Threat actors behind the Kinsing malware are actively exploiting a remote code execution vulnerability in the Apache ActiveMQ open-source message broker to infect Linux systems with cryptocurrency miners.
Tracked as CVE-2023-46604, the flaw affects the OpenWire protocol and allows a remote hacker to run arbitrary shell commands. The vulnerability was fixed in October 2023.
Kinsing primarily targets Linux-based systems and can infiltrate servers and spread rapidly across a network. The malware gains access by exploiting vulnerabilities in web applications or misconfigured container environments.
In addition to the Apache ActiveMQ bug, the Kinsing threat actors have been observed exploiting CVE-2023-4911 (aka Looney Tunables), a privilege escalation flaw in the GNU Glibc library, according to Trend Micro researchers.
Once Kinsing infects a system, it deploys a cryptocurrency-mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, degrading the infrastructure and system performance in the process.
After infiltrating the system, the Kinsing malware and the crypto miner download a malicious installer, execute a bash script, and then fetch additional payloads for various architectures from the command-and-control server.
One of the noteworthy aspects of this campaign is that Kinsing actively looks for rival crypto miners, crontabs, and active network connections and eliminates them.
Since November, several threat actors have been observed taking advantage of the Apache ActiveMQ RCE vulnerability, including the HelloKitty ransomware operation. Given this, organizations that use Apache ActiveMQ are strongly advised to patch CVE-2023-46604 as soon as possible to mitigate the risk of cyberattacks.