Effective URL: https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html
MUHSTIK BOTNET EXPLOITING APACHE ROCKETMQ FLAW TO EXPAND DDOS ATTACKS

Jun 06, 2024Ravie LakshmananBotnet / DDoS Attack
 * The Muhstik botnet exploits a critical Apache RocketMQ flaw (CVE-2023-33246)
   for unauthenticated remote code execution, adding Linux servers and IoT
   devices to a fleet used for DDoS attacks and cryptocurrency mining.
 * Infection starts with a shell script fetched from a remote IP address that
   downloads the Muhstik binary ("pty3"); persistence comes from copying the
   binary into several volatile directories and editing /etc/inittab.
 * With more than 5,000 vulnerable Apache RocketMQ instances still exposed to
   the internet, organizations should upgrade to a fixed release. Separately,
   ASEC reports that poorly secured MS-SQL servers are being brute-forced, and
   advises strong, periodically rotated passwords plus current patches.

The distributed denial-of-service (DDoS) botnet known as Muhstik has been
observed leveraging a now-patched security flaw impacting Apache RocketMQ to
co-opt susceptible servers and expand its scale.

"Muhstik is a well-known threat targeting IoT devices and Linux-based servers,
notorious for its ability to infect devices and utilize them for cryptocurrency
mining and launching Distributed Denial of Service (DDoS) attacks," cloud
security firm Aqua said in a report published this week.

First documented in 2018, attack campaigns involving the malware have a history
of exploiting known security flaws, specifically those relating to web
applications, for propagation.

The latest addition to the list of exploited vulnerabilities is CVE-2023-33246
(CVSS score: 9.8), a critical security flaw in Apache RocketMQ that allows a
remote, unauthenticated attacker to execute commands as the user the broker
runs as, either by calling the update configuration function or by forging
RocketMQ protocol content. The root cause is that the NameServer, Broker and
Controller components perform no permission check on these operations when
they are reachable; Apache fixed the issue in RocketMQ 4.9.6 and 5.1.1.
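Because the vulnerable operation is an ordinary, unauthenticated management request over RocketMQ's plaintext TCP remoting protocol, it can be spotted on the wire. The following Python is an added example, not code from the article or from the Aqua report: it decodes a remoting frame and flags any UPDATE_BROKER_CONFIG request, with a further heuristic for configuration values that carry shell syntax. The frame layout (4-byte total length, 4-byte serialization-type/header-length word, JSON header, body), the JSON header field names and the request code 25 are taken from the RocketMQ source; the shell-metacharacter heuristic, the `version`/`opaque` values and all sample frames are this example's own constructions.

```python
import json
import struct

# Constants from the RocketMQ source (RequestCode, SerializeType, RemotingCommand), not from the article.
UPDATE_BROKER_CONFIG = 25      # RequestCode.UPDATE_BROKER_CONFIG
GET_BROKER_CONFIG = 26         # RequestCode.GET_BROKER_CONFIG, used here only as an unrelated request
SERIALIZE_JSON = 0             # SerializeType.JSON: the header is a JSON object
RESPONSE_FLAG = 0x1            # bit 0 of the header "flag" marks a response; requests have it clear
# Heuristic (this example's assumption): a broker setting should never contain shell syntax.
SHELL_META = (";", "&", "|", "`", "$(")


def encode_frame(header: dict, body: bytes = b"") -> bytes:
    """Wire layout: [total length][serialize type << 24 | header length][JSON header][body]."""
    header_bytes = json.dumps(header, separators=(",", ":")).encode()
    if len(header_bytes) > 0xFFFFFF:
        raise ValueError("header too large for the 24-bit length field")
    type_and_len = (SERIALIZE_JSON << 24) | len(header_bytes)
    total = 4 + len(header_bytes) + len(body)        # the total excludes its own 4 bytes
    return struct.pack(">II", total, type_and_len) + header_bytes + body


def decode_frame(frame: bytes):
    """Inverse of encode_frame; rejects truncated or mis-sized frames instead of guessing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the two length fields")
    total, type_and_len = struct.unpack(">II", frame[:8])
    if total != len(frame) - 4:
        raise ValueError("total length field does not match the frame size")
    if type_and_len >> 24 != SERIALIZE_JSON:
        raise ValueError("only JSON header serialization is handled here")
    header_len = type_and_len & 0xFFFFFF
    if 8 + header_len > len(frame):
        raise ValueError("header length exceeds the frame")
    header = json.loads(frame[8:8 + header_len])
    return header, frame[8 + header_len:]


def parse_properties(body: bytes) -> dict:
    """UPDATE_BROKER_CONFIG carries newline-separated key=value pairs in the body."""
    props = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inspect_frame(frame: bytes) -> dict:
    """Classify one frame: is it a request, is it a config update, which keys look like injection attempts."""
    header, body = decode_frame(frame)
    is_request = not (header.get("flag", 0) & RESPONSE_FLAG)
    finding = {"code": header.get("code"), "is_request": is_request,
               "config_update": False, "changed_keys": [], "suspicious_keys": []}
    if is_request and header.get("code") == UPDATE_BROKER_CONFIG:
        props = parse_properties(body)
        finding["config_update"] = True
        finding["changed_keys"] = sorted(props)
        finding["suspicious_keys"] = sorted(k for k, v in props.items()
                                            if any(m in v for m in SHELL_META))
    return finding


def request_header(code: int, opaque: int, flag: int = 0) -> dict:
    """Minimal JSON header with the field names RocketMQ uses; version/opaque values are arbitrary here."""
    return {"code": code, "language": "JAVA", "version": 401, "opaque": opaque,
            "flag": flag, "remark": None, "extFields": {}}


# Constructed sample traffic: a routine tuning change, a value smuggling shell syntax,
# a response to a config update, and an unrelated read-only request.
SAMPLE_FRAMES = {
    "benign_update": encode_frame(request_header(UPDATE_BROKER_CONFIG, 1), b"sendMessageThreadPoolNums=32\n"),
    "shell_in_value": encode_frame(request_header(UPDATE_BROKER_CONFIG, 2), b"brokerName=broker-a;id\n"),
    "response": encode_frame(request_header(UPDATE_BROKER_CONFIG, 2, flag=RESPONSE_FLAG)),
    "get_config": encode_frame(request_header(GET_BROKER_CONFIG, 3)),
}


def scan(frames: dict) -> dict:
    return {name: inspect_frame(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, finding in scan(SAMPLE_FRAMES).items():
        print(f"{name:15} code={finding['code']:<3} request={finding['is_request']} "
              f"config_update={finding['config_update']} suspicious={finding['suspicious_keys']}")
```

In practice every UPDATE_BROKER_CONFIG request arriving from outside the broker's administration network is worth an alert on an unpatched deployment, because the broker will accept it without credentials; the shell-syntax check only narrows the list to the frames most likely to be exploitation attempts.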



Once the shortcoming is successfully abused to obtain initial access, the threat
actor proceeds to execute a shell script hosted on a remote IP address, which is
then responsible for retrieving the Muhstik binary ("pty3") from another server.

"After gaining the ability to upload the malicious payload by exploiting the
RocketMQ vulnerability, the attacker is able to execute their malicious code,
which downloads the Muhstik malware," security researcher Nitzan Yaakov said.

Persistence on the host is achieved by copying the malware binary to multiple
directories and editing the /etc/inittab file, the SysV init configuration that
lists which processes to start at boot and which to restart automatically when
they exit. Note that only SysV-style init reads this file; on systemd
distributions an /etc/inittab entry is ignored, so the edit is a reliable
indicator of compromise there but not a working persistence mechanism.

What's more, naming the binary "pty3" is likely an attempt to masquerade as a
pseudoterminal ("pty") process and evade detection. A second evasion technique
is the choice of drop directories: /dev/shm, /run and /run/lock are tmpfs
mounts on most Linux distributions, so a binary placed there lives in RAM and
vanishes on reboot without leaving an on-disk artifact. /var/tmp is normally
disk-backed, but it is world-writable and cluttered enough that a stray file
draws little attention. For a forensic examiner this means the tmpfs copies
must be captured before the host is rebooted.
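The two persistence traits described above, the /etc/inittab entry and executables dropped into volatile directories, are cheap to check on a host. The following Python is an added example written for this page, not a tool from the article or from Aqua: it parses inittab entries and flags any whose command lives under one of the named drop directories, then lists executable files below those directories. The sample inittab and the throwaway directory tree it builds are constructed for the demonstration; the real scan would pass the live /etc/inittab text and the real directories.

```python
import os
import stat
import tempfile

# Drop locations named in the report; /dev/shm, /run and /run/lock are tmpfs on a typical install.
VOLATILE_DIRS = ("/dev/shm", "/run/lock", "/run", "/var/tmp")


def parse_inittab(text: str):
    """Yield (id, runlevels, action, process) for each non-comment entry of a SysV-style inittab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) == 4:
            yield tuple(fields)


def suspicious_inittab_entries(text: str, watch_dirs=VOLATILE_DIRS):
    """Flag entries whose command is launched from a volatile or world-writable directory."""
    hits = []
    for ident, runlevels, action, process in parse_inittab(text):
        words = process.split()
        exe = words[0] if words else ""
        if any(exe == d or exe.startswith(d.rstrip("/") + "/") for d in watch_dirs):
            hits.append({"id": ident, "runlevels": runlevels, "action": action, "process": process})
    return hits


def executables_under(root: str):
    """Regular files with any execute bit set below root; symlinks are not followed."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found.append(path)
    return sorted(found)


def triage(inittab_text: str, roots=VOLATILE_DIRS) -> dict:
    """Combine both checks; roots that do not exist on this host are skipped silently."""
    return {
        "inittab": suspicious_inittab_entries(inittab_text, roots),
        "executables": [p for r in roots if os.path.isdir(r) for p in executables_under(r)],
    }


# Constructed sample inittab, not captured from a victim: one respawn entry points into /dev/shm.
SAMPLE_INITTAB = """\
# /etc/inittab (constructed sample)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
pty:2345:respawn:/dev/shm/pty3
"""


def build_demo_layout() -> dict:
    """Create a throwaway tree mimicking the drop directories so the scan never touches the real system."""
    root = tempfile.mkdtemp(prefix="muhstik-triage-")
    shm = os.path.join(root, "dev", "shm")
    vtmp = os.path.join(root, "var", "tmp")
    os.makedirs(shm)
    os.makedirs(vtmp)
    dropped = os.path.join(shm, "pty3")
    with open(dropped, "wb") as f:
        f.write(b"\x7fELF")            # stand-in for the binary; only the execute bit matters here
    os.chmod(dropped, 0o755)
    with open(os.path.join(vtmp, "notes.txt"), "w") as f:
        f.write("harmless\n")          # non-executable file that must not be reported
    return {"root": root, "dirs": [shm, vtmp]}


if __name__ == "__main__":
    layout = build_demo_layout()
    result = triage(SAMPLE_INITTAB, roots=layout["dirs"])
    for hit in result["inittab"]:
        print("inittab:", hit)
    for path in result["executables"]:
        print("executable in volatile dir:", path)
```

The inittab check matches against the directory names from the report rather than the live roots so that the demo entry (`/dev/shm/pty3`) is still flagged when the executable scan is pointed at a scratch tree; on a real host both arguments would be the same list.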



Muhstik comes equipped with features to gather system metadata, laterally move
to other devices over a secure shell (SSH), and ultimately establish contact
with a command-and-control (C2) domain to receive further instructions using the
Internet Relay Chat (IRC) protocol.

The end goal of the malware is to weaponize the compromised devices to perform
different types of flooding attacks against targets of interest, effectively
overwhelming their network resources and triggering a denial-of-service
condition.

With 5,216 vulnerable instances of Apache RocketMQ still exposed to the internet
more than a year after the flaw was publicly disclosed, organizations running
RocketMQ should upgrade to a fixed release (4.9.6 or later on the 4.x line,
5.1.1 or later on 5.x) and keep the NameServer, Broker and Controller listeners
off the public internet, since the vulnerable operations require no
authentication.



"Moreover, in previous campaigns, cryptomining activity was detected after the
execution of the Muhstik malware," Yaakov said. "These objectives go hand in
hand, as the attackers strive to spread and infect more machines, which helps
them in their mission to mine more cryptocurrency using the electrical power of
the compromised machines."

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed
that poorly secured MS-SQL servers are being targeted by threat actors to
various types of malware, ranging from ransomware and remote access trojans to
proxyware.

"Administrators must use passwords that are difficult to guess for their
accounts and change them periodically to protect the database server from
brute-force attacks and dictionary attacks," ASEC said. "They must also apply
the latest patches to prevent vulnerability attacks."




Tags: Apache, botnet, cryptocurrency, DDoS, DDoS protection, malware, remote access trojan, remote code execution, vulnerability