home.social

#rocketmq — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #rocketmq, aggregated by home.social.

  1. "Evaluating persistent, replicated message queues" mega article by @adamwarski et. al. is pure gold. softwaremill.com/mqperf/ Features and more

  2. 🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

    Key Points:

    Vulnerability Disclosure:

    • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

    Exploitation by DreamBus Botnet:

    • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

    Attack Timeline:

    • Attacks began in early June and peaked in mid-June.
    • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

    Reconnaissance and Malicious Activities:

    • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
    • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
    • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

    Technical Details:

    • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
    • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
    • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

    Malware Capabilities:

    • The malware can perform various functions like downloading other modules and sending notifications to the server.
    • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

    Implications:

    • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

    The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

    Indicators of Compromise (IoCs) for DreamBus Botnet:

    • IP and Servers:

      • 92[.]204.243.155: Download Server
      • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
    • Scripts and Miners:

      • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
      • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
    • DreamBus Bot Hashes:

      • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
      • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
      • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
      • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
      • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
      • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
      • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

    Source: blogs.juniper.net/en-us/threat

    #InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️

  3. 🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

    Key Points:

    Vulnerability Disclosure:

    • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

    Exploitation by DreamBus Botnet:

    • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

    Attack Timeline:

    • Attacks began in early June and peaked in mid-June.
    • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

    Reconnaissance and Malicious Activities:

    • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
    • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
    • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

    Technical Details:

    • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
    • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
    • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

    Malware Capabilities:

    • The malware can perform various functions like downloading other modules and sending notifications to the server.
    • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

    Implications:

    • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

    The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

    Indicators of Compromise (IoCs) for DreamBus Botnet:

    • IP and Servers:

      • 92[.]204.243.155: Download Server
      • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
    • Scripts and Miners:

      • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
      • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
    • DreamBus Bot Hashes:

      • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
      • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
      • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
      • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
      • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
      • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
      • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

    Source: blogs.juniper.net/en-us/threat

    #InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️

  4. 🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

    Key Points:

    Vulnerability Disclosure:

    • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

    Exploitation by DreamBus Botnet:

    • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

    Attack Timeline:

    • Attacks began in early June and peaked in mid-June.
    • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

    Reconnaissance and Malicious Activities:

    • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
    • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
    • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

    Technical Details:

    • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
    • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
    • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

    Malware Capabilities:

    • The malware can perform various functions like downloading other modules and sending notifications to the server.
    • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

    Implications:

    • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

    The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

    Indicators of Compromise (IoCs) for DreamBus Botnet:

    • IP and Servers:

      • 92[.]204.243.155: Download Server
      • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
    • Scripts and Miners:

      • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
      • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
    • DreamBus Bot Hashes:

      • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
      • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
      • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
      • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
      • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
      • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
      • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

    Source: blogs.juniper.net/en-us/threat

    #InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️

  5. 🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

    Key Points:

    Vulnerability Disclosure:

    • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

    Exploitation by DreamBus Botnet:

    • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

    Attack Timeline:

    • Attacks began in early June and peaked in mid-June.
    • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

    Reconnaissance and Malicious Activities:

    • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
    • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
    • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

    Technical Details:

    • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
    • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
    • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

    Malware Capabilities:

    • The malware can perform various functions like downloading other modules and sending notifications to the server.
    • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

    Implications:

    • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

    The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

    Indicators of Compromise (IoCs) for DreamBus Botnet:

    • IP and Servers:

      • 92[.]204.243.155: Download Server
      • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
    • Scripts and Miners:

      • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
      • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
    • DreamBus Bot Hashes:

      • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
      • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
      • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
      • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
      • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
      • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
      • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

    Source: blogs.juniper.net/en-us/threat

    #InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️

  6. 🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

    Key Points:

    Vulnerability Disclosure:

    • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

    Exploitation by DreamBus Botnet:

    • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

    Attack Timeline:

    • Attacks began in early June and peaked in mid-June.
    • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

    Reconnaissance and Malicious Activities:

    • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
    • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
    • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

    Technical Details:

    • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
    • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
    • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

    Malware Capabilities:

    • The malware can perform various functions like downloading other modules and sending notifications to the server.
    • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

    Implications:

    • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

    The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

    Indicators of Compromise (IoCs) for DreamBus Botnet:

    • IP and Servers:

      • 92[.]204.243.155: Download Server
      • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
    • Scripts and Miners:

      • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
      • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
    • DreamBus Bot Hashes:

      • 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
      • 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
      • e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
      • 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
      • 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
      • 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
      • 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f

    Source: blogs.juniper.net/en-us/threat

    #InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️

  7. Exploitation of CVE-2023-33246 is real and happening. That's a CVSS 9.8 for RocketMQ.

    Bottom line up front, test your publicly exposed services for exploitability: github.com/Malayke/CVE-2023-33

    The test isn't perfect, we found that it produced a false negative against a vulnerable product (version 4.8) but it successfully identified others.

    TA performs scan and hits with test values, executes RCE to modify IP tables to allow SSH from attacking host (using what we believe are compromised vendor credentials - this part needs further investigation), and then hits host with a full fledged attack. Fairly thorough, we found two instances of persistence, aggressive log clean up and file clean up, and pretty decent techniques for hiding malicious commands.

    All for a fucking Monero miner.

    They knew what they were doing and knew this product inside and out. They knew how to try to disable protection (but couldn't on this host - shout out to Cybereason). There was no looking around, no enumeration. Just straight up scripted execution.

    If you're running #Yeastar - check your shit. You have #RocketMQ running and may not know it. If you're not, check anyways. The need for #SBOM for all is so goddamn real.

  8. Exploitation of CVE-2023-33246 is real and happening. That's a CVSS 9.8 for RocketMQ.

    Bottom line up front, test your publicly exposed services for exploitability: github.com/Malayke/CVE-2023-33

    The test isn't perfect, we found that it produced a false negative against a vulnerable product (version 4.8) but it successfully identified others.

    TA performs scan and hits with test values, executes RCE to modify IP tables to allow SSH from attacking host (using what we believe are compromised vendor credentials - this part needs further investigation), and then hits host with a full fledged attack. Fairly thorough, we found two instances of persistence, aggressive log clean up and file clean up, and pretty decent techniques for hiding malicious commands.

    All for a fucking Monero miner.

    They knew what they were doing and knew this product inside and out. They knew how to try to disable protection (but couldn't on this host - shout out to Cybereason). There was no looking around, no enumeration. Just straight up scripted execution.

    If you're running #Yeastar - check your shit. You have #RocketMQ running and may not know it. If you're not, check anyways. The need for #SBOM for all is so goddamn real.