Trend Micro's cybersecurity researchers have recently discovered active exploitation of a critical flaw in Apache ActiveMQ, tracked as CVE-2023-46604. The vulnerability is being used to infect Linux systems with the infamous Kinsing malware, also known as h2miner, to run a malicious cryptocurrency-mining operation. Apache ActiveMQ, a Java-based message-oriented middleware developed by Apache, serves as a critical communication hub for many applications: its main role is to enable message exchange between different applications, with support for STOMP, Jakarta Messaging (JMS), and OpenWire. However, because the broker fails to validate the throwable class type in its OpenWire commands, it has become an entry point for remote code execution (RCE), a severe security issue.
The Kinsing malware, also known as h2miner, mainly targets Linux-based systems. It infiltrates servers by exploiting vulnerabilities in web applications or poorly configured container environments, then spreads rapidly across networks. The recent exploitation of high-profile vulnerabilities, such as CVE-2023-4911 (Looney Tunables), has further expanded its reach. Once inside the system, Kinsing deploys a cryptocurrency-mining script, exploiting the host’s resources to mine digital currencies like Bitcoin, which can have a detrimental impact on infrastructure and system performance.
Upon successful exploitation of CVE-2023-46604, Kinsing uses public exploits, specifically the ProcessBuilder method, to execute commands on the compromised system. The malware then downloads and runs cryptocurrency miners and additional malicious payloads. What makes Kinsing especially dangerous is its strategy of eliminating competition: it actively seeks out and removes competing cryptocurrency miners and malware, thus monopolizing the infected host’s resources.
The malware’s persistence mechanism is cleverly designed. It sets up a cron job that regularly downloads and runs its malicious bootstrap script, ensuring a continuous presence and keeping its binary updated on infected hosts. Moreover, it implants its rootkit via /etc/ld.so.preload, leading to a full-scale compromise of the system.
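A defender-side triage check for the two persistence artefacts just described, added here as an example and not taken from the article or from Trend Micro's research. The script name kinsing_triage.sh, the download-and-execute regular expression and the sample file paths are assumptions.

```sh
#!/bin/sh
# Hypothetical triage helper (added example, not from the article or Trend Micro):
# surfaces the two persistence artefacts the article attributes to Kinsing,
# a rootkit registered in /etc/ld.so.preload and a cron job that fetches and
# runs a remote bootstrap script. Output is for analyst review, not a verdict:
# legitimate preload entries (e.g. monitoring agents) do exist.

# check_preload [FILE]: print every non-comment entry; return 1 if any present.
check_preload() {
    preload_file="${1:-/etc/ld.so.preload}"
    [ -s "$preload_file" ] || return 0        # absent or empty is the normal state
    hits=0
    while IFS= read -r lib || [ -n "$lib" ]; do
        case "$lib" in ''|'#'*) continue ;; esac
        hits=$((hits + 1))
        printf 'PRELOAD: %s\n' "$lib"
        # an entry pointing at a missing file is itself worth a closer look
        [ -e "$lib" ] || printf 'PRELOAD: %s is not present on disk\n' "$lib"
    done < "$preload_file"
    [ "$hits" -eq 0 ]
}

# Download tool whose output is piped into, or followed by, a shell interpreter.
DL_EXEC_RE='(curl|wget)[^|;&]*([|;]|&&)[[:space:]]*(ba)?sh'

# check_cron FILE: print matching lines with line numbers; return 1 if any match.
check_cron() {
    cron_file="$1"
    [ -r "$cron_file" ] || return 0
    matches=$(grep -nE "$DL_EXEC_RE" "$cron_file" || true)
    [ -n "$matches" ] || return 0
    printf '%s\n' "$matches" | sed "s|^|CRON: $cron_file:|"
    return 1
}

# Stand-alone use: `sh kinsing_triage.sh --scan` (root needed for user crontabs).
if [ "${1:-}" = "--scan" ]; then
    status=0
    check_preload /etc/ld.so.preload || status=1
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        check_cron "$f" || status=1
    done
    exit "$status"
fi
```

A non-zero exit from `--scan` means at least one artefact needs review; confirm a flagged preload library against package ownership before treating it as the rootkit.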
The exploitation of CVE-2023-46604 by Kinsing and similar threat actors poses a significant security risk for organizations worldwide. Those using Apache ActiveMQ must urgently patch this vulnerability. Defending against such advanced threats requires a comprehensive cybersecurity strategy, including regular updates of security patches, thorough configuration audits, and vigilant monitoring of network traffic.