Active exploitation of Apache RocketMQ security flaw
Target Industry
Indiscriminate, opportunistic targeting.
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) added a critical-severity vulnerability, tracked as CVE-2023-33246 (CVSSv3 score: 9.8), affecting the Apache RocketMQ messaging and streaming platform. Intelligence gathering indicates that threat actors may be actively exploiting this security flaw to install malware payloads on vulnerable systems.
A security researcher found that the vulnerability is exploitable because several Apache RocketMQ components, including the NameServer and Controller, are exposed to the internet. They also determined that approximately 4,500 systems were exposed via TCP port 9876, the port used by the Apache RocketMQ NameServer.
Impact
Successful exploitation of CVE-2023-33246 could allow a threat actor to use the update configuration function to execute commands as the system user that RocketMQ runs as. This could give threat actors remote code execution (RCE) capabilities, which would almost certainly result in the compromise of data confidentiality and integrity.
Incident Detection
Apache has released security updates for the product versions affected by the security flaw. As such, earlier versions remain vulnerable to potential exploitation.
Affected Products
Apache RocketMQ versions 5.1.0 and prior.
Containment, Mitigations & Remediations
To mitigate the threat posed by this vulnerability, it is strongly recommended that users apply the following updates as a matter of urgency:
- Version 5.1.1 or later for users of RocketMQ 5.x
- Version 4.9.6 or later for users of RocketMQ 4.x
If it is not possible to apply the updates above, CISA recommends discontinuing use of the impacted products.
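The following Python script is an added example, not tooling from Apache or from this advisory. It turns the two fixed releases above into a triage check for an inventory of RocketMQ hosts. The rule it encodes is an assumption drawn from the advisory text: 4.x is fixed from 4.9.6, 5.x from 5.1.1, and anything older than the 4.x line falls under "5.1.0 and prior" with no fixed release of its own. The inventory it scans is constructed sample data.

```python
import re

# Fixed releases named in the advisory, keyed by major version line.
# Assumed rule (this is an added example, not Apache's own tooling):
# 4.x is fixed from 4.9.6, 5.x from 5.1.1; older lines have no fix of their
# own and are treated as needing the 5.1.1 release.
FIXED_RELEASE = {4: (4, 9, 6), 5: (5, 1, 1)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised RocketMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fixed_release_for(version):
    """Pick the fixed release that applies to this version's major line."""
    return FIXED_RELEASE.get(version[0], FIXED_RELEASE[5])


def is_vulnerable(version_text):
    """True when the version predates the fixed release for its line."""
    version = parse_version(version_text)
    return version < fixed_release_for(version)


def required_upgrade(version_text):
    """Minimum fixed version as a string, or None when already patched."""
    version = parse_version(version_text)
    fixed = fixed_release_for(version)
    return None if version >= fixed else ".".join(map(str, fixed))


def triage_inventory(inventory):
    """inventory: iterable of (host, version) pairs; returns hosts needing action."""
    return [
        (host, ver, required_upgrade(ver))
        for host, ver in inventory
        if is_vulnerable(ver)
    ]


# Constructed inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.1.0"),
    ("mq-prod-02", "5.1.1"),
    ("mq-legacy-01", "4.9.5"),
    ("mq-legacy-02", "4.9.6"),
    ("mq-archive-01", "3.2.6"),
]

if __name__ == "__main__":
    for host, ver, target in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: running {ver}, upgrade to {target}")
```

The version parser deliberately rejects anything that is not three dotted integers, so a malformed inventory entry raises rather than silently passing as patched.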
Indicators of Compromise
Associated Vulnerability Exploitation IP Addresses:
- 103[.]85[.]25[.]121
- 94[.]156[.]6[.]110
- 45[.]15[.]158[.]124
- 134[.]209[.]58[.]230
Associated Vulnerability Exploitation Domains:
- acf-producao[.]s3[.]amazonaws[.]com
- ashleyhub[.]s3[.]amazonaws[.]com
- aaadutyv1[.]s3[.]amazonaws[.]com
- brazilfoundation-assets[.]s3[.]amazonaws[.]com
Associated Vulnerability Exploitation File Hashes (SHA-256):
- 1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac
- d7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0
- 4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb
- f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201
- 49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea
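The following Python script is an added example and is not part of the advisory. It refangs the indicators listed above (the "[.]" notation is there so the values are not clickable), then checks constructed sample log lines for the listed IP addresses and domains and offers a SHA-256 lookup for files on disk. The log line format and the hostnames in the sample are assumptions made for the example.

```python
import hashlib
import re

# Indicators copied from the advisory above, in the defanged form it uses.
DEFANGED_IPS = [
    "103[.]85[.]25[.]121",
    "94[.]156[.]6[.]110",
    "45[.]15[.]158[.]124",
    "134[.]209[.]58[.]230",
]
DEFANGED_DOMAINS = [
    "acf-producao[.]s3[.]amazonaws[.]com",
    "ashleyhub[.]s3[.]amazonaws[.]com",
    "aaadutyv1[.]s3[.]amazonaws[.]com",
    "brazilfoundation-assets[.]s3[.]amazonaws[.]com",
]
SHA256_HASHES = {
    "1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac",
    "d7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0",
    "4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb",
    "f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201",
    "49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea",
}


def refang(indicator):
    """Turn the advisory's defanged "[.]" notation back into a matchable value."""
    return indicator.replace("[.]", ".")


IP_SET = {refang(i) for i in DEFANGED_IPS}
DOMAIN_SET = {refang(d).lower() for d in DEFANGED_DOMAINS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostnames. Digits are allowed, so this also matches IP addresses;
# that is harmless because they are looked up in DOMAIN_SET and not found.
HOSTNAME_RE = re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def match_line(line):
    """Return (kind, indicator) pairs for every advisory IoC found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IP_SET:
            hits.append(("ip", ip))
    for host in HOSTNAME_RE.findall(line):
        if host.lower() in DOMAIN_SET:
            hits.append(("domain", host.lower()))
    return hits


def scan_lines(lines):
    """Return (line_number, line, hits) for every line containing at least one IoC."""
    return [
        (n, line, hits)
        for n, line in enumerate(lines, 1)
        if (hits := match_line(line))
    ]


def is_known_hash(sha256_hex):
    """Case-insensitive lookup of a SHA-256 hex digest against the advisory list."""
    return sha256_hex.strip().lower() in SHA256_HASHES


def file_matches(path):
    """Hash a file on disk in chunks and check it against the advisory's list."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return is_known_hash(h.hexdigest())


# Constructed sample log lines (assumed format, not real data); lines 1 and 3 match.
SAMPLE_LOG_LINES = [
    "2023-08-01T10:15:22Z nameserver accepted connection from 103.85.25.121:51234",
    "2023-08-01T10:15:23Z nameserver accepted connection from 10.0.0.5:40112",
    "2023-08-01T10:15:24Z broker dns query acf-producao.s3.amazonaws.com type A",
]

if __name__ == "__main__":
    for n, line, hits in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {hits}")
```

Matching is done on exact refanged values rather than substrings, so a legitimate bucket such as another name under s3.amazonaws.com does not trigger a hit; only the four bucket hostnames listed above do.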
Threat Landscape
Apache RocketMQ holds a significant share of the enterprise application integration market. Given that threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, Apache products have become a prime target. Because enterprise applications are an integral aspect of business operations, threat actors will continue to exploit vulnerabilities in the associated products in an attempt to extract the sensitive data they contain.
Threat Group
CVE-2023-33246 has been exploited since June by at least five separate threat actors. Notably, in June 2023, DreamBus botnet operators leveraged the security flaw to deploy a Monero cryptocurrency miner.
DreamBus is a modular malware strain primarily focused on Monero mining. Upon exploitation of CVE-2023-33246, the malware establishes a system service and a cron job to maintain persistence on target systems.
Mitre Methodologies
Common Weakness Enumeration (CWE):
CWE-94 – Improper Control of Generation of Code (‘Code Injection’)
Further Information
TIDC-0004