Threat actors actively targeted the Apache ActiveMQ vulnerability to get unauthorized access to messaging systems, leading to potential data breaches and system compromise.
Meanwhile, the Apache ActiveMQ vulnerability, which was tracked as “CVE-2023-46604,” can be exploited to disrupt communication, cause service outages, and deploy ransomware (HelloKitty) as well.
Cybersecurity researchers at Sekoia recently identified that the Kinsing Malware actively exploited this Apache ActiveMQ vulnerability (CVE-2023-46604) to attack the Linux server.
Apache ActiveMQ Vulnerability Exploited
This vulnerability was disclosed on October 27, 2023; it’s a severe OpenWire module vulnerability with a critical CVSS3 score of 9.8. This flaw allows unauthenticated attackers to execute code.
The flaw, rooted in deserialization validation lapses, particularly impacts ExceptionResponseMarshaller. Attackers can exploit it by creating a weaponized throwable class.
ClassPathXmlApplicationContext can be manipulated through a weaponized XML file, granting code execution. Metasploit and similar PoCs leverage this flaw.
Patches were released on October 28, 2023, urging updates to the following versions:-
- 5.15.16
- 5.16.7
- 5.17.6
- 5.18.3
If updating isn’t feasible, then make sure to block the OpenWire access from the Internet, as this will mitigate the risk.
Researchers deployed honeypots globally using ActiveMQ v5.17.5. Monitored host with Sekoia Linux agent and Suricata IDS.
Honeypots were active since 9 Nov 2023, and the first Kinsing intrusion was tracked on 11 Nov. Daily 2-3 Kinsing intrusions were recorded since 12 Nov, and the attacks were executed from the following two IP addresses:-
- 109.237.96[.]124
- 78.153.140[.]30
Actions Performed by Kinsing Malware
Here below, we have mentioned all the actions that are performed by the Kinsing malware:-
- Rootkit
- Remove competitors
- Download and execute
- Establish persistence
- Remove firewall rules
- Deletes competitors
- Sets up a crontab
Kinsing malware characteristics
Here below, we have mentioned all the characteristics of the Kinsing malware:-
- SHA256 hash: 787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
- Size: 5.69 MBytes
- File: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
- Compiler: Go1.17.13
Functions
The malware code contains over 60 functions, and below we have mentioned a few of them:-
- getActiveC2Url
- POST on /mu
- POST on /ki
- GET on /get
- massscan
- redisBrute
The cryptominer that is deployed is XMRig, and the UPX-packed with config details. Decompressed, it reveals a Monero wallet (46V5WXwS3gXfsgR7fgXeGP4KAXtQTXJfkicBoRSHXwGbhVzj1JXZRJRhbMrvhxvXvgbJuyV3GGWzD6JvVMuQwAXxLZmTWkb) and nanopool.org URL.
However, this wallet has been inactive since Nov 2019. The CTI Reports link this wallet to Kinsing, but it’s.
The numerous breaches highlight how important it is to apply security updates quickly and maintain strict control over weak points, particularly in dockerized services.