Threat actors are actively exploiting a critical vulnerability in Apache ActiveMQ, known as CVE-2023-46604 [1]. This flaw allows for remote code execution and has been used to distribute multiple malware strains.

Description

One of the malware strains being distributed is the newly discovered GoTitan botnet, written in the Go programming language and downloaded from a malicious URL [4]. The GoTitan botnet targets x64 architectures and is still in its early stages of development, as indicated by a debug log file called “c.log”.

In addition to GoTitan, the ongoing exploits involve the use of the PrCtrl Rat, a remote access trojan that establishes contact with a command-and-control server for further commands and file operations [3]. The attacks also utilize the Sliver penetration testing tool, which can be misused by threat actors to compromise and control multiple targets [4].

Furthermore, the attacks have deployed Ddostf, a botnet used for Distributed Denial of Service (DDoS) attacks that incorporates 13 attack methods [1], and the Kinsing malware, which specializes in cryptojacking [1].

Despite a patch being issued by Apache, threat actors continue to exploit CVE-2023-46604 [2] [4] [5]. To mitigate the risk of exploitation, users are advised to prioritize system updates, apply the available patches [1] [2] [4] [5], and regularly monitor security advisories [2] [5].
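The patching advice above only becomes an actionable inventory check once each broker's version is compared against the fix on its own maintenance branch: a release that is numerically higher than the oldest fixed version can still be unpatched on its own branch. The following Python script is an added example, not code from the page or from the Apache project. It parses version banners, classifies hosts per branch, and treats branches missing from the table as unknown rather than safe. The fixed-version table and the host inventory are constructed placeholders; the real per-branch minimums must be taken from the Apache advisory.

```python
"""Branch-aware patch-level triage for a product whose fix landed on several
maintenance branches at once (as the CVE-2023-46604 fix did for ActiveMQ).

Added example; not vendor code.  PLACEHOLDER_FIXED_MINIMUMS and
SAMPLE_INVENTORY are constructed and must be replaced with real data.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Placeholder table {major.minor branch: first fixed release on that branch}.
# The numbers are deliberately fictional; fill them in from the advisory.
PLACEHOLDER_FIXED_MINIMUMS: Dict[str, str] = {
    "5.15": "5.15.9",
    "5.16": "5.16.4",
}

# Constructed inventory of (host, version banner) pairs for the demo run.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("broker-a", "Apache ActiveMQ 5.15.9 (localhost)"),
    ("broker-b", "Apache ActiveMQ 5.16.3"),
    ("broker-c", "version string not captured"),
    ("broker-d", "Apache ActiveMQ 5.17.0"),
]

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z triple found in free text, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version: Version, fixed_minimums: Dict[str, str]) -> Optional[bool]:
    """True if version >= its branch's first fixed release, False if below,
    None if the branch is absent from the table (triage by hand; never
    assume an unlisted branch is safe).

    The comparison is per branch: a 5.16.x release can sit numerically above
    the 5.15 fix yet below the 5.16 fix, so one global threshold would
    misclassify it.
    """
    branch = f"{version[0]}.{version[1]}"
    fixed = fixed_minimums.get(branch)
    if fixed is None:
        return None
    fixed_version = parse_version(fixed)
    if fixed_version is None:
        raise ValueError(f"malformed fixed version for branch {branch}: {fixed!r}")
    return version >= fixed_version


def triage(inventory: List[Tuple[str, str]],
           fixed_minimums: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into 'patched', 'vulnerable' and 'unknown'."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, banner in inventory:
        version = parse_version(banner)
        if version is None:
            buckets["unknown"].append(host)  # no parsable version: check manually
            continue
        state = is_patched(version, fixed_minimums)
        if state is None:
            buckets["unknown"].append(host)
        elif state:
            buckets["patched"].append(host)
        else:
            buckets["vulnerable"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, PLACEHOLDER_FIXED_MINIMUMS).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

With the placeholder table, broker-b lands in the vulnerable bucket even though 5.16.3 is "newer" than the 5.15 fix, and broker-d is reported as unknown because its branch has no entry; both are the cases a naive single-threshold check gets wrong.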

Conclusion

The ongoing exploitation of the CVE-2023-46604 vulnerability highlights the persistence and adaptability of threat actors. It is crucial for users to promptly apply patches and updates to protect their systems from these attacks. Regular monitoring of security advisories is also essential to stay informed about emerging threats and vulnerabilities. By taking these proactive measures, users can mitigate the risk of exploitation and safeguard their systems against future attacks.

References

[1] https://www.hackread.com/activemq-flaw-spread-gotitan-botnet-prctrl-rat/
[2] https://www.infosecurity-magazine.com/news/gotitan-botnet-prctrl-rat-exploit/
[3] https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html
[4] https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq
[5] https://flyytech.com/2023/11/29/gotitan-botnet-and-prctrl-rat-exploit-apache-vulnerability/