Headline
Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw
By Deeba Ahmed Patches for all affected versions of Apache ActiveMQ have been released, and clients are strongly advised to upgrade their systems. This is a post from HackRead.com Read the original post: Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw
Active since 2020, the resurgence of the Kinsing malware poses a significant threat to Linux-based systems, infiltrating servers and rapidly spreading across networks.
Cybersecurity researchers at Trend Micro have identified cybercriminals exploiting a critical vulnerability in Apache ActiveMQ (CVE-2023-46604) to infect Linux systems with the Kinsing malware (also known as h2miner). This vulnerability enables attackers to execute arbitrary code on affected systems, installing cryptocurrency miners and rootkits.
****What is Kinsing Malware?****
The Kinsing malware poses a significant threat to Linux-based systems, infiltrating servers and rapidly spreading across networks. It exploits vulnerabilities in web applications or misconfigured container environments to gain access, specifically targeting Linux systems. Its primary objectives include cryptocurrency mining, such as Bitcoin, and establishing persistence on the infected host.
Interestingly, the malware detects and eradicates competing cryptocurrency miners, targeting processes, active network connections, and crontabs that exploit vulnerabilities like WebLogic or Log4Shell. This strategic approach allows the malware to gain complete control of the system’s resources.
Furthermore, it ensures persistence by adding a cronjob to download and execute its malicious bootstrap script every minute, ensuring the latest malicious Kinsing binary is consistently available on the infected host.
“Kinsing doubles down on its persistence and compromise by loading its rootkit in /etc/ld.so.preload, which completes a full system compromise,” researchers noted.
Recently, attackers using Kinsing malware have utilized high-profile vulnerabilities like CVE-2023-4911 (Looney Tunables).
Image: Trend Micro
****About the Vulnerability****
Since early November 2023, Trend Micro researchers observed that CVE-2023-46604 is being exploited. It is a critical severity vulnerability assigned a CVSS score of 9.8. The vulnerability stems from OpenWire commands failing to validate throwable class type, thus enabling RCE.
“When the marshaller fails to validate the class type of a Throwable, it inadvertently allows the creation and execution of instances of any class. This opens the door to remote code execution (RCE) vulnerabilities, enabling attackers to execute arbitrary code on the affected server or application,” Trend Micro researchers explained in a blog post.
Apache ActiveMQ is a popular open-source message and integration platform written in Java. It implements message-oriented middleware (MOM) and facilitates communication between different applications. It offers different features, including OpenWire, STOMP, and Jakarta Messaging (JMS). OpenWire is a binary protocol designed for MOM and serves as the native wire format for ActiveMQ. It offers several benefits, such as bandwidth efficiency and support for various message types.
****How Does the Attack Work?****
The Kinsing malware exploits the CVE-2023-46604 vulnerability discovered in Apache ActiveMQ, which enables remote code execution (RCE). The vulnerability allows attackers to execute arbitrary code on the impacted system. After gaining access to the vulnerable server and executing the Kinsing binary, it becomes possible to install rootkits and cryptominers, steal sensitive data, disrupt operations, and install malware.
****Impacted versions****
Apache ActiveMQ versions 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, and 5.16.0 before 5.16.5 are vulnerable to this attack. Apache ActiveMQ has released patches for all affected versions. Users are advised to update their ActiveMQ installations as soon as possible. In addition, keep OpenWire disabled if not required, restrict access to ActiveMQ management interfaces and isolate ActiveMQ deployments through network segmentation to stay protected.
Ken Dunham, Director of Cyber Threat at Foster City, Calif.-based Qualys, a disruptive cloud-based IT, security and compliance solutions provider, shared with Hackread.com that there’s a dire need for proper configuration of the cloud platform.
“The main takeaway I get here is around how the cloud is rarely configured properly and malware is exploiting that. We don’t want to allow malware like this to be proof of poor configurations and lack of security in our systems, especially around lateral movement tools, tactics and procedures (TTPs) used by the group.”
Dunham noted that Kinsing has been a significant threat since 2020.
“Kinsing has successfully preyed upon poorly authenticated and configured cloud Docker containers dating back to 2020, then performing lateral movement attempts leveraging brute force attacks,“ Dunham explained.
Irfan Asrar, Director, of Malware and Threat Research at Qualys, told Hackread.com that researchers have discovered a major gap in the cloud.
“This discovery highlights a major gap in the cloud not commonly defended against; most web apps/cloud infrastructure are not scanning for malware in their cloud infrastructure, mostly just attempting to screen web traffic, which allows the Kinsing malware to take advantage and gain persistency. I see this gap being taken advantage of in the future by other groups.”
****RELATED ARTICLES****
- Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer
- Microsoft Azure Exploited to Create Undetectable Cryptominer
- Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool
- Golang malware infecting Windows, Linux servers with XMRig miner
- Nitrokod Crypto Miner Hiding in Fake Microsoft, Google Translate Apps
Related news
Ubuntu Security Notice 6910-1 - Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker could possibly use this issue to terminate the program, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. Peter Stoeckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS.
An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.
OX App Suite version 7.10.6 suffers from cross site scripting and deserialization vulnerabilities.
Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally
Red Hat Security Advisory 2024-0033-03 - An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.
Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution. The list of vulnerabilities is below - CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products CVE-2023-22522 (CVSS score
By Deeba Ahmed The ActiveMQ flaw has been patched, but despite this, numerous threat actors continue to exploit it. This is a post from HackRead.com Read the original post: Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat
The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign.
The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative
Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands. It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6,
This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.
Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7 said it observed the exploitation of CVE-2023-22518 and CVE-2023-22515 in multiple customer environments, some of which have been leveraged for the deployment of Cerber (aka C3RB3R) ransomware. Both vulnerabilities are critical, allowing threat
A remote code execution vulnerability in Apache ActiveMQ is being used by the HelloKItty ransomware group.
The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. "Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.
Red Hat Security Advisory 2023-5476-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow and privilege escalation vulnerabilities.
Red Hat Security Advisory 2023-5455-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow, privilege escalation, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-5453-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow, privilege escalation, and use-after-free vulnerabilities.
Gentoo Linux Security Advisory 202310-3 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.37-r7 are affected.
Ubuntu Security Notice 6409-1 - It was discovered that the GNU C Library incorrectly handled the GLIBC_TUNABLES environment variable. An attacker could possibly use this issue to perform a privilege escalation attack. It was discovered that the GNU C Library incorrectly handled certain DNS responses when the system was configured in no-aaaa mode. A remote attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service. This issue only affected Ubuntu 23.04.
Debian Linux Security Advisory 5514-1 - The Qualys Research Labs discovered a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. An attacker can exploit this flaw for privilege escalation.
A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library's ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges. Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader's processing of the GLIBC_TUNABLES
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.