Source: RiskIQ
Identifier: 8468115
Publication date: 2024-03-21 20:17:15 (viewed: 2024-03-21 21:09:24)
Title: Beware of the Messengers, Exploiting ActiveMQ Vulnerability
Text:
#### Description
Cybereason Security Services has issued a Threat Analysis Report on an incident involving a Linux server that saw malicious shell executions from a Java process running Apache ActiveMQ. The ActiveMQ service is an open-source message broker used to bridge communications between separate servers running different components and/or written in different languages. The activity is strongly assessed to have leveraged a Remote Code Execution (RCE) vulnerability, CVE-2023-46604.
The observed shell executions include attempts to download additional payloads such as executables of Mirai Botnet, HelloKitty Ransomware, SparkRAT executables, and coinminers including XMRig. The deployment methodologies mainly employ automation; however, one initial foothold is dependent on an interactive session via Netcat reverse shells.
> [Check out Microsoft's write-up on CVE-2023-46604 - Apache ActiveMQ here.](https://sip.security.microsoft.com/intel-profiles/CVE-2023-46604)
#### Reference URL(s)
1. https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability
#### Publication Date
March 13, 2024
#### Author(s)
Cybereason Security Services Team
Sent: Yes
Tags: Ransomware, Vulnerability, Threat
Stories: (none listed)
Notes: ★★