Malware operator Kinsing is actively exploiting the critical CVE-2023-46604 vulnerability in the open source Apache ActiveMQ message broker to compromise Linux systems.
The flaw allows remote code execution and was fixed at the end of October. The Apache disclosure explains that the issue allows arbitrary shell commands to be executed exploiting serialized class types in the OpenWire protocol.
Researchers found that thousands of servers remained exposed to attacks after the patch was released, and ransomware gangs like HelloKitty and TellYouThePass began taking advantage of the opportunity.
Kinsing targets ActiveMQ
Today, a report from Trend Micro notes that Kinsing has been added to the list of malicious actors exploiting CVE-2023-46604, with the aim of deploying cryptocurrency miners on vulnerable servers.
Kinsing malware targets Linux systems and its operator is known to exploit known vulnerabilities that are often overlooked by system administrators. Previously, they relied on Log4Shell and an Atlassian Confluence RCE bug for their attacks.
“Currently, there are public exploits that leverage the ProcessBuilder method to execute commands on affected systems,” the researchers explain.
“In the context of Kinsing, CVE-2023-46604 is exploited to download and execute cryptocurrency miners and Kinsing malware on a vulnerable system” – Trend Micro
The malware uses the “ProcessBuilder” method to execute malicious bash scripts and download additional payloads to the infected device from newly created system-level processes.
The advantage of this method is that it allows the malware to execute complex commands and scripts with a high degree of control and flexibility while evading detection.
Before launching the crypto mining tool, Kinsing checks the machine for competing Monero miners and removes all of their associated processes, crontabs, and active network connections.
After that, it establishes persistence via a cron job that fetches the latest version of its infection script (bootstrap) and also adds a rootkit in “/etc/ld.so.preload”.
The /etc directory on Linux systems typically hosts system configuration files, executables for starting the system, and some log files; the /etc/ld.so.preload file in particular lists shared libraries that the dynamic linker loads into every dynamically linked program before the program’s own code starts running.
In this case, adding a rootkit ensures that its code runs on every process started on the system while remaining relatively hidden and difficult to remove.
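A defender-side triage script for the two persistence artifacts just described, added here as an example rather than code from the article or from Trend Micro: it lists entries in an ld.so.preload file and flags crontab lines that pipe a downloaded script straight into a shell. The `--scan` flag, the cron directories searched and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added triage example (not the article's or Trend Micro's code).
# Looks for the two persistence artifacts described above: shared objects
# listed in /etc/ld.so.preload, and cron jobs that pipe a downloaded script
# straight into a shell. Both functions take a file path so they can be
# pointed at a live system or at copies pulled from a suspect host.

# Print every non-comment entry of an ld.so.preload file. Return 1 if any
# entry exists (a populated preload file is rare on a clean host), else 0.
check_preload() {
    file="${1:-/etc/ld.so.preload}"
    [ -r "$file" ] || return 0
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        found=1
        if [ -e "$line" ]; then
            printf 'preload entry: %s\n' "$line"
        else
            # A rootkit may hide its own file from directory listings, so an
            # entry that is not visible on disk is still worth flagging.
            printf 'preload entry (not visible on disk): %s\n' "$line"
        fi
    done < "$file"
    [ "$found" -eq 0 ]
}

# Print crontab lines that fetch with curl/wget and pipe into sh or bash,
# the re-download pattern used for a bootstrap script. Return 1 if any match.
check_cron_fetch() {
    file="$1"
    [ -r "$file" ] || return 0
    if grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$file"; then
        return 1
    fi
    return 0
}

# Full host scan when invoked as: sh ldpreload_check.sh --scan  (assumed flag)
if [ "${1:-}" = "--scan" ]; then
    status=0
    check_preload /etc/ld.so.preload || status=1
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && { check_cron_fetch "$f" || status=1; }
    done
    exit "$status"
fi
```

A non-zero exit from `--scan` means at least one artifact was found and the printed lines show which file carried it.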
As the number of threat actors exploiting CVE-2023-46604 increases, organizations across multiple industries remain at risk if they do not patch the vulnerability or check for signs of compromise.
To mitigate the threat, system administrators are advised to upgrade Apache ActiveMQ to versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which resolve the security issue.