CyberSecurity SEE

Muhstik Malware Targeting Apache RocketMQ Platform for Remote Code Execution

Cybersecurity researchers at Aqua Nautilus recently reported that the Apache RocketMQ platform, which is widely used for messaging systems handling high volumes of data and critical operations, has become a target for attackers looking to exploit its vulnerabilities for malicious purposes.

One of the vulnerabilities discovered in RocketMQ was a remote code execution vulnerability, known as CVE-2023-33246, present in versions 5.1.0 and below. This vulnerability allowed attackers to execute commands by taking advantage of the insecure update configuration function within the platform. This exploit posed a serious threat as it could potentially disrupt communications, access sensitive information, and even gain control over the data flow.

The researchers uncovered that the Muhstik malware, part of the Kaiten family known for targeting Linux devices for cryptomining and DDoS attacks, had been actively attacking the Apache RocketMQ platform. The attackers used the RocketMQ flaw to upload and execute a malicious payload that fetched the Muhstik malware. This attack method bore similarities to previous Mirai-based attacks following a leak of the malware’s source code.

In a controlled experiment, the researchers set up a honeypot with a vulnerable version of RocketMQ. Attackers quickly detected and exploited the flaw to update the broker configuration, enabling remote code execution. They then delivered a malicious shell script to fetch the Muhstik malware binaries that matched the system architecture, allowing the malware to infiltrate the system.
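The exploitation chain above hinges on an unauthenticated broker configuration update. As an added defender-side example (not code from Aqua Nautilus or this article), the script below flags configuration updates that come from outside an assumed admin network or carry shell metacharacters in the new value; the audit-log format and the allowlist are constructed assumptions, not RocketMQ's own log format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample audit records (assumed shape, NOT RocketMQ's real log format):
#   "<timestamp> <source_ip> UPDATE_BROKER_CONFIG <key>=<value>"
SAMPLE_AUDIT_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 UPDATE_BROKER_CONFIG flushDiskType=ASYNC_FLUSH
2023-06-01T10:02:13Z 203.0.113.77 UPDATE_BROKER_CONFIG brokerName=broker-a
2023-06-01T10:02:14Z 203.0.113.77 UPDATE_BROKER_CONFIG storePathRootDir=/data/store;sh -c "echo probe"
2023-06-01T10:05:00Z 10.0.0.5 SEND_MESSAGE topic=orders
"""

# Hypothetical allowlist of hosts permitted to change broker configuration.
ADMIN_NETWORKS = [ip_network("10.0.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) UPDATE_BROKER_CONFIG (?P<key>[^=]+)=(?P<val>.*)$"
)
# Characters that have no business in a broker config value but would let a
# value be interpreted as a shell command if the broker passes it on unsafely.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&")


def parse_config_updates(log_text):
    """Return only the UPDATE_BROKER_CONFIG events as dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def from_admin_network(src):
    ip = ip_address(src)
    return any(ip in net for net in ADMIN_NETWORKS)


def detect_suspicious_updates(log_text):
    """Alert on config updates from non-admin sources or with shell-like values."""
    alerts = []
    for ev in parse_config_updates(log_text):
        reasons = []
        if not from_admin_network(ev["src"]):
            reasons.append("config update from non-admin source")
        if SHELL_META_RE.search(ev["val"]):
            reasons.append("shell metacharacters in config value")
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev["src"],
                           "key": ev["key"], "reasons": reasons})
    return alerts
```

Running `detect_suspicious_updates(SAMPLE_AUDIT_LOG)` returns two alerts for the 203.0.113.77 updates, the second matching both rules.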

Once the Muhstik malware was executed, it copied itself across directories and ensured persistence by editing critical system files to restart its process on boot. The malware employed fileless techniques, loading itself directly into memory from temporary locations to avoid detection. It also engaged in various malicious activities like scanning for SSH services, communicating with a C2 server over IRC, and performing DDoS attacks and cryptomining on infected computers.

The research revealed that a significant number of RocketMQ instances globally were vulnerable to the CVE-2023-33246 vulnerability, with 5200 instances identified as being at risk based on Shodan scans. This highlighted the importance of maintaining up-to-date security patches and ensuring that systems are adequately protected against potential threats.

The incident served as a reminder of the risks associated with unpatched systems and emphasized the need for companies with cloud-native applications to prioritize cybersecurity. With new vulnerabilities and misconfigurations constantly emerging, it is crucial for organizations to remain vigilant and take proactive measures to protect their systems from evolving threats like Muhstik.

In conclusion, the Apache RocketMQ platform, while a valuable tool for developers, must be used with caution to prevent exploitation by malicious actors. By implementing robust security measures, conducting regular scans, and educating employees on best practices, companies can strengthen their defenses against threats like the Muhstik malware.
