Dangerous Apache ActiveMQ Exploit Enables Stealthy EDR Bypass
Organizations still hesitating over the critical ActiveMQ bug should procrastinate no further: the newly released proof-of-concept exploit should be the catalyst for them to act.
A new proof-of-concept (PoC) exploit for a critical vulnerability in Apache ActiveMQ makes remote code execution (RCE) attacks on systems running the open-source message broker both easier to carry out and harder to detect.
The flaw, tracked as CVE-2023-46604 and carrying the maximum CVSS score of 10, allows unauthenticated attackers to execute arbitrary shell commands. Although Apache released a patch last month, many organizations have yet to update, leaving them exposed to exploitation by groups such as the HelloKitty ransomware operators.
Initially, attackers leveraged a public PoC released soon after the vulnerability was disclosed. Researchers at VulnCheck have now developed a more sophisticated exploit that runs its payload directly from memory, significantly reducing the 'noise' typically associated with such intrusions.
"This approach means attackers can operate without writing their tools to the disk, potentially executing their encryptor using Nashorn or loading a class/JAR into memory, staying under the radar of detection from EDR (Endpoint Detection and Response) teams," the VulnCheck team explained in their analysis of the exploit.
**Implications of the New ActiveMQ Exploit**
The VulnCheck PoC is a major step forward in stealth for attacks exploiting this vulnerability. According to Matt Kiely, a principal security researcher at Huntress, attackers still need to erase traces from activemq.log to avoid detection completely, but the PoC substantially reduces how noticeable an attack is.
"The new technique validated by the Huntress team is a significant departure from earlier public PoCs, which typically relied on the system's shell to execute code," Kiely said. He warned that the attack is simple to execute for anyone who can reach a vulnerable ActiveMQ instance, and that further developments in exploit techniques are to be expected.
Administrators are urged to patch CVE-2023-46604 promptly or to disconnect affected servers from the Internet. Kiely emphasized that the risks of exploitation go far beyond ransomware and can include removal of account access, data destruction, defacement, resource hijacking, and more. Attackers might also choose to lie dormant on a compromised server and stage future attacks, a strategy that the more discreet VulnCheck PoC makes easier to sustain.
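The article points out that an attacker using the in-memory PoC still has to erase traces from activemq.log to stay fully hidden. The defender's counterpart is to watch that log for tampering rather than only for known attack strings. The following watcher is an added example written for this page; it is not code from the article, from VulnCheck, Huntress, or the ActiveMQ project. It assumes the log path is supplied by the operator and that normal rotation renames the file (a new inode), so an in-place shrink of the same inode is treated as suspicious. The sample log lines in the demo are constructed.

```python
"""Tamper watcher for the ActiveMQ broker log (added example, not project code).

Idea: an attacker who must scrub activemq.log will typically truncate or
delete it. Snapshot (inode, size) periodically and flag the cases that
normal appending never produces:
  - same inode but smaller size  -> in-place truncation
  - file gone                    -> deletion
A changed inode is reported as rotation, which is benign under rename-style
log rotation (an assumption; copytruncate-style rotation would need tuning).
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LogState:
    inode: int
    size: int


def snapshot(path: str) -> Optional[LogState]:
    """Return the current (inode, size) of the log, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return LogState(inode=st.st_ino, size=st.st_size)


def classify(prev: Optional[LogState], cur: Optional[LogState]) -> str:
    """Compare two snapshots and return a verdict string for the monitor."""
    if prev is None:
        return "baseline"
    if cur is None:
        return "ALERT: log removed"
    if cur.inode != prev.inode:
        return "INFO: log rotated (new inode)"
    if cur.size < prev.size:
        return "ALERT: log truncated (%d -> %d bytes)" % (prev.size, cur.size)
    return "ok"


def demo() -> List[str]:
    """Walk a throwaway activemq.log through append, rotate, truncate, delete.

    Returns the verdict list so the behaviour can be checked programmatically.
    Log lines below are constructed for the demo, not real broker output.
    """
    verdicts: List[str] = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "activemq.log")

        with open(path, "w") as f:
            f.write("INFO | Apache ActiveMQ started\n")
        s1 = snapshot(path)
        verdicts.append(classify(None, s1))          # first observation

        with open(path, "a") as f:                    # normal growth
            f.write("INFO | Listening for connections\n")
        s2 = snapshot(path)
        verdicts.append(classify(s1, s2))

        os.rename(path, path + ".1")                  # rename-style rotation
        with open(path, "w") as f:
            f.write("INFO | Apache ActiveMQ started\n")
        s3 = snapshot(path)
        verdicts.append(classify(s2, s3))

        with open(path, "w"):                         # in-place truncation
            pass
        s4 = snapshot(path)
        verdicts.append(classify(s3, s4))

        os.remove(path)                               # deletion
        verdicts.append(classify(s4, snapshot(path)))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

In production the snapshots would be taken on a timer (or from inotify) and the ALERT verdicts forwarded to a SIEM; since the whole point is that the attacker controls the host, the verdicts and the log itself should be shipped off-box so that erasing activemq.log locally does not also erase the evidence of the erasure.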