's post detailing the new ActiveMQ exploit. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory-resident, perhaps avoiding detection from … managed [endpoint detection and response] EDR teams."

New ActiveMQ Exploit: Enabling a Silent Stalker

While attackers would need to delete any incriminating log messages in the activemq.log to fully cover their tracks, the VulnCheck PoC is still a significant improvement when it comes to making any attacks against the vulnerability stealthier, according to Matt Kiely, principal security researcher at Huntress.

"The proof of concept from VulnCheck is a marked evolution from the previous public PoCs, which generally relied on using the shell of the exploited system to execute code," he says, adding that the Huntress team confirmed that the new technique indeed works as advertised.

Further, "this specific attack is trivial to exploit if an attacker can access the vulnerable instance of ActiveMQ," he says, adding that more evolutions and improvements in exploit development are sure to come.

Thus, admins should be patching CVE-2023-46604 immediately, or removing the servers from the Internet. It's also important to be aware that the risk from an attack stretches well beyond ransomware, Kiely adds.

"Potential results of exploitation [include] techniques like account access removal, data destruction, defacement, resource hijacking, and many others," he explains. "Attackers may even elect to do nothing at all and simply wait on an exploited server to stage further attacks" — something, it should be noted, that the silent VulnCheck PoC can more easily enable.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights