What is the Attack?
Ransomware operators are targeting Internet-exposed servers running outdated, unpatched versions of Apache ActiveMQ by exploiting a recently fixed vulnerability, CVE-2023-46604. CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ's OpenWire transport connector (TCP port 61616 by default): attacker-supplied OpenWire data can cause the broker to instantiate arbitrary classes on its classpath, and no credentials are required because the flaw is reachable before authentication. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the ActiveMQ broker process.
What is the Vendor Solution?
Apache has released patches addressing CVE-2023-46604. The fixed releases are Apache ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3, together with the matching releases of the Legacy OpenWire Module; details are in the Apache ActiveMQ security advisory for CVE-2023-46604. Every earlier release in those lines, and every release before 5.15.16, is affected.
What FortiGuard Coverage is available?
FortiGuard Labs has released an Endpoint Vulnerability Signature, "Apache ActiveMQ CVE-2023-46604 Remote Code Execution Vulnerability", to detect vulnerable systems on customer networks, and is currently investigating IPS protection for CVE-2023-46604; this report will be updated once it is available.
If you are unable to patch Apache ActiveMQ, immediately remove the broker from Internet exposure: restrict the OpenWire port (TCP 61616 by default) and any other enabled transport connectors to trusted hosts and networks at the firewall. This does not remove the vulnerability, but it limits the attack surface to hosts that can already reach the broker, so it should be treated as a stopgap until the fixed release is deployed.
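The script below is an added example, not part of the original report and not FortiGuard's or Apache's own tooling. It shows one way to find exposed and unpatched brokers from the network: an ActiveMQ broker sends a WireFormatInfo frame on the OpenWire port as soon as a TCP connection is accepted, before any authentication, and that frame carries a ProviderVersion property. The script reads that frame, extracts the version and compares it against the fixed releases named in the Apache advisory. The frame-layout assumptions (4-byte big-endian length prefix, map keys written with Java's writeUTF, type tag 9 before a string value) follow ActiveMQ's OpenWire marshalling; the sample frame is constructed for testing, not a capture, and the host and port arguments are illustrative.

```python
"""Version check for the Apache ActiveMQ OpenWire listener (CVE-2023-46604).

Added example; assumes the OpenWire marshalling layout described in the lead-in.
"""
import re
import socket
import struct
import sys
from typing import Optional, Tuple

# Patch level at which each affected 5.x line received the fix (Apache advisory).
FIXED = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# Type tag that precedes a String value in an OpenWire primitive map.
STRING_TYPE = 9


def _utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF(): 2-byte big-endian length, then bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def parse_provider_version(frame: bytes) -> Optional[str]:
    """Return the ProviderVersion string from a raw WireFormatInfo frame, or None.

    Inside the broker's property map each entry is: writeUTF(key), one type-tag
    byte, then the value; for strings the tag is STRING_TYPE and the value is
    again writeUTF-encoded. Searching for the key bytes avoids having to parse
    the whole frame, which is what a banner-grabbing scanner does in practice.
    """
    key = b"ProviderVersion"
    idx = frame.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if len(frame) < pos + 3 or frame[pos] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", frame[pos + 1:pos + 3])
    value = frame[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """'5.18.2' -> (5, 18, 2); suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release predates the fix for its line, False if fixed, None if unparsable."""
    v = parse_version(version)
    if v is None:
        return None
    major, minor, patch = v
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Every release before the 5.15 line is affected; 5.19+ and 6.x releases
    # shipped after the fix (pre-release snapshots are not considered here).
    return (major, minor) < (5, 15)


def fetch_wireformat_info(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Connect to the OpenWire port and return the length-prefixed frame the broker
    sends unprompted; no credentials are sent or needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        if len(header) < 4:
            raise ConnectionError("no OpenWire length prefix received")
        (size,) = struct.unpack(">I", header)
        body = b""
        while len(body) < size:
            chunk = s.recv(size - len(body))
            if not chunk:
                break
            body += chunk
        return header + body


def build_sample_frame(version: str) -> bytes:
    """Constructed sample (not a real capture): a minimal WireFormatInfo-shaped
    frame whose property map carries ProviderName and ProviderVersion."""
    props = struct.pack(">I", 2)
    props += _utf("ProviderName") + bytes([STRING_TYPE]) + _utf("ActiveMQ")
    props += _utf("ProviderVersion") + bytes([STRING_TYPE]) + _utf(version)
    # command type 1 (WIREFORMAT_INFO), magic, wire version, properties-present flag, properties
    body = bytes([1]) + b"ActiveMQ" + struct.pack(">I", 12) + b"\x01" + struct.pack(">I", len(props)) + props
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # illustrative host
    ver = parse_provider_version(fetch_wireformat_info(target))
    print(f"{target}: ProviderVersion={ver} vulnerable={is_vulnerable(ver) if ver else 'unknown'}")
```

Run it against a broker as `python3 activemq_check.py broker.example.internal` (the host name is illustrative); a result of "unknown" means the listener did not present a WireFormatInfo frame, which usually means the port is not OpenWire or is already filtered. The version check is only as good as the banner, so treat a fixed version string as a hint, not as proof, until the host has been confirmed by the endpoint signature or by inspecting the installed release.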