
Muhstik Botnet Exploits Apache RocketMQ Flaw to Amplify DDoS Attacks

Updated on June 7, 2024

The Muhstik botnet, known for its distributed denial-of-service (DDoS) attacks, is exploiting a recently patched security vulnerability in Apache RocketMQ to commandeer vulnerable servers and expand its reach.


Aqua, a cloud security firm, reports that Muhstik is notorious for targeting IoT devices and Linux-based servers, infecting them to mine cryptocurrency and launch DDoS attacks. First documented in 2018, the botnet typically propagates by exploiting known security flaws in web applications.


The latest vulnerability Muhstik exploits is CVE-2023-33246 (CVSS score: 9.8), a critical flaw in Apache RocketMQ. It lets a remote, unauthenticated attacker execute commands on the broker host as the user RocketMQ runs as, either by abusing the broker's update-configuration function or by forging RocketMQ protocol content. RocketMQ 5.1.0 and earlier are affected; the fix shipped in 5.1.1 for the 5.x line and 4.9.6 for the 4.x line.

Once the flaw is exploited, the attackers run a shell script fetched from a remote IP address, which in turn downloads the Muhstik binary ("pty3") from another server. The malware gains persistence by copying itself to multiple directories and adding an entry to /etc/inittab, the file that tells a SysV-style init which processes to start (and respawn) when a Linux server boots.

The name "pty3" is likely an attempt to pass as a pseudoterminal ("pty") device and evade casual inspection. The malware is also copied to directories such as /dev/shm, /var/tmp, /run/lock and /run. Several of these (/dev/shm and /run in particular) are normally memory-backed tmpfs mounts, so running from them leaves few traces on persistent disk; those copies do not survive a reboot, which is what the inittab entry is there to compensate for.
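A quick host triage for the indicators just described, as an added example (this is not code from Aqua's report or from the page): it looks for a file named pty3 under the listed drop directories and for /etc/inittab entries that launch something named pty3 or anything living in one of those directories. The directory list and binary name come from the text above; the sample inittab, the placeholder file contents and the throwaway root directory it builds are constructed for the demo. On a real host you would point `triage()` at `/` and treat any hit as a lead to investigate, not as proof of infection.

```python
"""Host triage for the Muhstik persistence indicators described above.

Added example, not Aqua's or the malware author's code. Assumes the
indicators are: a binary named "pty3" dropped into tmpfs-style
directories, and an /etc/inittab entry that starts it. The sample
inittab text and the temporary directory tree are constructed here
purely for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Drop locations named in the write-up (note: /var/tmp is usually on disk,
# the others are commonly tmpfs). Order does not matter; hits are deduplicated.
DROP_DIRS = ("/dev/shm", "/var/tmp", "/run/lock", "/run")
MALWARE_NAME = "pty3"

# SysV inittab entry: id:runlevels:action:process  (lines starting '#' are comments)
INITTAB_RE = re.compile(r"^(?P<id>[^:#\s]+):(?P<rl>[^:]*):(?P<action>[^:]*):(?P<process>.+)$")


@dataclass
class Findings:
    dropped_binaries: list = field(default_factory=list)
    inittab_entries: list = field(default_factory=list)

    def suspicious(self) -> bool:
        return bool(self.dropped_binaries or self.inittab_entries)


def _under_drop_dir(path: str) -> bool:
    """True if an absolute path is, or is inside, one of the drop directories."""
    return any(path == d or path.startswith(d + "/") for d in DROP_DIRS)


def scan_drop_dirs(root: str = "/") -> list:
    """Walk each drop directory below `root` and collect files named pty3."""
    hits = set()
    for d in DROP_DIRS:
        base = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(base):
            continue
        for dirpath, _subdirs, files in os.walk(base):
            for name in files:
                if name == MALWARE_NAME:
                    # realpath dedupes /run/lock hits seen again via /run
                    hits.add(os.path.realpath(os.path.join(dirpath, name)))
    return sorted(hits)


def scan_inittab(text: str) -> list:
    """Return inittab lines whose process field references pty3 or a drop dir."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INITTAB_RE.match(line)
        if not m:
            continue  # comment, blank, or entry with no process (e.g. initdefault)
        tokens = m.group("process").split()
        if any(os.path.basename(t) == MALWARE_NAME or _under_drop_dir(t) for t in tokens):
            flagged.append(line)
    return flagged


def triage(root: str = "/") -> Findings:
    """Run both checks against a filesystem tree rooted at `root`."""
    findings = Findings(dropped_binaries=scan_drop_dirs(root))
    inittab = os.path.join(root, "etc", "inittab")
    if os.path.isfile(inittab):
        with open(inittab, encoding="utf-8", errors="replace") as fh:
            findings.inittab_entries = scan_inittab(fh.read())
    return findings


# Constructed sample inittab: three benign entries and one that respawns
# the dropped binary from /dev/shm. Not a real capture.
SAMPLE_INITTAB = """\
# constructed sample /etc/inittab for the demo
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
x1:2345:respawn:/dev/shm/pty3
"""


def build_sample_host() -> str:
    """Create a throwaway root with two planted pty3 files and the sample inittab."""
    root = tempfile.mkdtemp(prefix="muhstik-demo-")
    for rel in ("dev/shm/pty3", "run/lock/pty3"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF")  # placeholder bytes only, not the real binary
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "inittab"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INITTAB)
    return root


if __name__ == "__main__":
    demo_root = build_sample_host()
    result = triage(demo_root)
    print("dropped binaries:", result.dropped_binaries)
    print("inittab entries :", result.inittab_entries)
    print("suspicious      :", result.suspicious())
```

The inittab check matches on the process field only, so a benign `/sbin/getty` entry is ignored while anything launched from a tmpfs drop directory is flagged; on systemd hosts /etc/inittab is usually absent, in which case only the directory scan contributes and you would extend the same idea to cron entries and unit files.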

Muhstik's capabilities include gathering system metadata, moving laterally to other devices over SSH, and contacting a command-and-control (C2) domain over the Internet Relay Chat (IRC) protocol to receive further instructions. Its primary purpose is to use compromised devices for various flooding attacks that overwhelm network resources and cause denial-of-service conditions.

Although the RocketMQ flaw was publicly disclosed more than a year ago, 5,216 vulnerable instances remain exposed to the internet. Affected organizations should upgrade to a fixed release (5.1.1 or later for RocketMQ 5.x, 4.9.6 or later for 4.x) and, as a general rule, keep the RocketMQ broker and NameServer ports off the public internet, since the message queue has no business being reachable from it.

In addition to DDoS attacks, previous campaigns have detected cryptomining activity following the execution of Muhstik malware. These objectives are aligned, as infecting more machines enables attackers to mine more cryptocurrency using the compromised machines’ electrical power.

The disclosure coincides with a report from the AhnLab Security Intelligence Center (ASEC) that poorly secured MS-SQL servers are also being targeted by various types of malware, including ransomware, remote access trojans, and proxyware.


ASEC advises administrators to use strong passwords, change them periodically, and apply the latest patches to protect these servers against brute-force and dictionary attacks.


Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
