Hackers Infect Linux Machines with Rootkits via Apache ActiveMQ Vulnerability
Apache ActiveMQ is a Java-based open-source message broker that allows distributed applications to exchange messages.
It uses the JMS API to provide a dependable messaging platform for sharing data across systems written in diverse programming languages.
It supports the following messaging protocols and APIs:
STOMP
Jakarta Messaging (JMS)
OpenWire
Trend Micro researchers recently revealed that the Apache ActiveMQ vulnerability (CVE-2023-46604) was actively exploited to infect Linux systems with Kinsing malware. The vulnerability leads to remote code execution (RCE) because the Throwable class type carried in OpenWire commands is not validated.
Hackers Infect Linux Machines
Kinsing malware rapidly spreads across a network by infiltrating servers, and it primarily targets Linux systems by exploiting vulnerable web apps or containers that are misconfigured.
Besides this, Kinsing actors exploit CVE-2023-4911 (Looney Tunables) to deploy cryptocurrency-mining scripts, damaging infrastructure and causing performance decline on infected systems.
OpenWire, ActiveMQ's native wire protocol, is built for high-performance communication, which is critical in business deployments. The patch diff reveals the addition of a validateIsThrowable function in the BaseDataStreamMarshaller class.
If the marshaller does not check that the class type it is about to deserialize is a Throwable, an unexpected class can be instantiated and executed, which is what creates the RCE vulnerability.
The Throwable class type must therefore be validated consistently before instantiation in order to avoid this security issue.
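To make the check concrete, here is an added example (not code from the article or from ActiveMQ itself) in Java, the language the OpenWire marshaller is written in. It models a marshaller that reads a class name and a message from a frame and reflectively constructs the object; the `validateIsThrowable` helper is modelled on the function the article names but is written here from scratch, and the frame layout, the `unmarshalThrowable` and `frame` helpers, and the class names used as input are all assumptions constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.lang.reflect.Constructor;

public class ThrowableMarshallerDemo {

    // Hardening check modelled on the validateIsThrowable function the article
    // describes: the class named in the stream must be assignable to Throwable
    // before anything is constructed from it. (Added example, not ActiveMQ code.)
    static void validateIsThrowable(Class<?> clazz) {
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                "Class " + clazz.getName() + " is not assignable to Throwable");
        }
    }

    // Reads a constructed frame "<className UTF><message UTF>" the way a marshaller
    // reads a serialized exception, then reflectively builds the object through its
    // (String) constructor. validate=false is the unvalidated pattern; validate=true
    // is the hardened one. Class.forName is called with initialize=false so that no
    // static initializer runs merely because a name was looked up.
    static Object unmarshalThrowable(byte[] frame, boolean validate) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame));
        String className = in.readUTF();
        String message = in.readUTF();
        Class<?> clazz = Class.forName(className, false,
                ThrowableMarshallerDemo.class.getClassLoader());
        if (validate) {
            validateIsThrowable(clazz);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Builds a constructed frame: class name followed by a message string.
    static byte[] frame(String className, String message) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeUTF(className);
        out.writeUTF(message);
        out.flush();
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one genuine exception type, one unrelated class that
        // happens to have a (String) constructor.
        byte[] legit = frame("java.io.IOException", "broker unavailable");
        byte[] bogus = frame("java.lang.StringBuilder", "not an exception");

        // A real exception type passes with validation enabled.
        System.out.println(unmarshalThrowable(legit, true).getClass().getName());

        // Unvalidated: whatever class the frame names gets instantiated.
        System.out.println(unmarshalThrowable(bogus, false).getClass().getName());

        // Hardened: the same frame is rejected before any object is created.
        try {
            unmarshalThrowable(bogus, true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the design is that the type check sits between class lookup and construction: once `newInstance` runs, the marshaller has already handed control to whatever the remote side named, so a type allowlist (here, "must be a Throwable") is the only place to stop an unexpected class from being built.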
In November, threat actors including the HelloKitty ransomware group were reported to be actively exploiting CVE-2023-46604. Overall detections remained low despite the CVSS score of 9.8, even though proof-of-concept exploits were available for:
Metasploit
Nuclei
Using the ProcessBuilder method, the Kinsing malware exploits CVE-2023-46604 and then downloads the cryptocurrency miners and malware.
Then, for a full system compromise, it actively hunts down and kills rival miners and ensures persistence through cron jobs and a rootkit loaded via /etc/ld.so.preload.
Flaw profile
CVE ID: CVE-2023-46604
Description: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
Base Score: 9.8
Severity: Critical
NVD Published Date: 10/27/2023
NVD Last Modified: 11/20/2023
Source: Apache Software Foundation
Affected ActiveMQ versions
The affected ActiveMQ versions are:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
The widespread exploitation of CVE-2023-46604, notably by Kinsing malware, poses a significant global security risk.
That is why Apache ActiveMQ users need to act urgently to patch and mitigate Kinsing threats. As mitigations, and as part of a robust cybersecurity strategy, researchers recommended:
Regular patching
Configuration audits
Network monitoring