Apache ActiveMQ Vulnerability Exploited to Attack Linux Servers

Threat actors actively targeted the Apache ActiveMQ vulnerability to get unauthorized access to messaging systems, leading to potential data breaches and system compromise.
Cybersecurity researchers at Sekoia recently identified that the Kinsing Malware actively exploited this Apache ActiveMQ vulnerability to attack the Linux server.
This vulnerability was disclosed on October 27, 2023; it's a severe OpenWire module vulnerability with a critical CVSS3 score of 9.8.
This flaw allows unauthenticated attackers to execute code.
The flaw, rooted in deserialization validation lapses, particularly impacts ExceptionResponseMarshaller.
Attackers can exploit it by creating a weaponized throwable class.
ClassPathXmlApplicationContext can be manipulated through a weaponized XML file, granting code execution.
Patches were released on October 28, 2023, urging updates to the following versions:-.
If updating isn't feasible, then make sure to block the OpenWire access from the Internet, as this will mitigate the risk.
Researchers deployed honeypots globally using ActiveMQ v5.17.5.
Monitored host with Sekoia Linux agent and Suricata IDS. Honeypots were active since 9 Nov 2023, and the first Kinsing intrusion was tracked on 11 Nov. Daily 2-3 Kinsing intrusions were recorded since 12 Nov, and the attacks were executed from the following two IP addresses:-.
Here below, we have mentioned all the actions that are performed by the Kinsing malware:-.
Here below, we have mentioned all the characteristics of the Kinsing malware:-.
File: ELF 64-bit LSB executable, x86-64, version 1 , statically linked, stripped.
The malware code contains over 60 functions, and below we have mentioned a few of them:-.
The cryptominer that is deployed is XMRig, and the UPX-packed with config details.
Decompressed, it reveals a Monero wallet and nanopool.org URL. However, this wallet has been inactive since Nov 2019.
The CTI Reports link this wallet to Kinsing, but it's.
The numerous breaches highlight how important it is to apply security updates quickly and maintain strict control over weak points, particularly in dockerized services.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 12 Dec 2023 08:25:23 +0000

Cyber News related to Apache ActiveMQ Vulnerability Exploited to Attack Linux Servers

TellYouThePass ransomware joins Apache ActiveMQ RCE attacks - Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution vulnerability previously exploited as a zero-day. The flaw, tracked as CVE-2023-46604, is a maximum severity ...
1 year ago Bleepingcomputer.com

CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago

The Threat That Can't Be Ignored: CVE-2023-46604 in Apache ActiveMQ - There is another vulnerability that demands immediate attention, despite not receiving the level of recognition it truly deserves in the media. Apache ActiveMQ vulnerability, known as CVE-2023-46604, is a Remote Code Execution flaw rated at a ...
8 months ago Cybersecurity-insiders.com

Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
9 months ago Cisa.gov

Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
9 months ago Cisa.gov

3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online - Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution vulnerability. Apache ActiveMQ is a scalable open-source message broker that fosters communication between clients and ...
1 year ago Bleepingcomputer.com

Hackers Actively Exploiting ActiveMQ Vulnerability Install Malware - Attackers have been exploiting the Apache ActiveMQ Vulnerability to steal data and install malware constantly. Using the Apache ActiveMQ remote code execution vulnerability, the Andariel threat group was found to be installing malware last month. ...
1 year ago Gbhackers.com

Godzilla Web Shell Attacks Stomp on Critical Apache ActiveMQ Flaw - Threat actors have unleashed a fresh wave of cyberattacks targeting a critical remote code-execution vulnerability in Apache ActiveMQ, for which the Apache Software Foundation issued a patch back in October. In many of the attacks, the adversary has ...
11 months ago Darkreading.com

Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits - The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. The flaw allows remote code execution and was fixed in late October. Apache's ...
1 year ago Bleepingcomputer.com

Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers - A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof of concept exploits. Apache OFBiz is an open-source enterprise resource planning system many businesses use for e-commerce ...
11 months ago Bleepingcomputer.com

HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability - Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary ...
1 year ago Thehackernews.com

CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
6 months ago Securityaffairs.com

Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
1 year ago Trendmicro.com

Apache ActiveMQ Vulnerability Exploited to Attack Linux Servers - Threat actors actively targeted the Apache ActiveMQ vulnerability to get unauthorized access to messaging systems, leading to potential data breaches and system compromise. Cybersecurity researchers at Sekoia recently identified that the Kinsing ...
1 year ago Cybersecuritynews.com

New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
6 months ago Securityaffairs.com

CISA orders federal agencies to patch Looney Tunables Linux bug - Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions. Dubbed 'Looney Tunables' by Qualys' Threat Research Unit and ...
1 year ago Bleepingcomputer.com

Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
6 months ago Securityaffairs.com

Veeam warns of critical bugs in Veeam ONE monitoring platform - Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical. The company assigned almost maximum severity ratings to the critical security flaws ...
1 year ago Bleepingcomputer.com

Critical Apache Log4j2 flaw still threatens global finance - Critical Apache Log4j2 flaw still threatens global finance. CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise ...
6 months ago Securityaffairs.com

CVE-2020-8023 - A acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in the start script of openldap2 of SUSE Enterprise Storage 5, SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of ...
4 years ago

Monti gang claims the hack of the Wayne Memorial Hospital in Pennsylvania - CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits JetBrains ...
5 months ago Securityaffairs.com

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

CVE-2020-11111 - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). ...
3 years ago

Juniper Networks fixed a critical authentication bypass flaw in some of its routers - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 ...
5 months ago Securityaffairs.com

BreachForums resurrected after FBI seizure - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group ...
6 months ago Securityaffairs.com

Latest Cyber News

CVE-2024-56361 - 8 hours ago
CVE-2024-55950 - 8 hours ago
CVE-2024-53850 - 8 hours ago
CVE-2024-45805 - 8 hours ago
CVE-2024-45600 - 9 hours ago
CVE-2024-12968 - 9 hours ago
CVE-2024-12967 - 9 hours ago
CVE-2024-12966 - 10 hours ago
CVE-2024-56510 - 10 hours ago
CVE-2024-12965 - 10 hours ago
CVE-2024-12964 - 10 hours ago
CVE-2024-12963 - 10 hours ago
CVE-2024-54907 - 12 hours ago
CVE-2024-12962 - 12 hours ago
CVE-2024-12961 - 12 hours ago
CVE-2024-12960 - 12 hours ago
CVE-2024-51540 - 14 hours ago
CVE-2024-12959 - 14 hours ago
CVE-2024-12958 - 14 hours ago
CVE-2024-12908 - 15 hours ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

CVE-2024-12927 - 1 day ago
CVE-2024-12928 - 1 day ago
CVE-2024-12929 - 1 day ago
CVE-2024-12930 - 1 day ago
CVE-2024-12931 - 1 day ago
CVE-2024-12932 - 1 day ago
CVE-2024-12652 - 1 day ago
CVE-2024-12933 - 1 day ago
CVE-2024-12934 - 1 day ago
CVE-2024-12935 - 1 day ago
CVE-2024-12936 - 1 day ago
CVE-2024-10903 - 1 day ago
CVE-2024-11223 - 1 day ago
CVE-2024-12937 - 1 day ago
CVE-2024-12938 - 1 day ago
CVE-2024-12939 - 1 day ago
CVE-2024-12940 - 1 day ago
CVE-2024-12941 - 23 hours ago
CVE-2024-12942 - 23 hours ago
CVE-2023-7300 - 22 hours ago