Yay .. the MV for the other single just dropped. Love! Happy Anniversary, Day6!

DAY6(데이식스) "꿈의 버스" (Dream Bus)
https://www.youtube.com/watch?v=hZ6pts6e8dI

#Day6 #DreamBus #TheDecade #NewMusic #KPop

🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

Key Points:

Vulnerability Disclosure:

• In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

Exploitation by DreamBus Botnet:

• Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

Attack Timeline:

• Attacks began in early June and peaked in mid-June.
• Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

Reconnaissance and Malicious Activities:

• Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
• From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
• Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

Technical Details:

• The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
• Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
• The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

Malware Capabilities:

• The malware can perform various functions like downloading other modules and sending notifications to the server.
• It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

Implications:

• The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

Indicators of Compromise (IoCs) for DreamBus Botnet:

• IP and Servers:

  • 92[.]204.243.155: Download Server
  • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server

• Scripts and Miners:

  • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
  • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner

• DreamBus Bot Hashes:

  • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
  • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
  • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
  • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
  • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
  • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
  • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

Source: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability

#InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️