Media Coverage

Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day. The flaw, tracked as CVE-2023-46604, is a maximum severity bug in the ActiveMQ scalable open-source message broker that enables unauthenticated attackers to execute arbitrary shell commands on vulnerable servers. According to data from the threat monitoring service ShadowServer, there are currently more than 9,200 Apache ActiveMQ servers exposed online, with over 4,770 vulnerable to CVE-2023-46604 exploits.

Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims’ files using Cerber ransomware. Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software. According to data from threat monitoring service ShadowServer, there are currently more than 24,000 Confluence instances exposed online, although there’s no way to tell how many are vulnerable to CVE-2023-22518 attacks.

Zero-day bugs affecting products from Citrix and Apache have recently been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerability (KEV) list. A vulnerability dubbed ‘Citrix Bleed’ is being exploited in attacks on government organizations as well as companies in the professional services and technology industries. The vulnerability allows hackers to gain access to sensitive information, according to a security bulletin from Citrix. The research tool ShadowServer shows that thousands of instances where the tool is used are still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone.

Proof of concept (PoC) exploit code for a critical vulnerability that Atlassian disclosed in its Confluence Data Center and Server technology has become publicly available, heightening the need for organizations using the collaboration platform to immediately apply the company’s fix for it. ShadowServer, which monitors the Internet for malicious activity, on Nov. 3 reported that it observed attempts to exploit the Atlassian vulnerability from at least 36 unique IP addresses over the last 24 hours. ShadowServer described the increasing exploit activity as involving attempts to upload files and set up or to restore vulnerable Internet accessible Confluence instances. “We see around 24K exposed (not necessarily vulnerable),” Atlassian Confluence instances ShadowServer said.

A recently patched vulnerability affecting the Apache ActiveMQ message broker is being exploited by cybercriminals in an apparent attempt to deliver ransomware.  Apache ActiveMQ is described as the “most popular open source, multi-protocol, Java-based message broker”. Several 5.x.x versions of the product, as well as the Apache ActiveMQ Legacy OpenWire Module, are affected by CVE-2023-46604, a security hole that can be exploited for remote code execution. On October 30, the Shadowserver Foundation reported seeing over 7,000 internet-exposed ActiveMQ instances, including roughly 3,300 that had been vulnerable to attacks exploiting CVE-2023-46604.

Researchers have reported suspected exploitation activity related to a recently disclosed security vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604. This vulnerability, with a maximum CVSS score of 10.0, can potentially lead to remote code execution (RCE) attacks.CVE-2023-46604 allows remote attackers with network access to a broker to execute arbitrary shell commands. This is achieved by exploiting serialized class types within the OpenWire protocol, which, in turn, leads to the broker instantiating any class available on the classpath. Shadowserver has identified 7,249 servers with accessible ActiveMQ services. Among them, 3,329 servers were running a version vulnerable to CVE-2023-46604.

The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots. Mozi is an Internet of Things (IoT) botnet that emerged from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it’s known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access.

Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability.The flaw in question is CVE-2023-46604, a critical severity (CVSS v3 score: 10.0) RCE allowing attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol. Researchers from threat monitoring service ShadowServer found 7,249 servers accessible with ActiveMQ services. Of those, 3,329 were found to run an ActiveMQ version vulnerable to CVE-2023-46604, with all of these servers vulnerable to remote code execution.

Citrix Bleed, the critical information-disclosure bug that affects NetScaler ADC and NetScaler Gateway, is now under “mass exploitation,” as thousands of Citrix NetScaler instances remain vulnerable, according to security teams.

As of October 30, Shadowserver spotted just over 5,000 vulnerable servers on the public internet. And in the past week, GreyNoise observed 137 individual IP addresses attempting to exploit this Citrix vulnerability. The vulnerability allows attackers to access a device’s memory, and in that RAM find session tokens that miscreants can then extract and use to impersonate an authenticated user. Thus even if the hole is patched, copied tokens will remain valid unless further steps are taken.

On August 29, 2023, the U.S. Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) teamed up with France, Germany, the Netherlands, Romania, and Latvia to launch a multinational operation to dismantle the Qakbot malware botnet (Operation Duck Hunt). According to a report published by the non-profit organization The Shadowserver Foundation on devices infected with Qakbot from July 2019 to August 2023, approximately 40,000 devices were confirmed in Japan .