Muhstik: Army of zombie servers ready for a new DDoS attack

Tomcat

Update your Apache RocketMQ instances to avoid compromise.

The well-known Muhstik botnet began actively exploiting a vulnerability in Apache RocketMQ patched last year to take over vulnerable servers and increase the scale of its DDoS attacks.

According to Aqua Security, a company specializing in cloud security, Muhstik has become one of the main threats to Linux-based IoT devices and servers, infecting them for subsequent mining of cryptocurrencies and conducting distributed denial-of-service attacks (DDoS).

The first documented attacks using this malware were recorded in 2018. Muhstik actively uses known vulnerabilities in web applications for its distribution. The most significant of these was the critical-severity vulnerability CVE-2023-33246 (CVSS 9.8), which allows remote attackers to execute arbitrary code by tampering with the RocketMQ protocol content or using the configuration update function.

Attackers use this vulnerability to gain initial access to the system and then run a script from a remote IP address. This script downloads the main malicious Muhstik file ("pty3") from another server. The malicious code is then copied to several directories and modifies the "/etc/inittab" file to ensure automatic startup when the server is rebooted.

To disguise the malicious file, it is given the name "pty3", which helps it hide under the guise of a legitimate pseudo-terminal. The file is also copied to the directories "/dev/shm", "/var/tmp", "/run/lock" and "/run", which allows it to be executed directly from memory and avoid detection.

Muhstik is able to collect system metadata, move to other devices via SSH, and communicate with the C2 domain via the IRC protocol for further instructions. The main purpose of the malware is to use infected devices to conduct various DDoS attacks, overloading the victims' networks.

Despite the public disclosure of the CVE-2023-33246 vulnerability more than a year ago, there are still more than 5,200 vulnerable Apache RocketMQ instances on the Internet. Organizations need to update the software to the latest version to minimize risks.

According to the AhnLab Security Intelligence Center (ASEC), vulnerable MS-SQL servers are also actively attacked by various types of malware, including ransomware and remote access Trojans. Experts recommend that administrators use complex passwords and change them regularly, as well as install security updates in a timely manner.
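A host-side check for the persistence artefacts the post describes (regular files named "pty3", or marked executable, in the four drop directories, and /etc/inittab entries that launch something from them), added here as an example and not code from the post or from Aqua Security. The directory list and file name come from the text above; the fixture tree it scans is a constructed, harmless placeholder, not real malware.

```python
import os
import re
import stat
import tempfile

# Locations the post names as drop directories for the "pty3" payload.
DROP_DIRS = ("dev/shm", "var/tmp", "run/lock", "run")
PAYLOAD = "pty3"
# Matches an /etc/inittab action whose command lives in one of those directories.
INITTAB_RE = re.compile(r"/(dev/shm|var/tmp|run/lock|run)/\S+")

def scan_host(root="/"):
    """Return (kind, detail) findings for the drop directories and /etc/inittab.
    `root` lets the scan run against a constructed fixture instead of the live host."""
    findings = []
    for rel in DROP_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if stat.S_ISREG(st.st_mode) and (name == PAYLOAD or executable):
                findings.append(("suspicious_file", path))
    inittab = os.path.join(root, "etc", "inittab")
    if os.path.isfile(inittab):
        with open(inittab, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.strip()
                if line and not line.startswith("#") and (INITTAB_RE.search(line) or PAYLOAD in line):
                    findings.append(("inittab_entry", f"{inittab}:{lineno}: {line}"))
    return findings

def build_fixture():
    """Constructed sample tree with harmless placeholder files mimicking the artefacts."""
    root = tempfile.mkdtemp(prefix="muhstik_demo_")
    for rel in DROP_DIRS + ("etc",):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    payload = os.path.join(root, "var", "tmp", PAYLOAD)
    with open(payload, "w") as fh:
        fh.write("#!/bin/sh\n# constructed placeholder, not real malware\n")
    os.chmod(payload, 0o755)
    with open(os.path.join(root, "etc", "inittab"), "w") as fh:
        fh.write("id:3:initdefault:\n# comment\nmu:2345:respawn:/var/tmp/pty3\n")
    return root
```

On a live host, run `scan_host()` as root and triage each finding; executable files in /run are rare but not impossible, so the list is a starting point for review rather than a verdict.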