An active exploitation of a critical Apache ActiveMQ vulnerability (CVSS 9.8) was observed looking to download and infect Linux systems with the Kinsing malware and cryptocurrency miner.
In a Nov. 20 blog post, Trend Micro researchers said when exploited, the CVE-2023-46604 flaw in the open source ActiveMQ protocol leads to remote code execution (RCE), which Kinsing uses to download and install malware.
The researchers said Kinsing malware is a critical threat that primarily targets Linux-based systems, and can infiltrate servers and spread rapidly across a network. It gains entry by exploiting vulnerabilities in web applications or misconfigured container environments.
This was not the first time Kingsing has been in the news. Earlier this month, SC Media reported that the threat actors behind Kinsing exploited high-profile vulnerabilities such as CVE-2023-4911, known as Looney Tunables. The Trend Micro researchers said once Kinsing infects a system, it deploys a cryptocurrency-mining script that exploits the host's resources to mine Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance.
Ken Dunham, director of cyber threat at Qualys, pointed out that Kinsing has successfully preyed upon poorly authenticated and configured cloud Docker containers dating back to 2020, then performing lateral movement attempts leveraging brute force attacks. Dunham said widespread abuse of CVE-2023-46604 is currently underway because of the availability of exploit code in the wild and ongoing attacks by Kinsing and others.
“Kinsing is adept at attacks that land and expand, making this a dangerous enabler for any misconfigured cloud environment, ripe for exploitation,” said Dunham. “Organizations should prioritize patching and remediation, especially for all external-facing exposure and those with higher-value assets. Additionally, precautions such as extensive monitoring and logging reviews with work-arounds where they apply are recommended, to counter known TTPs for brute-force and known attacks, until the risk of exploitation gets fully remediated.”
John Gallagher, vice president of Viakoo Labs, said the danger with this CVE is that Apache ActiveMQ is widely used and it can communicate across multiple protocols. It’s also widely used in non-IT environments to interface to IoT/OT/ICS devices.
Gallagher said many organizations struggle to keep IoT devices patched, so Kinsing chose well in using this exploit for longer-term processing such as cryptomining.
“Many IoT devices have powerful processing capabilities and lack patching policies, making mining an ideal activity for them,” said Gallagher. “To put it another way, Kinsing likely chose to use this CVE for cryptomining because they expect it to be a long-lived vulnerability; it wouldn’t any make sense if it was a vulnerability Kinsing was expecting to get patched quickly.”