Attackers are exploiting a recently fixed vulnerability (CVE-2023-46604) in Apache ActiveMQ to install Kinsing malware and cryptocurrency miners on targeted Linux systems.

Apache ActiveMQ Kinsing malware

CVE-2023-46604 exploitation

Apache ActiveMQ is a popular Java-based open source message broker that allows communication between applications and services by translating messages exchanged via different protocols (OpenWire, STOMP, MQTT, AMQP, etc.).

CVE-2023-46604 is a vulnerability in the Java OpenWire protocol marshaller and may allow attackers to execute arbitrary code with the same privileges of the ActiveMQ server.

Although a patch has been issued in late October, there have been reports of it being exploited by ransomware attackers wielding the HelloKitty ransomware family, as well as to deliver the SparkRAT malware.

Kinsing malware targeting Apache ActiveMQ

“The Kinsing malware is a critical threat that primarily targets Linux-based systems and can infiltrate servers and spread rapidly across a network. It gains entry by exploiting vulnerabilities in web applications or misconfigured container environments,” Trend Micro researchers explained.

The attackers exploit CVE-2023-46604 to download and execute Kinsing malware and cryptocurrency mining software.

Kinsing also scans the system for competing cryptocurrency miners and removes them, achieves persistence by adding a cronjob that will download and execute a malicious bootstrap script every minute, and doubles down on its persistence and compromise by loading a rootkit.

“Once Kinsing infects a system, it deploys a cryptocurrency-mining script that exploits the host’s resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance,” the researchers said.

“Organizations that use Apache ActiveMQ must take immediate action to patch CVE-2023-46604 as soon as possible and mitigate the risks associated with Kinsing. Given the malware’s ability to spread across networks and exploit multiple vulnerabilities [such as CVE-2023-4911, aka Looney Tunables], it is important to maintain up-to-date security patches, regularly audit configurations, and monitor network traffic for unusual activity, all of which are critical components of a comprehensive cybersecurity strategy.”