Kinsing Cyberattackers Target Apache ActiveMQ Flaw to Mine Crypto

Published : 23/11/2024   Category : security




Active exploit of the critical RCE flaw targets Linux systems to achieve full system compromise.



The attackers behind the Kinsing malware are the latest to exploit the Apache ActiveMQ critical remote code execution (RCE) vulnerability, targeting the flaw to infect vulnerable Linux systems with a cryptocurrency miner.
Researchers from Trend Micro detected attackers exploiting the flaw, tracked as CVE-2023-46604, to mine cryptocurrency, draining the resources of infected Linux systems. ActiveMQ is an open source message broker developed by the Apache Software Foundation (ASF) that implements message-oriented middleware (MOM).
Once Kinsing infects a system, it deploys a cryptocurrency-mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance, Trend Micro researcher Peter Girnus wrote in a post published late Nov. 20.
The researchers also shed new light on the root cause of the vulnerability, which affects multiple versions of Apache ActiveMQ and Apache ActiveMQ Legacy OpenWire Module. The flaw allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems.
ActiveMQ, written in Java, is an open source message broker developed by Apache that implements message-oriented middleware (MOM). Its main function is to relay messages between different applications, and it supports several protocols and APIs, including STOMP, Jakarta Messaging (JMS), and its native OpenWire wire format.
ASF disclosed the flaw and released fixed versions on Oct. 27, and proof-of-concept exploit code soon followed. Though the foundation patched CVE-2023-46604 quickly, threat actors have wasted little time pouncing on the myriad systems that remain unpatched.
One of those threat groups, Kinsing, is already well-known for taking advantage of high-profile flaws to target Linux systems to mine cryptocurrency and commit other nefarious activity, according to Trend Micro.
Previous Kinsing campaigns include exploiting the Looney Tunables bug to steal secrets and data from Linux systems, and exploiting vulnerable images and weakly configured PostgreSQL containers in Kubernetes clusters to gain initial access to systems.
In its attack on ActiveMQ, the group uses public exploits that abuse the Java ProcessBuilder class to execute commands on affected systems, downloading and executing the Kinsing cryptocurrency miner and malware on the vulnerable host, according to Trend Micro.
Kinsing's attack strategy is unique in that once it infects a system, it actively looks for competing crypto miners — such as those tied to Monero or ones that exploit Log4Shell and WebLogic vulnerabilities, Girnus noted.
It then proceeds to kill their processes and network connections, he wrote. Furthermore, Kinsing removes competing malware and miners from the infected host's crontab.
Once this is done, the Kinsing binary is then assigned a Linux environment variable and executed, after which Kinsing adds a cronjob to download and execute its malicious bootstrap script every minute. This ensures persistence on the affected host and also ensures that the latest malicious Kinsing binary is available on affected hosts, Girnus wrote.
In fact, Kinsing doubles down on its persistence and compromise by loading its rootkit in /etc/ld.so.preload, which completes a full system compromise, he added.
In their investigation, Trend Micro researchers compared the patched code with vulnerable versions and found that the root cause is an issue with the validation of Throwable class types when OpenWire commands are unmarshalled, according to the post.
OpenWire is a binary protocol specifically designed for working with MOM and serves as the native wire format of ActiveMQ, a widely used open source messaging and integration platform. It's a preferred format due to its efficient use of bandwidth and its support for a wide range of message types.
The issue at the heart of the flaw is the missing check that the patch adds as the validateIsThrowable method in the BaseDataStreamMarshaller class: vulnerable versions fail to validate the class type of a Throwable, the Java object that represents exceptions and errors. This can accidentally create and execute instances of any class, resulting in RCE vulnerabilities, Girnus said.
Therefore, it is essential to ensure that the class type of a Throwable is always validated to prevent potential security risks, he wrote.
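To make the root cause concrete, the following is an added, self-contained Java example written for this article; it is not ActiveMQ's source code and its wire format is a deliberately simplified stand-in for OpenWire. It shows the vulnerable pattern (reconstructing a "throwable" from a class name and message supplied by the remote peer via reflection, with no type check) next to the hardened form (rejecting any class that is not assignable to Throwable, which is what the validateIsThrowable check added by the patch does conceptually). The class name ThrowableUnmarshalDemo, the helper frame(), and the two createThrowable* methods are illustrative names chosen here, not ActiveMQ identifiers. java.io.File is used as the hostile class because it is harmless; real exploits name a class whose (String) constructor can be driven to ProcessBuilder, as the public exploits mentioned above do.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.lang.reflect.Constructor;

/*
 * Added example (not ActiveMQ code). A frame carries a "throwable" as two UTF
 * strings: the exception class name and its message. The vulnerable path
 * instantiates whatever class the peer names; the hardened path first checks
 * that the class is a Throwable.
 */
public class ThrowableUnmarshalDemo {

    // Constructed sample frame in this demo's own simplified format: class name, then message.
    static byte[] frame(String className, String message) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeUTF(className);
        out.writeUTF(message);
        out.flush();
        return bos.toByteArray();
    }

    // Vulnerable pattern: Class.forName + (String) constructor, no check on the class type.
    static Object createThrowableVulnerable(DataInputStream in) throws Exception {
        String className = in.readUTF();
        String message = in.readUTF();
        Class<?> clazz = Class.forName(className, false, ThrowableUnmarshalDemo.class.getClassLoader());
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message); // constructs any class the remote peer named
    }

    // Hardened pattern: refuse to construct anything that is not assignable to Throwable.
    static Throwable createThrowableHardened(DataInputStream in) throws Exception {
        String className = in.readUTF();
        String message = in.readUTF();
        Class<?> clazz = Class.forName(className, false, ThrowableUnmarshalDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " is not assignable to Throwable");
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Benign frame: a real exception type, accepted by both versions.
        byte[] benign = frame("java.lang.IllegalStateException", "broker error");
        System.out.println("vulnerable, benign : "
                + createThrowableVulnerable(new DataInputStream(new ByteArrayInputStream(benign))));
        System.out.println("hardened, benign   : "
                + createThrowableHardened(new DataInputStream(new ByteArrayInputStream(benign))));

        // Hostile frame: a non-Throwable class with a public (String) constructor.
        // java.io.File is harmless here and only shows that the vulnerable path
        // constructs it at all.
        byte[] hostile = frame("java.io.File", "/tmp/attacker-controlled");
        Object o = createThrowableVulnerable(new DataInputStream(new ByteArrayInputStream(hostile)));
        System.out.println("vulnerable, hostile: constructed " + o.getClass().getName());
        try {
            createThrowableHardened(new DataInputStream(new ByteArrayInputStream(hostile)));
        } catch (IllegalArgumentException e) {
            System.out.println("hardened, hostile  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run it with `javac ThrowableUnmarshalDemo.java && java ThrowableUnmarshalDemo`. The hardened check rejects the hostile frame before any constructor runs; the vulnerable path happily constructs java.io.File, and would just as happily construct a class whose constructor executes commands. The same pattern, reflective instantiation from a peer-controlled class name, is worth grepping for in any custom wire protocol.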
Trend Micro researchers, like other security experts, urged organizations using Apache ActiveMQ to take immediate action to patch the flaw, as well as mitigate any other risks associated with Kinsing.
Given the malware's ability to spread across networks and exploit multiple vulnerabilities, it is important to maintain up-to-date security patches, regularly audit configurations, and monitor network traffic for unusual activity, all of which are critical components of a comprehensive cybersecurity strategy, Girnus wrote.





