Apache RocketMQ Vulnerability Lets the Muhstik Botnet Expand Its Attacks

admin, 8 June 2024 21:03:00

The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale.

"Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks," Cloud security firm Aqua said in a report published this week.

First documented in 2018, attack campaigns involving the malware have a history of exploiting known security flaws, specifically those relating to web applications, for propagation.

The latest addition to the list of exploited vulnerabilities is CVE-2023-33246 (CVSS score: 9.8), a critical security flaw affecting Apache RocketMQ that allows a remote and unauthenticated attacker to perform remote code execution by forging the RocketMQ protocol content or using the update configuration function.

Once the shortcoming is successfully abused to obtain initial access, the threat actor proceeds to execute a shell script hosted on a remote IP address, which is then responsible for retrieving the Muhstik binary ("pty3") from another server.

"After gaining the ability to upload the malicious payload by exploiting the RocketMQ vulnerability, the attacker is able to execute their malicious code, which downloads the Muhstik malware," security researcher Nitzan Yaakov said.

Persistence on the host is achieved by means of copying the malware binary to multiple directories and editing the /etc/inittab file -- which controls what processes to start during the booting of a Linux server -- to automatically restart the process.

What's more, the naming of the binary as "pty3" is likely an attempt to masquerade as a pseudoterminal ("pty") and evade detection. Another evasion technique is that the malware is copied to directories such as /dev/shm, /var/tmp, /run/lock, and /run during the persistence phase, which allows it to be executed directly from memory and avoid leaving traces on the system.

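As an added defender-side check (example code written for this page, not part of the Aqua report or the original article), the script below audits a Linux host for the two persistence artifacts just described: executables dropped into /dev/shm, /var/tmp, /run/lock or /run, and /etc/inittab entries that respawn a process from one of those directories. The root prefix and inittab path are parameters so the same functions can be pointed at a mounted disk image (an assumption of this example).

```shell
#!/bin/sh
# Audit for Muhstik-style persistence: binaries parked in memory-backed or
# temp directories, and /etc/inittab entries that restart them on boot.

# Directories the report names as drop locations for the "pty3" binary.
MUHSTIK_DIRS="/dev/shm /var/tmp /run/lock /run"

# find_tmp_executables [ROOT]
# Lists every regular file with the owner-execute bit set under the
# directories above, relative to ROOT (default: live system "/").
# Returns 0 when nothing is found, 1 when at least one hit is printed.
find_tmp_executables() {
    root="${1:-}"
    found=0
    for d in $MUHSTIK_DIRS; do
        [ -d "$root$d" ] || continue
        # Word-splitting on $(find) is fine here: these paths have no spaces.
        for f in $(find "$root$d" -type f -perm -100 2>/dev/null); do
            case "$(basename "$f")" in
                # A "pty*" name in a tmpfs dir mimics a pseudoterminal.
                pty*) echo "SUSPICIOUS (pty-style name): $f" ;;
                *)    echo "executable in temp dir: $f" ;;
            esac
            found=1
        done
    done
    [ "$found" -eq 0 ]
}

# check_inittab [FILE]
# inittab lines have the form  id:runlevels:action:process .  Legitimate
# entries never launch a process from /dev/shm or /var/tmp, so any process
# field pointing into MUHSTIK_DIRS is flagged.  Returns 0 if clean.
check_inittab() {
    file="${1:-/etc/inittab}"
    [ -r "$file" ] || return 0          # no inittab (systemd host): nothing to check
    hits=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        proc=$(printf '%s\n' "$line" | cut -d: -f4-)
        for d in $MUHSTIK_DIRS; do
            case "$proc" in
                *"$d"/*) echo "inittab entry runs from $d: $line"
                         hits=$((hits + 1)); break ;;
            esac
        done
    done < "$file"
    [ "$hits" -eq 0 ]
}
```

Run both functions as root on the live host, or pass a mount point and a copied inittab to inspect a forensic image offline.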
Muhstik comes equipped with features to gather system metadata, laterally move to other devices over a secure shell (SSH), and ultimately establish contact with a command-and-control (C2) domain to receive further instructions using the Internet Relay Chat (IRC) protocol.

The end goal of the malware is to weaponize the compromised devices to perform different types of flooding attacks against targets of interest, effectively overwhelming their network resources and triggering a denial-of-service condition.

With 5,216 vulnerable instances of Apache RocketMQ still exposed to the internet after more than a year of public disclosure of the flaw, it's essential that organizations take steps to update to the latest version in order to mitigate potential threats.

"Moreover, in previous campaigns, cryptomining activity was detected after the execution of the Muhstik malware," Yaakov said. "These objectives go hand in hand, as the attackers strive to spread and infect more machines, which helps them in their mission to mine more cryptocurrency using the electrical power of the compromised machines."

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly secured MS-SQL servers are being targeted by threat actors to deliver various types of malware, ranging from ransomware and remote access trojans to proxyware.

"Administrators must use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute-force attacks and dictionary attacks," ASEC said. "They must also apply the latest patches to prevent vulnerability attacks."

References

[1]https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html

Originally published on the WeChat public account 知机安全: Apache RocketMQ Vulnerability Lets the Muhstik Botnet Expand Its Attacks

Reposted via CN-SEC中文网: https://cn-sec.com/archives/2826224.html