Saturday, March 15, 2025

Muhstik Botnet Targets Apache RocketMQ for DDoS

Muhstik Botnet Exploits Apache RocketMQ Flaw for Server Takeover and Expansion


The Muhstik botnet, long known for targeting IoT devices and Linux servers, is now exploiting a critical Apache RocketMQ flaw, tracked as CVE-2023-33246, to take over vulnerable servers and grow its network. Cloud security firm Aqua, which documented the campaign, reports that the compromised hosts are put to work mining cryptocurrency and launching Distributed Denial of Service (DDoS) attacks.

First observed in 2018, Muhstik has a history of spreading through known vulnerabilities, particularly in web applications. CVE-2023-33246 is a remote code execution flaw: when RocketMQ's NameServer or broker ports are reachable without authentication, an attacker can abuse the configuration-update function, or forge RocketMQ protocol messages, to run commands as the user the RocketMQ service runs as. The attackers use this to download and install the Muhstik malware, then establish persistence by copying it into several directories and editing system startup files so the process is relaunched automatically.

The binary is named "pty3" so that it blends in with legitimate system files, and it can execute directly from memory, leaving few traces on disk. Muhstik also collects system metadata, moves laterally over SSH, and reaches its command-and-control (C2) domain over the IRC protocol. The main purpose of the infection is to enlist the compromised machine in flooding attacks that overwhelm target networks and disrupt services.
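The persistence and in-memory behaviour described above translates into a few host-level checks an incident responder can run. The following is an added example, not code from the article or from Aqua's report. The malware name "pty3" comes from the article; the list of scratch directories and autostart files, and the memfd/deleted-executable heuristic, are general Linux triage assumptions rather than indicators taken from the page. All sample data is constructed.

```python
"""
Host triage for Muhstik-style persistence (added example, not from the article
or Aqua's report). Assumptions: dropped binary is named "pty3"; CANDIDATE_DIRS
and AUTOSTART_FILES are a generic list, not an indicator set from the page.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

MALWARE_NAME = "pty3"

# Assumption: writable scratch directories a dropper commonly copies itself into.
CANDIDATE_DIRS = ["/dev/shm", "/var/tmp", "/tmp", "/run", "/run/lock", "/var/run"]

# Assumption: files that relaunch a process at boot or on a schedule.
AUTOSTART_FILES = ["/etc/inittab", "/etc/rc.local", "/etc/crontab", "/var/spool/cron/root"]


def find_dropped_copies(present_paths: Iterable[str], name: str = MALWARE_NAME) -> List[str]:
    """Return paths whose basename equals `name` and that live in a candidate directory."""
    hits = [p for p in present_paths
            if os.path.basename(p) == name and os.path.dirname(p) in CANDIDATE_DIRS]
    return sorted(hits)


def find_autostart_entries(file_contents: Dict[str, str],
                           name: str = MALWARE_NAME) -> List[Tuple[str, str]]:
    """Scan autostart files for non-comment lines that launch `name` as a whole token."""
    pattern = re.compile(r"(^|[\s/;&|])" + re.escape(name) + r"(\s|$)")
    found = []
    for path in AUTOSTART_FILES:
        for line in file_contents.get(path, "").splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if pattern.search(stripped):
                found.append((path, stripped))
    return found


def find_memory_resident(exe_links: Dict[int, str]) -> List[int]:
    """PIDs whose /proc/<pid>/exe target is an unlinked file or a memfd-backed image.
    General Linux heuristic for a binary that keeps running after its file is gone."""
    return sorted(pid for pid, target in exe_links.items()
                  if target.endswith("(deleted)") or target.startswith("/memfd:"))


# --- constructed sample data, standing in for a filesystem walk and /proc reads ---
SAMPLE_PATHS = ["/dev/shm/pty3", "/var/tmp/pty3", "/usr/bin/pty3x",
                "/home/u/pty3", "/run/lock/pty3"]
SAMPLE_FILES = {
    "/etc/inittab": "# constructed\nid:3:initdefault:\nmh:2345:respawn:/dev/shm/pty3\n",
    "/etc/rc.local": "#!/bin/sh\n/var/tmp/pty3 &\nexit 0\n",
    "/etc/crontab": "* * * * * root /usr/bin/updatedb\n# pty3 mentioned only in a comment\n",
}
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    5: "/usr/sbin/sshd",
    4242: "/dev/shm/pty3 (deleted)",
    4243: "/memfd:x (deleted)",
}


def triage() -> dict:
    """Run all three checks over the constructed sample data."""
    return {
        "copies": find_dropped_copies(SAMPLE_PATHS),
        "autostart": find_autostart_entries(SAMPLE_FILES),
        "memory_resident": find_memory_resident(SAMPLE_EXE_LINKS),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

On a live host the three inputs would come from walking the candidate directories, reading the autostart files, and resolving `/proc/<pid>/exe` for every PID; the functions are kept free of I/O so the same logic can be run against a forensic image or a collected triage bundle.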

Although the RocketMQ flaw was disclosed and patched over a year ago, 5,216 vulnerable instances remain exposed on the internet. Organizations running RocketMQ should upgrade to a fixed release (5.1.1 or later on the 5.x line, 4.9.6 or later on 4.x) and ensure that NameServer and broker ports are not reachable from untrusted networks. The same infections have also been linked to cryptomining, which shows the attackers' dual goals: disrupting services with DDoS traffic and monetizing the compromised machines directly.
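A quick way to act on the upgrade advice across a fleet is to compare each deployment's version against the fixed releases and rank the unpatched, internet-facing ones first. The script below is an added example and is not code from the article or the Apache RocketMQ project; the fixed version numbers (5.1.1 for 5.x, 4.9.6 for 4.x) are taken from the Apache advisory for CVE-2023-33246, and the inventory records are constructed.

```python
"""
CVE-2023-33246 version triage for an Apache RocketMQ inventory.
Added example, not project code. Fixed releases per the Apache advisory:
5.1.1 for the 5.x line and 4.9.6 for the 4.x line. Inventory data is constructed.
"""
from typing import Dict, List, Tuple

FIXED = {5: (5, 1, 1), 4: (4, 9, 6)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1.0', 'v4.9.6' or '5.1.1-SNAPSHOT' into a comparable integer tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its major line."""
    parsed = parse_version(version)
    major = parsed[0]
    if major > 5:
        return True            # later major lines were released after the fix
    if major < 4:
        return False           # 3.x and older never received the fix
    # Tuple comparison handles short strings: (5, 1) < (5, 1, 1)
    return parsed >= FIXED[major]


def triage_inventory(records: List[Dict]) -> List[Tuple[str, str, bool]]:
    """Return (host, version, internet_exposed) for unpatched hosts, exposed ones first."""
    unpatched = [(r["host"], r["version"], bool(r["internet_exposed"]))
                 for r in records if not is_patched(r["version"])]
    return sorted(unpatched, key=lambda entry: (not entry[2], entry[0]))


# Constructed inventory, not real hosts.
INVENTORY = [
    {"host": "mq-prod-1", "version": "5.1.0", "internet_exposed": True},
    {"host": "mq-prod-2", "version": "5.1.1", "internet_exposed": True},
    {"host": "mq-legacy", "version": "4.9.4", "internet_exposed": False},
    {"host": "mq-dev", "version": "4.9.6", "internet_exposed": False},
    {"host": "mq-stage", "version": "v5.0.0", "internet_exposed": True},
]


if __name__ == "__main__":
    for host, version, exposed in triage_inventory(INVENTORY):
        print(f"{host}: {version} unpatched, internet exposed={exposed}")
```

A version check only tells you the host is exploitable; because the flaw is reachable through unauthenticated RocketMQ ports, the exposure flag is what decides which boxes get patched, or firewalled off, first.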

The same reporting notes a related trend: poorly secured MS-SQL servers are increasingly being targeted by a range of malware. AhnLab Security Intelligence Center advises administrators to use strong, regularly rotated passwords and to keep servers patched, which addresses both brute-force logins and exploitation of known vulnerabilities.

The increasing sophistication and diversification of botnet attacks underscore the critical need for enhanced security protocols and practices within organizations and among individual users to protect against the evolving threat landscape.

Stay updated with the latest in cybersecurity by following industry news and adopting best practices for digital security.
