Description
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and launching distributed denial-of-service attacks. The report also analyzes the prevalence of vulnerable RocketMQ instances worldwide and provides recommendations for securing cloud-native environments.
Date
| Published | Created | Modified |
|---|---|---|
| June 6, 2024, 6:44 p.m. | June 6, 2024, 6:44 p.m. | June 6, 2024, 7:09 p.m. |
Indicators
a7bf3c031ab66265ce724fc26c8f7565442a098b06b01ea8871f13179d168713
1f9cda58cea6c8dd07879df3e985499b18523747482e8f7acd6b4b3a82116957
176c57e3fa7da2fb2afcd18242b79e5881c2244f5ab836897d4846885f1bd993
9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572
86947b00a3d61b82b6f752876404953ff3c39952f2b261988baf63fbbbd6d6ae
6730eb04edf45d590939d7ba36ca0d4f1d2f28a2692151e3c631e9f2d3612893
91.200.43.22
94.224.82.40
89.36.76.42
91.148.224.34
89.36.76.38
54.36.49.151
51.79.19.53
194.59.165.52
161.35.219.184
139.180.185.248
139.159.192.50
138.197.78.18
Attack Patterns
Muhstik
T1567
T1189
T1199
T1105
T1071
T1543
T1055
T1036
T1592
T1195
T1562
T1190
T1059
CVE-2023-33246