Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)
Dec. 16, 2024, 2:33 p.m.
Description
Threat actors are exploiting the CVE-2023-46604 vulnerability in Apache ActiveMQ to attack Korean systems, in particular deploying Mauri ransomware. The vulnerability allows remote code execution on unpatched servers. Attackers use XML configuration files to add backdoor accounts, install remote access tools such as Quasar RAT, and set up proxies using Frpc. The Mauri ransomware, based on open-source code, was found on the attacker's server with customized configurations. While most cases aim at cryptocurrency mining, some involve taking control of the system and potential data theft. System administrators are urged to patch vulnerable Apache ActiveMQ versions and implement security measures to prevent such attacks.
Date
Published: Dec. 16, 2024, 12:45 p.m.
Created: Dec. 16, 2024, 12:45 p.m.
Modified: Dec. 16, 2024, 2:33 p.m.
Attack Patterns
Mauri Ransomware
Quasar RAT
CoinMiner
T1569.002
T1021.001
T1573
T1486
T1547
T1105
T1566
T1190
T1133
T1090
T1078
Additional Information
Korea, Democratic People's Republic of
Korea, Republic of