Cybersecurity researchers have observed a rise in threat actor activity exploiting a now-patched flaw in Apache ActiveMQ (CVE-2023-46604) to deploy the Godzilla web shell, which is built to evade detection and gives the attacker remote code execution on the broker host. The web shell is concealed inside an unknown binary format, which lets it slip past signature-based security scanners. The same flaw has already been abused to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets. Users of Apache ActiveMQ are urged to update to a fixed release to close the hole.
The Kinsing threat group is exploiting a critical vulnerability in Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. Once on the host, the malware runs a mining script that consumes the machine's CPU, degrading system performance and driving up infrastructure cost. Kinsing is known for targeting misconfigured containerized environments and for quickly folding newly disclosed flaws into its toolset. Organizations are advised to update to a patched version of Apache ActiveMQ to mitigate the threat.
The Kinsing malware is exploiting a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ to compromise Linux systems. Although a patch has been released, thousands of servers remain exposed to the internet, and ransomware gangs such as HelloKitty and TellYouThePass are exploiting the same flaw. Kinsing targets Linux systems and deploys cryptocurrency miners on the vulnerable servers. The malware uses Java's ProcessBuilder to execute malicious bash scripts and download additional payloads, a technique chosen to evade detection. It establishes persistence through a cron job and installs a rootkit that the system loads into every new process, so the rootkit's code runs alongside everything on the host. Organizations are urged to upgrade Apache ActiveMQ to a fixed release (5.15.16, 5.16.7, 5.17.6 or 5.18.3, or any later version) to mitigate the threat.