Hackers are currently targeting a critical Apache ActiveMQ vulnerability to download and infect Linux machines with the Kinsing malware and crypto miner.
In a blog post published on November 20, Trend Micro researchers reported that the exploitation of the CVE-2023-46604 vulnerability in the open-source ActiveMQ protocol results in remote code execution (RCE), which allows Kinsing to carry out the download and installation of malware.
Following a system infection, Kinsing deploys a cryptocurrency-mining script that exploits the host’s resources to mine cryptocurrencies such as Bitcoin. This not only leads to substantial damage to infrastructure but also adversely affects system performance.
The Kinsing malware poses a significant threat, focusing primarily on Linux-based systems, the researchers added. This malicious software has the capability to infiltrate servers and spread rapidly throughout a network. Its mode of entry involves exploiting vulnerabilities present in web applications or misconfigured container environments.
“Organizations that use Apache ActiveMQ must take immediate action to patch CVE-2023-46604 as soon as possible and mitigate the risks associated with Kinsing,” the researchers said in the post. “Given the malware’s ability to spread across networks and exploit multiple vulnerabilities, it is important to maintain up-to-date security patches, regularly audit configurations, and monitor network traffic for unusual activity, all of which are critical components of a comprehensive cybersecurity strategy.”
The vulnerability’s root cause lies in a problem related to the validation of throwable class types during the unmarshalling of OpenWire commands, the researchers noted.
Reports emerged earlier this month regarding the active exploitation of CVE-2023-46604, with hackers utilizing exploits like Metasploit and Nuclei. Despite the high severity of the vulnerability, rated at CVSS 9.8, the level of detection remains comparatively low.
John Gallagher, vice president of Viakoo Labs, highlighted the significance of the CVE, emphasizing the widespread use of Apache ActiveMQ and its ability to communicate across multiple protocols. Additionally, he pointed out its extensive utilization in non-IT environments for interfacing with IoT/OT/ICS devices.
Gallagher further noted that many organizations face challenges in maintaining the patching of IoT devices. Given this scenario, Kinsing’s strategic choice to exploit this vulnerability aligns well with their objective of sustained processing, particularly for activities such as cryptomining.
“Many IoT devices have powerful processing capabilities and lack patching policies, making mining an ideal activity for them,” said Gallagher. “To put it another way, Kinsing likely chose to use this CVE for crypto mining because they expect it to be a long-lived vulnerability; it wouldn’t make any sense if it was a vulnerability Kinsing was expecting to get patched quickly.”