10 December 2024

Threat actors exploiting Apache ActiveMQ flaw to deploy Mauri ransomware


The AhnLab Security Intelligence Response Center (ASEC) has reported a surge in malicious activity exploiting a critical vulnerability in Apache ActiveMQ to deploy Mauri ransomware.

The vulnerability (CVE-2023-46604) enables attackers to execute arbitrary commands on unpatched servers. The vulnerability stems from insecure input validation when processing serialized data in the OpenWire protocol. It allows a remote attacker to pass specially crafted data to the application and execute arbitrary code on the target system.

ASEC’s investigation revealed that several threat actors, including the operators of Andariel, HelloKitty ransomware, and now Mauri ransomware, are exploiting CVE-2023-46604.

Beyond ransomware deployment, attackers have been observed installing malicious tools like CoinMiners, AnyDesk, and the z0Miner malware on compromised servers.

In the case of Mauri ransomware attacks, the infection begins with the exploitation of CVE-2023-46604. Once attackers gain access, they install the ransomware, which encrypts files using AES-256 CTR encryption. Victims’ files are appended with the .locked extension, and ransom notes labeled “READ_TO_DECRYPT.html” or “FILES_ENCRYPTED.html” are left behind.
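The following script is an added example for defenders and is not code from the ASEC report or from the ransomware itself. It walks a directory tree and flags the two file-level indicators the report names (the .locked extension and ransom notes called READ_TO_DECRYPT.html or FILES_ENCRYPTED.html), reporting directories where both appear together so that a note left in one share is not confused with an actual encryption run. The sample directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the ASEC report): scan a file tree for the
Mauri ransomware artifacts named in the article. The indicators come
from the report; every path and sample file below is constructed."""

import os
import tempfile
from pathlib import Path

# Indicators taken from the report.
LOCKED_EXT = ".locked"
RANSOM_NOTES = {"READ_TO_DECRYPT.html", "FILES_ENCRYPTED.html"}


def scan_tree(root):
    """Walk `root` and summarise encrypted files and ransom notes.

    Returns a dict with the count of .locked files, the ransom notes
    found, the directories that hold both kinds of artifact, and a
    one-line verdict. Directories with a note but no .locked files are
    reported only through the note list, not as 'dirs_with_both'."""
    root = Path(root)
    locked = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name in RANSOM_NOTES:
                notes.append(path)
            elif name.endswith(LOCKED_EXT):
                locked.append(path)
    note_dirs = {str(p.parent) for p in notes}
    locked_dirs = {str(p.parent) for p in locked}
    verdict = (
        "likely Mauri ransomware activity" if notes and locked else "no indicators"
    )
    return {
        "locked_files": len(locked),
        "ransom_notes": sorted(str(p) for p in notes),
        "dirs_with_both": sorted(note_dirs & locked_dirs),
        "verdict": verdict,
    }


def build_sample_tree(include_indicators=True):
    """Create a constructed directory layout in a temp dir and return it.

    With include_indicators=True the 'finance' folder looks like a
    completed encryption run (two .locked files plus a note) and the
    'hr' folder holds only a stray note; with False the tree is clean."""
    base = Path(tempfile.mkdtemp(prefix="mauri_demo_"))
    (base / "finance").mkdir()
    (base / "hr").mkdir()
    files = {
        "README.txt": b"clean file",
        "hr/handbook.pdf": b"%PDF-1.4 constructed sample",
    }
    if include_indicators:
        files.update({
            "finance/q3.xlsx.locked": b"\x00" * 16,
            "finance/budget.docx.locked": b"\x00" * 16,
            "finance/READ_TO_DECRYPT.html": b"<html>constructed ransom note</html>",
            "hr/FILES_ENCRYPTED.html": b"<html>constructed ransom note</html>",
        })
    for rel, data in files.items():
        (base / rel).write_bytes(data)
    return base


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real share by calling `scan_tree("/path/to/share")`; the verdict is only a first-pass triage signal, and the per-directory breakdown is what tells you where to start the forensic image.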

Although the source code of Mauri ransomware is publicly available for research purposes, attackers have customized it for their campaigns.

Threat actors leveraging the Apache bug employ multiple techniques to maintain long-term access to and control over infected systems, including backdoor accounts, Remote Access Trojans (RATs) such as Quasar RAT, and proxies such as Fast Reverse Proxy (FRP), which are used to expose compromised systems hidden behind NAT or firewalls and enable remote connections to their RDP services.

Given this activity, system administrators are advised to confirm that their Apache ActiveMQ deployments are fully patched to prevent attacks that exploit known security flaws.

