The AhnLab Security Intelligence Response Center (ASEC) has reported a surge in malicious activity exploiting a critical vulnerability in Apache ActiveMQ to deploy Mauri ransomware.
The vulnerability (CVE-2023-46604) enables attackers to execute arbitrary commands on unpatched servers. It stems from insecure input validation when processing serialized data in the OpenWire protocol, which allows a remote attacker to pass specially crafted data to the application and execute arbitrary code on the target system.
ASEC’s investigation revealed that several threat actors, including the operators of Andariel, HelloKitty ransomware, and now Mauri ransomware, are exploiting CVE-2023-46604.
Beyond ransomware deployment, attackers have been observed installing malicious tools like CoinMiners, AnyDesk, and the z0Miner malware on compromised servers.
In the case of Mauri ransomware attacks, the infection begins with the exploitation of CVE-2023-46604. Once attackers gain access, they install the ransomware, which encrypts files using AES-256 CTR encryption. Victims’ files are appended with the .locked extension, and ransom notes labeled “READ_TO_DECRYPT.html” or “FILES_ENCRYPTED.html” are left behind.
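A triage check for those on-disk artefacts, added here as an example and not taken from the ASEC report: it walks a directory tree for `.locked` files and the two ransom-note names and flags any directory that holds both. The directory layout it builds is constructed sample data.

```python
"""Triage helper for the on-disk artefacts the report attributes to Mauri
ransomware: ".locked" files and the two ransom-note names. Example code."""
import os
import tempfile
from typing import Dict, List

LOCKED_SUFFIX = ".locked"                                            # from the report
RANSOM_NOTE_NAMES = {"READ_TO_DECRYPT.html", "FILES_ENCRYPTED.html"}  # from the report


def scan_for_mauri_artifacts(root: str) -> Dict[str, object]:
    """Walk `root` and collect indicators. A directory holding both encrypted
    files and a ransom note is the strongest signal and is reported separately."""
    encrypted: List[str] = []
    notes: List[str] = []
    dirs_locked, dirs_note = set(), set()
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(LOCKED_SUFFIX):
                encrypted.append(path)
                dirs_locked.add(dirpath)
            elif name in RANSOM_NOTE_NAMES:
                notes.append(path)
                dirs_note.add(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "hit_dirs": sorted(dirs_locked & dirs_note),
        "suspected_infection": bool(encrypted and notes),
    }


def build_sample_tree() -> str:
    """Constructed test data: a temp tree with one hit directory and one clean one."""
    base = tempfile.mkdtemp(prefix="mauri_demo_")
    hit = os.path.join(base, "var", "data")
    clean = os.path.join(base, "opt", "activemq", "conf")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("orders.db.locked", "backup.tar.locked", "READ_TO_DECRYPT.html"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "activemq.xml"), "w").close()  # benign config file
    return base


if __name__ == "__main__":
    result = scan_for_mauri_artifacts(build_sample_tree())
    print(f"suspected infection: {result['suspected_infection']}")
    for d in result["hit_dirs"]:
        print("  encrypted files + ransom note in", d)
```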
Although the source code of Mauri ransomware is publicly available for research purposes, attackers have customized it for their campaigns.
Threat actors leveraging the Apache ActiveMQ flaw employ multiple techniques to maintain long-term access to and control over infected systems. These include backdoor accounts, Remote Access Trojans (RATs) such as Quasar RAT, and proxies such as Fast Reverse Proxy (FRP), which are used to expose compromised systems hidden behind NAT or firewalls and so enable remote connections to their RDP services.
Accordingly, system administrators are advised to ensure that their Apache ActiveMQ deployments are fully patched to prevent attacks that exploit known security flaws.