Warning: RocketMQ Vulnerability Actively Exploited by Threat Actors – Source: heimdalsecurity.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a new critical-severity vulnerability to its KEV catalog. The issue is tracked as CVE-2023-33246 and it affects Apache’s RocketMQ distributed messaging and streaming platform.

Exploiting the vulnerability is possible without authentication and has been leveraged actively by threat actors since at least June. Multiple threat actors may be actively exploiting this vulnerability. Even operators of the DreamBus botnet are known to exploit it after they’ve been caught deploying a Monero cryptocurrency miner.

What We Known About the Vulnerability?

CISA issued a warning to federal agencies, but businesses should follow it too, to patch the CVE-2023-33246 vulnerability for Apache RocketMQ installations on their systems by September 27^th. The versions affected are version 5.1.0 and below. If updating the app is not possible, CISA recommends discontinuing using the product.

CISA notes that attackers can exploit the vulnerability “by using the update configuration function to execute commands as the system users that RocketMQ is running.” The outcome is the same if an attacker forges the RocketMQ protocol content, according to the U.S. National Institute of Standards and Technology (NIST).

After Jacob Baines, a cybersecurity researcher, provided technical details outlining the security issue, CISA issued a warning on CVE-2023-33246.

Threat actors can take advantage of the problem because certain RocketMQ components, such as NameServer, Broker, and Controller, are available on the open internet. While trying to find how many potential targets are exposed online, Baines also looked for hosts with the TCP port 9876 used by the RocketMQ Nameserver and found about 4,500 systems.

Multiple Threat Actors Leverage the Vulnerability

The researcher found “a variety of malicious payloads” while scanning possibly vulnerable devices, indicating that several threat actors are making use of the flaw. Some of the executables dropped after abusing RocketMQ exhibit strange behavior, but are not currently flagged as dangerous.

The samples’ questionable actions include erasing themselves, executing commands to change permissions, enumerating processes, dumping credentials, reading the “known_hosts” file and SSH private keys, encoding and encrypting data, and reading the bash history, among other questionable actions.

Apache released an update that addresses the issue and highly recommends its users switch to the latest version of the application to be protected.

If you want to keep up to date with everything we post, don’t forget to follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.