Blog entry by Les Bell


Cloud applications employ a variety of software architecture patterns, but high among them is the microservices architecture, which links a number of independently-running processes. The links can be by means of RESTful APIs or via message-oriented middleware such as Amazon's Simple Queue Service, Google Cloud Pub/Sub and others. Among the open source offerings like RabbitMQ and OpenMQ is the Apache Project's ActiveMQ, a Java-based multi-protocol message broker which can connect a variety of clients using protocols such as AMQP and MQTT (which is widely used on the Internet of Things). ActiveMQ is also compatible with the Java Message Service (JMS) API, making migration of earlier application code easy.


Now Trend Micro reports on an active campaign which exploits CVE-2023-46604, a remote code execution vulnerability in the Java OpenWire protocol marshaller used by ActiveMQ. The vulnerability allows an attacker to manipulate serialized class types in the protocol to instantiate any class found on the classpath. This occurs because the OpenWire code fails to validate a throwable class type (used in exception handling): it accepts whatever class name the stream carries instead of checking that the class is actually a subtype of Throwable.

The vulnerability is being used by a threat actor to download and install malware - primarily the Kinsing cryptominer. This particular campaign uses CVE-2023-46604 to instantiate a ProcessBuilder object, calling its start() method to execute a bash shell which uses either curl or wget to download a malicious installer script from a C2 server and execute it. Once the Kinsing malware is installed and running, it fetches further binaries and payloads from the C2 server. Interestingly, Kinsing then proceeds to search for and kill any competing cryptominers before adding a cron job which will download and run its bootstrap script every minute, ensuring it is always updated. It completes its infection by installing a rootkit which loads from /etc/ld.so.preload.

It then sets to work, using the infected machine's CPU resources to mine cryptocurrencies like Bitcoin, dragging the system performance down in the process.

The Kinsing operators are not the only ones exploiting CVE-2023-46604, which makes it all the more urgent for organizations using ActiveMQ to update their systems to versions 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which have been patched to call an added validateIsThrowable() method in the BaseDataStreamMarshaller class.

All this shows the danger of not thoroughly sanitizing input, especially when the client is untrusted (as it usually is). We generally remember to sanitize form input from browsers and in desktop programs, but it is easy to overlook data deserialization, both when reading from databases and in message-oriented middleware.
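The following is an added illustration of that point, not ActiveMQ's own code: a minimal marshaller-style read of a "throwable" record from an untrusted stream, with the Throwable type check that the fix described above adds. The two-field UTF framing and the class and method names are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class ThrowableTypeCheck {

    // Hardened resolution: the class named in the stream is only accepted if it is
    // assignable to Throwable. Without this check, any class on the classpath with a
    // matching constructor could be instantiated from attacker-controlled input.
    static Class<?> resolveThrowableClass(String className) throws ClassNotFoundException {
        // initialize=false: merely resolving the name must not run static initializers
        Class<?> clazz = Class.forName(className, false, ThrowableTypeCheck.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " is not assignable to Throwable");
        }
        return clazz;
    }

    // Reads a class name and a message (simplified framing: two UTF strings) and
    // instantiates the exception, but only after the type check has passed.
    static Throwable readThrowable(DataInputStream in) throws Exception {
        String className = in.readUTF();
        String message = in.readUTF();
        Class<?> clazz = resolveThrowableClass(className);
        return (Throwable) clazz.getConstructor(String.class).newInstance(message);
    }

    // Builds a constructed sample frame in the same simplified format.
    static byte[] frame(String className, String message) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeUTF(className);
        out.writeUTF(message);
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A legitimate exception type is accepted and instantiated.
        Throwable ok = readThrowable(new DataInputStream(
                new ByteArrayInputStream(frame("java.io.IOException", "broker closed"))));
        System.out.println("accepted: " + ok);
        // A non-Throwable type (the post's ProcessBuilder example) is rejected by the
        // type check before any constructor is even looked up.
        try {
            readThrowable(new DataInputStream(
                    new ByteArrayInputStream(frame("java.lang.ProcessBuilder", "ignored"))));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```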

The Trend Micro write-up includes a more detailed analysis and explanation as well as a YARA rule which can be used for scanning.

Girnus, Peter, CVE-2023-46604 (Apache ActiveMQ) Exploited to Infect Systems With Cryptominers and Rootkits, research report, 20 November 2023. Available online at https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html.



Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
