Kinsing Cyberattackers Target Apache ActiveMQ Flaw to Mine Crypto

The attackers behind the Kinsing malware are the latest to exploit the Apache ActiveMQ critical remote code execution (RCE) vulnerability, targeting the flaw to infect vulnerable Linux systems with a cryptocurrency miner.

Researchers from TrendMicro detected attackers exploiting the flaw — tracked as CVE-2023-46604 — to mine cryptocurrency, thus draining the resources from infected Linux systems. ActiveMQ is an open source protocol developed by the Apache Software Foundation (ASF) that implements message-oriented middleware (MOM).

"Once Kinsing infects a system, it deploys a cryptocurrency-mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance," TrendMicro researcher Peter Girnus wrote in a post published late Nov. 20.

The researchers also shed new light on the root cause of the vulnerability, which affects multiple versions of Apache ActiveMQ and Apache ActiveMQ Legacy OpenWire Module. The flaw allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems.

ActiveMQ, written in Java, is an open-source protocol developed by Apache that implements message-oriented middleware (MOM). Its main function is to send messages between different applications, but it also includes additional features like STOMP, Jakarta Messaging (JMS), and OpenWire.

ASF first discovered the flaw on Oct. 27, and proof-of-concept exploit code soon followed. Though the foundation moved quickly to patch CVE-2023-46604, threat actors have wasted little time pouncing on the myriad systems that remain vulnerable.

High-Profile Opportunist

One of those threat groups, Kinsing, is already well-known for taking advantage of high-profile flaws to target Linux systems to mine cryptocurrency and commit other nefarious activity, according to Trend Micro.

Previous Kinsing campaigns include exploiting the "Looney Tunables" bug to steal secrets and data from Linux systems, and exploiting vulnerable images and weakly configured PostgreSQL containers in Kubernetes clusters to gain initial access to systems.

In its attack on ActiveMQ, the group uses public exploits that leverage the ProcessBuilder method to execute commands on affected systems to download and execute Kinsing cryptocurrency miners and malware on a vulnerable system, according to TrendMicro.

Kinsing's attack strategy is unique in that once it infects a system, it actively looks for competing crypto miners — such as those tied to Monero or ones that exploit Log4Shell and WebLogic vulnerabilities, Girnus noted.

"It then proceeds to kill their processes and network connections," he wrote. "Furthermore, Kinsing removes competing malware and miners from the infected host's crontab."

Once this is done, the Kinsing binary is then assigned a Linux environment variable and executed, after which Kinsing adds a cronjob to download and execute its malicious bootstrap script every minute. "This ensures persistence on the affected host and also ensures that the latest malicious Kinsing binary is available on affected hosts," Girnus wrote.

In fact, Kinsing doubles down on its persistence and compromise by loading its rootkit in /etc/ld.so.preload, "which completes a full system compromise," he added.

Root Cause and Mitigation

In their investigation, TrendMicro compared the patch to systems vulnerable to the flaw and found that its root cause is "an issue pertaining to the validation of throwable class types when OpenWire commands are unmarshalled," according to the post.

OpenWire is a binary protocol specifically designed for working with MOM to serve as the native wire format of ActiveMQ, a widely used open source messaging and integration platform. It's a preferred format due to its efficient use of bandwidth and its ability to support a wide range of message types.

The issue at the heart of the flaw is that validateIsThrowable method has been included in the BaseDataStreamMarshall class, which fails to validate the class type of a Throwable, or an object that represents exceptions and errors in Java. This can accidentally create and execute instances of any class, resulting in RCE vulnerabilities, Girnus said.

"Therefore, it is essential to ensure that the class type of a Throwable is always validated to prevent potential security risks," he wrote.

TrendMicro researchers, like other security experts, urged organizations using Apache ActiveMQ to take immediate action to patch the flaw, as well as mitigate any other risks associated with Kinsing.

"Given the malware's ability to spread across networks and exploit multiple vulnerabilities, it is important to maintain up-to-date security patches, regularly audit configurations, and monitor network traffic for unusual activity, all of which are critical components of a comprehensive cybersecurity strategy," Girnus wrote.