Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

November 21, 2023 at 05:12AM

Kinsing threat actors are using a critical security flaw in Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. The malware deploys a cryptocurrency mining script that utilizes the host’s resources, causing damage to infrastructure and system performance. The group adapts to new vulnerabilities and targets misconfigured containerized environments. Organizations should update to a patched version of Apache ActiveMQ to mitigate threats.

Key Takeaways:

1. The Kinsing threat actors are targeting vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits.
2. Once infected, Kinsing deploys a cryptocurrency mining script that utilizes the host’s resources for mining, resulting in infrastructure damage and system performance issues.
3. Kinsing has a history of targeting misconfigured containerized environments for cryptocurrency mining and adapts its tactics to exploit newly disclosed flaws in web applications.
4. The latest campaign exploits CVE-2023-46604, a critical vulnerability in Apache ActiveMQ that allows remote code execution and enables the download and installation of the Kinsing malware.
5. Kinsing further ensures persistence and compromise by loading its rootkit in /etc/ld.so.preload, completing a full system compromise.
6. Organizations running affected versions of Apache ActiveMQ are advised to update to a patched version promptly to mitigate potential threats.

Full Article