Perfctl: the stealth malware threatening Linux servers

Security alert for Linux servers: Perfctl, the persistent malware that has evaded detection for three years and hijacks resources for cryptomining

Gomoot: technology and lifestyle. Discover the latest news on hardware, technology and more
"Evaluating persistent, replicated message queues" mega article by @adamwarski et al. is pure gold. https://softwaremill.com/mqperf/ Features #Kafka #PostgreSQL #mongodb #Redis #Pulsar #NATS #SQS #RocketMQ #RabbitMQ #ActiveMQ #RedPanda and more
Evaluating persistent, replicated message queues

How do SQS, RabbitMQ, ActiveMQ Artemis, EventStore, Kafka, Pulsar, RedPanda, RocketMQ, PostgreSQL, NATS Streaming, Redis Streams and MongoDB compare when it comes to queueing?

Patch now! Attacks on the Apache RocketMQ messaging platform

Attackers are currently scanning more and more for vulnerable RocketMQ servers. Security updates are available.

heise online
US CISA added critical Apache RocketMQ flaw to its Known Exploited Vulnerabilities catalog

US CISA added critical vulnerability CVE-2023-33246 in Apache RocketMQ to its Known Exploited Vulnerabilities catalog.

Security Affairs

🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

Key Points:

Vulnerability Disclosure:

  • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

Exploitation by DreamBus Botnet:

  • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

Attack Timeline:

  • Attacks began in early June and peaked in mid-June.
  • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

Reconnaissance and Malicious Activities:

  • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
  • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
  • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

Technical Details:

  • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
  • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
  • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

Malware Capabilities:

  • The malware can perform various functions like downloading other modules and sending notifications to the server.
  • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

Implications:

  • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

Indicators of Compromise (IoCs) for DreamBus Botnet:

  • IP and Servers:

    • 92[.]204.243.155: Download Server
    • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
  • Scripts and Miners:

    • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
    • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
  • DreamBus Bot Hashes:

    • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
    • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
    • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
    • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
    • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
    • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
    • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

Source: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability

#InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️
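The post above ends with a list of SHA256 hashes and two defanged network indicators. As an added example that is not part of the post or of the Juniper report, the script below turns those published IoCs into a defensive sweep: it refangs the indicators, hashes every file under a directory and reports matches, and scans log lines for the download server and the .onion host. The hashes and indicators are copied verbatim from the post; the sample log lines and the file created by `demo_sweep()` are constructed for illustration and are not real artefacts.

```python
import hashlib
import os
import re
import tempfile

# SHA256 hashes published in the Juniper Threat Labs post quoted above.
DREAMBUS_SHA256 = {
    "1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047": "reketed bash script downloader",
    "1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d": "XMRig miner",
    "601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443": "DreamBus bot",
    "153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2": "DreamBus bot",
    "e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d": "DreamBus bot",
    "9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f": "DreamBus bot",
    "371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c": "DreamBus bot",
    "21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417": "DreamBus bot",
    "0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f": "DreamBus bot",
}

# Network indicators from the same post, kept defanged as published.
DEFANGED_NETWORK_IOCS = [
    "92[.]204.243.155",
    "ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion",
]

# Constructed sample log lines (not from any real incident) used by the demo.
SAMPLE_LOG = [
    "Jun 19 10:02:11 broker curl[2231]: connect to 92.204.243.155 port 80",
    "Jun 19 10:02:12 broker sshd[2240]: Accepted publickey for ops from 10.0.0.5",
    "Jun 19 10:02:15 broker torsocks[2250]: resolving "
    "ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion",
]


def refang(indicator):
    """Undo the usual defanging so the indicator can be matched against real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_of_file(path):
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, hashes=DREAMBUS_SHA256):
    """Walk `root` and return (path, digest, label) for every file whose hash is in `hashes`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                # Unreadable files (permissions, sockets, races) are skipped, not fatal.
                continue
            if digest in hashes:
                hits.append((path, digest, hashes[digest]))
    return hits


def scan_log_lines(lines, indicators=DEFANGED_NETWORK_IOCS):
    """Return (line_number, line) for every line that mentions a refanged indicator."""
    pattern = re.compile("|".join(re.escape(refang(i)) for i in indicators))
    return [(n, line) for n, line in enumerate(lines, 1) if pattern.search(line)]


def demo_sweep():
    """Create a constructed sample file, hash it, and confirm the sweep flags it.

    The real DreamBus hashes cannot be reproduced here, so the demo feeds the
    sweep a one-entry hash table built from the constructed file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not real malware\n")
        digest = sha256_of_file(sample)
        return sweep_directory(tmp, {digest: "constructed test entry"})


if __name__ == "__main__":
    for n, line in scan_log_lines(SAMPLE_LOG):
        print(f"log line {n} matches a DreamBus indicator: {line}")
    for path, digest, label in sweep_directory("."):
        print(f"{path}: {digest} ({label})")
```

On a real host, run `sweep_directory` against the paths the post names as staging areas for the downloader and the miner, and feed `scan_log_lines` the proxy, DNS or shell-history logs where an outbound fetch to the download server or the .onion host would be recorded.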

DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability | Official Juniper Networks Blogs

In May 2023, a vulnerability affecting RocketMQ servers (CVE-2023-33246), which allows remote code execution, was publicly disclosed. In a recent blog post, Juniper Threat Labs provided a detailed explanation of

Official Juniper Networks Blogs

Exploitation of CVE-2023-33246 is real and happening. That's a CVSS 9.8 for RocketMQ.

Bottom line up front, test your publicly exposed services for exploitability: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT

The test isn't perfect; we found that it produced a false negative against a vulnerable product (version 4.8), but it successfully identified others.

TA performs scan and hits with test values, executes RCE to modify iptables to allow SSH from attacking host (using what we believe are compromised vendor credentials - this part needs further investigation), and then hits host with a full-fledged attack. Fairly thorough, we found two instances of persistence, aggressive log clean up and file clean up, and pretty decent techniques for hiding malicious commands.

All for a fucking Monero miner.

They knew what they were doing and knew this product inside and out. They knew how to try to disable protection (but couldn't on this host - shout out to Cybereason). There was no looking around, no enumeration. Just straight up scripted execution.

If you're running #Yeastar - check your shit. You have #RocketMQ running and may not know it. If you're not, check anyways. The need for #SBOM for all is so goddamn real.
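The post above describes the attacker using the RocketMQ RCE to add an iptables rule that opens SSH to their own host. One cheap detection is to audit `iptables-save` output for INPUT ACCEPT rules on a given port whose source is not inside an approved range. The script below is an added example, not code from the post or from any vendor; the `iptables-save` text is constructed (203.0.113.77 is a documentation address standing in for an unexpected source), and the same function also flags a broker port such as 10911 when it is reachable from anywhere.

```python
import ipaddress
import shlex

# Constructed iptables-save output for illustration: one approved SSH rule,
# one SSH rule from an address nobody approved, and the RocketMQ broker port
# open to the world.
IPTABLES_SAVE_SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.77/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10911 -j ACCEPT
COMMIT
"""


def _parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value (True for flags)."""
    toks = shlex.split(line)
    opts = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def find_broad_accepts(iptables_save_text, port, allowed_sources):
    """Return INPUT ACCEPT rules for `port` whose source is not within an allowed network.

    A rule with no -s is treated as 0.0.0.0/0, which is exactly the shape an
    attacker-added 'let me in' rule usually has.
    """
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    findings = []
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        opts = _parse_rule(line)
        if opts.get("-j") != "ACCEPT" or opts.get("--dport") != str(port):
            continue
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"))
        permitted = any(
            net.version == src.version and src.subnet_of(net) for net in allowed
        )
        if not permitted:
            findings.append(line)
    return findings


if __name__ == "__main__":
    # On a live host replace the sample with the output of `iptables-save`.
    for rule in find_broad_accepts(IPTABLES_SAVE_SAMPLE, 22, ["10.0.0.0/8"]):
        print("unexpected SSH accept rule:", rule)
    for rule in find_broad_accepts(IPTABLES_SAVE_SAMPLE, 10911, ["10.0.0.0/8"]):
        print("RocketMQ broker port open too widely:", rule)
```

Baseline the expected rule set once, then run this from a cron job or your EDR's script runner and alert on any rule it returns; a new ACCEPT for port 22 from a single /32 that is not in your bastion range is the footprint the post describes.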

GitHub - Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT: CVE-2023-33246 RocketMQ RCE Detect By Version and Exploit

GitHub