Executive Summary
Kinsing threat actors were recently observed leveraging CVE-2023-46604, a vulnerability affecting Apache ActiveMQ, to infect Linux systems with cryptominers and rootkits.
Key Takeaways
- Kinsing threat actors were recently observed leveraging CVE-2023-46604 to infect Linux systems with cryptominers and rootkits.
- Kinsing is a Go-based ELF format Linux agent that has backdoor and rootkit components and is usually used to install a cryptominer.
- CVE-2023-46604 is a vulnerability affecting Apache ActiveMQ.
What is Kinsing?
Kinsing threat actors were recently observed leveraging CVE-2023-46604, a vulnerability affecting Apache ActiveMQ, to infect Linux systems with cryptominers and rootkits. Trend Micro reported on this activity.
Kinsing is a Go-based ELF format Linux agent that has backdoor and rootkit components and is usually used to install a cryptominer. Although Kinsing affects Linux-based systems, it can infiltrate servers and quickly spread across a network.
Once Kinsing infects a system, it deploys a cryptomining script that uses the victim machine to mine cryptocurrencies, such as Bitcoin. It is interesting to note that Kinsing malware actively looks for competing cryptocurrency miners and kills their processes and network connections.
The threat actors behind Kinsing have evolved their TTPs over time, often using known vulnerabilities in web applications or misconfigured container environments to obtain access. Environments targeted in the past include Docker, Redis, SaltStack, and Kubernetes. Earlier this month, Kinsing was observed using the Looney Tunables vulnerability CVE-2023-4911.
What is CVE-2023-46604?
ActiveMQ, which is written in Java, is an open-source protocol used to send messages between different applications using message-oriented middleware (MOM). It also includes STOMP, JMS, and OpenWire. OpenWire is a binary protocol designed to work with MOM.
CVE-2023-46604 is a remote code execution vulnerability in the Java OpenWire protocol marshaller. It affects Apache ActiveMQ. The vulnerability allows a threat actor with network access to a Java-based OpenWire broker or client to run arbitrary shell commands. It is considered a critical vulnerability, with a CVSS score of 9.8.
Apache ActiveMQ versions affected by CVE-2023-46604 include the following:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Besides Kinsing, Hello Kitty ransomware has also been observed leveraging CVE-2023-46604. There are also Metasploit and Nuclei proof of concept exploits leveraging CVE-2023-46604.
IOCs
PolySwarm has multiple samples associated with this activity.
787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
C6fbd6896d162a12d9c900056781eb82f44649945808b7b009646b5397bcf6bf
c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a
You can use the following CLI command to search for all Kinsing samples in our portal:
$ polyswarm link list -f Kinsing
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.