A report from Trend Micro revealed how a malware strain known as Kinsing is exploiting a critical vulnerability in the Apache ActiveMQ message broker.
The open-source broker, in fact, carries a vulnerability cataloged as CVE-2023-46604 (it affects the Java-based OpenWire broker and client) that cybercriminals have been actively exploiting to take control of Linux systems.
The vulnerability was patched at the end of October but, since the patch has not yet been applied on many systems, the operators behind Kinsing still have thousands of servers to target that are not protected by the update. The flaw, in effect, allows an attacker to execute arbitrary shell commands on the server without restriction.
According to data collected by the researchers, the main objective of this campaign is a large-scale cryptojacking operation.
Apache ActiveMQ RCE and Kinsing: how to protect and avoid disasters
The malware uses Java's ProcessBuilder method to execute malicious bash scripts and download additional payloads onto the infected device. The advantage of this technique is that it lets Kinsing run complex commands and scripts with a high degree of control and flexibility, while also making the activity harder for some analysis tools to detect.
Before launching its mining tool, however, the malware scans the infected device for any "competition" that is already active: if other miners are present and running, Kinsing kills their processes so that it can take all available hardware resources for itself.
The next step is to anchor itself to the compromised system so that its processes persist. To do this, it fetches the latest version of its infection script and also registers a rootkit in /etc/ld.so.preload, a file whose entries the dynamic loader injects into every new process.
This modus operandi is not surprising: Kinsing is known to target neglected servers that are missing updates.
Precisely for this reason, system administrators are advised to update Apache ActiveMQ to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3 as soon as possible. That is enough, at least for now, to keep the malware out.
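As an added example (not code from Trend Micro, Apache or the article), the following POSIX shell script implements the two checks an administrator would want after reading the above: whether an installed ActiveMQ version is below the fixed release for its 5.x branch, using the four versions listed in the article, and whether /etc/ld.so.preload, the persistence mechanism described earlier, forces any library into every process. The function names, the handling of 5.x branches outside the four listed ones, and the sample file contents are my assumptions.

```shell
#!/bin/sh
# Added example, not Trend Micro's, Apache's or the article's own code.
# Fixed releases taken from the article: 5.15.16, 5.16.7, 5.17.6, 5.18.3.

# activemq_vulnerable VERSION
#   exit 0 -> VERSION is below the fixed release for its 5.x branch
#   exit 1 -> VERSION is at or above the fixed release for its branch
#   exit 2 -> VERSION is not a 5.x release, so the list above does not cover it
activemq_vulnerable() {
    local ver major rest minor patch fixed
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;              # e.g. "5.18" with no patch component
    esac
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-SNAPSHOT"
    patch=${patch:-0}
    [ "$major" = 5 ] || return 2
    case "$minor" in
        15) fixed=16 ;;
        16) fixed=7 ;;
        17) fixed=6 ;;
        18) fixed=3 ;;
        *)
            # Assumption: branches older than 5.15 got no fixed release and are
            # treated as unpatched; branches newer than 5.18 as patched.
            [ "$minor" -lt 15 ] && return 0
            return 1 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# ld_preload_entries [FILE]
#   Prints every library FILE (default /etc/ld.so.preload) forces into each
#   new process; exit 0 if at least one entry is present, 1 if the file is
#   absent or holds no entries. A clean host normally has no such file, so any
#   entry deserves a look; an entry that no longer exists on disk even more so.
ld_preload_entries() {
    local file n entry
    file=${1:-/etc/ld.so.preload}
    n=0
    [ -r "$file" ] || return 1
    # glibc's loader discards '#' comments and splits the rest on whitespace
    # or ':' (rtld.c), so parse the file the same way rather than per line.
    set -f                            # no globbing while word-splitting
    for entry in $(sed 's/#.*//' "$file" | tr ':' ' '); do
        n=$((n + 1))
        if [ -e "$entry" ]; then
            printf 'ld.so.preload entry: %s\n' "$entry"
        else
            printf 'ld.so.preload entry (not on disk): %s\n' "$entry"
        fi
    done
    set +f
    [ "$n" -gt 0 ]
}
```

On a real host, pass `activemq_vulnerable` the version from the installation (for instance the one in the activemq-broker jar's file name under the broker's lib directory) and call `ld_preload_entries` with no argument; a non-zero entry count is worth treating as a compromise indicator until the library has been identified, since the page reports Kinsing registering its rootkit exactly there.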