The Andariel threat group has been discovered installing malware via the exploitation of the Apache ActiveMQ remote code execution vulnerability classified as CVE-2023-46604.
The group is known to be either a subsidiary of Lazarus or in an active partnership with the Lazarus threat group. It primarily targets South Korean institutions and enterprises, which were initially detected in 2008.
Their primary targets are national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms.
Andariel Group Exploiting Apache ActiveMQ Vulnerability
A remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server, is identified as CVE-2023-46604.
A threat actor can remotely execute malicious commands and take over a system if an unpatched Apache ActiveMQ server is exposed externally.
Live API Attack Simulation Webinar
In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway
“The Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install NukeSped and TigerRat backdoors,” AhnLab Security Emergency Response Center (ASEC) said in a report shared with Cyber Security News.
NukeSped, a backdoor that the group has previously used, is found to be installed in a certain system. The malware can take control of the infected system by sending commands to the C&C server. The Lazarus and Andariel groups typically use this to take control of compromised systems.
Only three commands are supported by the NukeSped version that was utilized in the most recent attacks: downloading files, executing commands, and terminating running processes.
“During the initial communication with the C&C server, the POST method was used, but a GET method disguised as being for visiting Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages,” researchers said.
Similar to normal NukeSped backdoors, auto-deletion is carried out via a batch file when an improper connection to the C&C server is made.
In addition to these well-known attacks, the Stager installation logs for CobaltStrike and Metasploit Meterpreter were discovered.
Because of this, researchers claim that even though the CVE-2023-46604 vulnerability has only recently come to light, unpatched systems are already the focus of multiple attacks in a short amount of time.
Recommendation
Users must be cautious when opening email attachments and downloading executable files from unidentified sources. Corporate security staff should improve asset management software and install updates if any security holes exist.
For added protection against malware infections, users should upgrade V3 to the most recent version and apply the most recent patches for their operating systems and applications, including web browsers.
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.