The Muhstik botnet, known for targeting IoT devices and Linux servers, has been found exploiting a severe vulnerability in Apache RocketMQ to infect more systems. This flaw, CVE-2023-33246, allows remote attackers to execute code by manipulating the RocketMQ protocol, leading to the download and installation of the Muhstik malware. After initial access, the malware achieves persistence by copying itself to multiple directories and modifying system files to ensure it restarts on boot.
Once installed, Muhstik gathers system data, moves laterally to other devices via SSH, and connects to a command-and-control domain for further instructions. Its main objectives are to conduct DDoS attacks and engage in cryptomining activities, leveraging the compromised devices’ resources. These tactics not only disrupt target networks but also generate cryptocurrency for the attackers.
Despite the public disclosure of the vulnerability over a year ago, more than 5,000 Apache RocketMQ instances remain exposed online. This highlights the critical need for organizations to update their systems to prevent potential breaches and mitigate security risks.
The AhnLab Security Intelligence Center has also noted that poorly secured MS-SQL servers are being targeted by various malware, including ransomware and remote access trojans. Administrators are advised to use strong, regularly updated passwords and apply the latest patches to safeguard against such threats.
Reference:
