The Kinsing threat actors recently started exploiting a critical security flaw in vulnerable Apache ActiveMQ servers (CVE-2023-46604). This strategic move allows them to infect Linux systems, deploying cryptocurrency miners and rootkits for illicit gains.
The Adaptable Kinsing Threat Group
Trend Micro security researcher Peter Girnus sheds light on the severity of the situation, explaining that once Kinsing infiltrates a system, it deploys a cryptocurrency mining script. This script leverages the host’s resources to mine cryptocurrencies like Bitcoin, causing substantial damage to the infrastructure and negatively impacting system performance.
Kinsing is no stranger to the cybersecurity realm, representing a Linux malware with a notorious history of targeting misconfigured containerized environments for cryptocurrency mining. The threat actors behind Kinsing are adept at utilizing compromised server resources to generate profits illicitly.
What sets Kinsing apart is its ability to adapt quickly. The group stays ahead of the curve by incorporating newly disclosed flaws in web applications to breach target networks and deliver crypto miners. Recent reports highlight the threat actor’s attempts to exploit a Linux privilege escalation flaw called Looney Tunables, revealing their ongoing pursuit of infiltrating cloud environments.
Kinsing Now Exploiting CVE-2023-46604
The current campaign by Kinsing involves the exploitation of CVE-2023-46604, an actively exploited critical vulnerability in Apache ActiveMQ with a CVSS score of 10.0. This vulnerability allows remote code execution, enabling adversaries to download and install the Kinsing malware on compromised systems.
The subsequent steps involve retrieving additional payloads from an actor-controlled domain while simultaneously taking measures to terminate competing cryptocurrency miners already operating on the infected system.
To cement its persistence, Kinsing goes a step further and loads its rootkit via /etc/ld.so.preload, so the dynamic loader injects it into every dynamically linked process and the system is fully compromised, according to Girnus.
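A defender-side check for the persistence mechanism described above, added here as an example (it is not code from the article or from Trend Micro). It assumes glibc's parsing rules for /etc/ld.so.preload (entries separated by whitespace or ':', '#' starts a comment); the allowlist and the sample file contents are constructed for illustration.

```python
"""Audit /etc/ld.so.preload for unexpected shared objects (added example)."""
import re
from pathlib import Path

PRELOAD_PATH = Path("/etc/ld.so.preload")

# Directories where a legitimately installed preload library should never live.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed allowlist: objects an administrator deliberately configured.
# An empty allowlist means every entry in the file is reported.
DEFAULT_ALLOWLIST = frozenset()


def parse_ld_preload(text):
    """Return the entries the loader would honour, in file order.
    Assumed glibc rules: whitespace or ':' separate entries, '#' to end of
    line is a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_ld_preload(text, allowlist=DEFAULT_ALLOWLIST):
    """Return (entry, reason) pairs for every entry not on the allowlist."""
    findings = []
    for entry in parse_ld_preload(text):
        if entry in allowlist:
            continue
        if not entry.startswith("/"):
            reason = "relative path, resolved via the library search path"
        elif entry.startswith(SUSPICIOUS_DIRS) or "/." in entry:
            reason = "object in a world-writable or hidden location"
        else:
            reason = "not on the allowlist"
        findings.append((entry, reason))
    return findings


def audit_system(allowlist=DEFAULT_ALLOWLIST):
    """Audit the live file; an absent file is the normal, clean state."""
    if not PRELOAD_PATH.exists():
        return []
    return audit_ld_preload(PRELOAD_PATH.read_text(errors="replace"), allowlist)


# Constructed sample of a tampered preload file (not a real indicator).
SAMPLE = "# constructed sample\n/usr/lib/libfoo.so\n/tmp/.x/libsystem.so:./rk.so\n"

if __name__ == "__main__":
    print("sample:", audit_ld_preload(SAMPLE, frozenset({"/usr/lib/libfoo.so"})))
    print("live  :", audit_system())
```

Any non-empty result from audit_system() on a host that never configured a preload library deserves the same triage as the competing-miner cleanup and rootkit steps the article describes.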
In response to the ongoing exploitation of this critical flaw, organizations running affected versions of Apache ActiveMQ are strongly advised to update to a patched version promptly. This proactive measure is essential for mitigating potential threats and safeguarding against the destructive consequences of Kinsing’s cryptocurrency mining campaign.