“TellYouThePass” Ransomware Exploits Apache ActiveMQ Vulnerability in Recent Surge

The TellYouThePass ransomware is now targeting Internet-exposed Apache ActiveMQ servers through CVE-2023-46604, a critical remote code execution (RCE) vulnerability that was exploited as a zero-day before a fix was available.

The flaw, rated at the maximum CVSS score of 10.0, stems from unsafe deserialization in ActiveMQ's OpenWire protocol marshaller and lets an unauthenticated attacker who can reach the broker's OpenWire transport (TCP port 61616 by default) execute arbitrary shell commands on a vulnerable server. Although Apache released security updates on October 27 to address the vulnerability, cybersecurity firms Arctic Wolf and Huntress Labs found that it had already been exploited in the wild before the fix shipped.

Attackers had been abusing the flaw as a zero-day for more than two weeks before the patch, deploying the SparkRAT remote access trojan since at least October 10. According to the Shadowserver Foundation's threat monitoring service, over 9,200 Apache ActiveMQ servers are currently exposed online, of which more than 4,770 still run versions susceptible to CVE-2023-46604.

Given the central role Apache ActiveMQ plays as a message broker in enterprise environments, immediate action is recommended. Administrators are urged to patch all vulnerable systems promptly by upgrading to the fixed release for their branch: 5.15.16, 5.16.7, 5.17.6 or 5.18.3 (or later). Note that the fix is per branch, so a server running 5.17.0 is still vulnerable even though its version number is higher than 5.16.7.
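Because the fix landed on four separate 5.x branches, a naive "newer than X" comparison misclassifies hosts. The following Python script is an added example, not code from the article or from the Apache ActiveMQ project; it encodes the fixed versions named above (plus the Apache advisory's "everything before 5.15.16 is affected" rule for older branches), treats SNAPSHOT builds conservatively, and runs the check over a constructed inventory. The hostnames and versions in the sample inventory are made up for illustration.

```python
"""Per-branch version check for CVE-2023-46604 (Apache ActiveMQ OpenWire RCE).

The fix shipped on four separate 5.x branches, so a plain "is the version
newer than X" comparison gives wrong answers: 5.17.0 is newer than 5.16.7
yet still vulnerable. This added example encodes the fixed versions named in
the article and runs the check over a constructed inventory.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each 5.x branch, as listed in the article.
# Anything older on the same branch is affected.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Version:
    """Extract major.minor.patch; trailing qualifiers such as '-SNAPSHOT' are ignored here."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if this ActiveMQ 5.x version predates the fix on its own branch."""
    if "SNAPSHOT" in version.upper():
        # Assumption: a pre-release build of a fixed version may predate the
        # fix commit, so treat it as vulnerable until proven otherwise.
        return True
    v = parse_version(version)
    major, minor, _ = v
    if major != 5:
        # Only the 5.x ranges from the advisory are encoded here; anything
        # else is out of scope for this check and must be reviewed manually.
        raise ValueError(f"version {version!r} is outside the 5.x ranges this check covers")
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is not None:
        return v < fixed
    if minor < 15:
        # Older branches never received a fix of their own: the advisory
        # lists everything "before 5.15.16" as affected.
        return True
    raise ValueError(f"branch 5.{minor} is not covered by this check")


def fix_target(version: str) -> str:
    """Lowest fixed release an affected host should move to (5.15.16 for pre-5.15 branches)."""
    major, minor, _ = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor), FIXED_BY_BRANCH[(5, 15)])
    return ".".join(str(n) for n in fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need the CVE-2023-46604 upgrade."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mq-prod-01.example.internal", "5.18.2"),
    ("mq-prod-02.example.internal", "5.18.3"),
    ("mq-legacy.example.internal", "5.15.15"),
    ("mq-staging.example.internal", "5.17.0"),
    ("mq-dev.example.internal", "5.16.7-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: ActiveMQ {ver} is affected by CVE-2023-46604, "
              f"upgrade to {fix_target(ver)} or later")
```

Feed it whatever your asset inventory or software bill of materials reports as the ActiveMQ version; the script deliberately raises on versions it does not understand rather than silently marking them safe.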

Within a week of Apache's patch release, cybersecurity firms reported attackers leveraging the vulnerability to deploy HelloKitty ransomware payloads, in attacks that began on October 27. The speed with which the flaw was picked up shows how quickly threat actors adapt once a fix, and with it the details of the bug, becomes public.

In a separate report, Arctic Wolf Labs disclosed that the same CVE-2023-46604 flaw is being actively exploited for initial access in attacks on Linux systems, where it is used to deploy TellYouThePass ransomware.

Researchers also identified overlaps between the HelloKitty and TellYouThePass attacks, including shared email addresses, infrastructure and bitcoin wallet addresses. They stressed the urgency of rapid remediation, given the range of threat actors and objectives behind in-the-wild exploitation of CVE-2023-46604.

TellYouThePass has a history of seizing on widely exploited flaws: the ransomware saw a sudden surge in activity after proof-of-concept exploits for Log4Shell (CVE-2021-44228) were released two years ago. It resurfaced in December 2021 as Golang-compiled malware, which extended its reach to Linux and macOS systems (though no macOS samples have yet been identified in the wild).

Immediate remediation of CVE-2023-46604 is the first step. Because the flaw was exploited as a zero-day since at least October 10, any ActiveMQ server that was reachable from the Internet before it was upgraded should be treated as potentially compromised and examined for signs of intrusion rather than assumed clean once patched. Ongoing monitoring of these systems for emerging threats remains essential. As an added layer of defense, organizations may also consider deploying advanced cybersecurity solutions, such as Protergo's suite, to bolster their defenses against evolving threats; Protergo's solutions are designed to help safeguard against ransomware, malware and other malicious activity.