#rocketmq — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #rocketmq, aggregated by home.social.
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
💡 Perfctl: una minaccia silenziosa ai server Linux
https://gomoot.com/perfctl-una-minaccia-silenziosa-ai-server-linux
#aqua #aquasecteam #blog #cve #linux #malware #news #picks #polkit #rocketmq #server #sicurezza #stealth #tech #tecnologia
-
"Evaluating persistent, replicated message queues" mega article by @adamwarski et. al. is pure gold. https://softwaremill.com/mqperf/ Features #Kafka #PostgreSQL #mongodb #Redis #Pulsar #NATS #SQS #RocketMQ #RabbitMQ #ActiveMQ #RedPanda and more
-
"Evaluating persistent, replicated message queues" mega article by @adamwarski et. al. is pure gold. https://softwaremill.com/mqperf/ Features #Kafka #PostgreSQL #mongodb #Redis #Pulsar #NATS #SQS #RocketMQ #RabbitMQ #ActiveMQ #RedPanda and more
-
"Evaluating persistent, replicated message queues" mega article by @adamwarski et. al. is pure gold. https://softwaremill.com/mqperf/ Features #Kafka #PostgreSQL #mongodb #Redis #Pulsar #NATS #SQS #RocketMQ #RabbitMQ #ActiveMQ #RedPanda and more
-
"Evaluating persistent, replicated message queues" mega article by @adamwarski et. al. is pure gold. https://softwaremill.com/mqperf/ Features #Kafka #PostgreSQL #mongodb #Redis #Pulsar #NATS #SQS #RocketMQ #RabbitMQ #ActiveMQ #RedPanda and more
-
"Evaluating persistent, replicated message queues" mega article by @adamwarski et. al. is pure gold. https://softwaremill.com/mqperf/ Features #Kafka #PostgreSQL #mongodb #Redis #Pulsar #NATS #SQS #RocketMQ #RabbitMQ #ActiveMQ #RedPanda and more
-
Jetzt patchen! Attacken auf Messaging-Plattform Apache #RocketMQ | Security https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Messaging-Plattform-Apache-RocketMQ-9590555.html #Patchday
-
Jetzt patchen! Attacken auf Messaging-Plattform Apache #RocketMQ | Security https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Messaging-Plattform-Apache-RocketMQ-9590555.html #Patchday
-
Jetzt patchen! Attacken auf Messaging-Plattform Apache #RocketMQ | Security https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Messaging-Plattform-Apache-RocketMQ-9590555.html #Patchday
-
🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.
Key Points:
Vulnerability Disclosure:
- In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.
Exploitation by DreamBus Botnet:
- Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.
Attack Timeline:
- Attacks began in early June and peaked in mid-June.
- Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.
Reconnaissance and Malicious Activities:
- Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
- From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
- Two methods were used for payload retrieval: TOR proxy service and a specific IP address.
Technical Details:
- The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
- Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
- The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.
Malware Capabilities:
- The malware can perform various functions like downloading other modules and sending notifications to the server.
- It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.
Implications:
- The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.
The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.
Indicators of Compromise (IoCs) for DreamBus Botnet:
IP and Servers:
92[.]204.243.155: Download Serverru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
Scripts and Miners:
1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
DreamBus Bot Hashes:
601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e694170a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f
-
🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.
Key Points:
Vulnerability Disclosure:
- In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.
Exploitation by DreamBus Botnet:
- Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.
Attack Timeline:
- Attacks began in early June and peaked in mid-June.
- Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.
Reconnaissance and Malicious Activities:
- Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
- From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
- Two methods were used for payload retrieval: TOR proxy service and a specific IP address.
Technical Details:
- The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
- Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
- The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.
Malware Capabilities:
- The malware can perform various functions like downloading other modules and sending notifications to the server.
- It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.
Implications:
- The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.
The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.
Indicators of Compromise (IoCs) for DreamBus Botnet:
IP and Servers:
92[.]204.243.155: Download Serverru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
Scripts and Miners:
1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
DreamBus Bot Hashes:
601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e694170a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f
-
🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.
Key Points:
Vulnerability Disclosure:
- In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.
Exploitation by DreamBus Botnet:
- Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.
Attack Timeline:
- Attacks began in early June and peaked in mid-June.
- Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.
Reconnaissance and Malicious Activities:
- Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
- From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
- Two methods were used for payload retrieval: TOR proxy service and a specific IP address.
Technical Details:
- The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
- Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
- The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.
Malware Capabilities:
- The malware can perform various functions like downloading other modules and sending notifications to the server.
- It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.
Implications:
- The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.
The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.
Indicators of Compromise (IoCs) for DreamBus Botnet:
IP and Servers:
92[.]204.243.155: Download Serverru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
Scripts and Miners:
1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
DreamBus Bot Hashes:
601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e694170a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f
-
🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.
Key Points:
Vulnerability Disclosure:
- In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.
Exploitation by DreamBus Botnet:
- Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.
Attack Timeline:
- Attacks began in early June and peaked in mid-June.
- Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.
Reconnaissance and Malicious Activities:
- Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
- From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
- Two methods were used for payload retrieval: TOR proxy service and a specific IP address.
Technical Details:
- The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
- Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
- The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.
Malware Capabilities:
- The malware can perform various functions like downloading other modules and sending notifications to the server.
- It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.
Implications:
- The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.
The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.
Indicators of Compromise (IoCs) for DreamBus Botnet:
IP and Servers:
92[.]204.243.155: Download Serverru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
Scripts and Miners:
1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
DreamBus Bot Hashes:
601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e694170a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f
-
🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.
Key Points:
Vulnerability Disclosure:
- In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.
Exploitation by DreamBus Botnet:
- Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.
Attack Timeline:
- Attacks began in early June and peaked in mid-June.
- Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.
Reconnaissance and Malicious Activities:
- Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
- From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
- Two methods were used for payload retrieval: TOR proxy service and a specific IP address.
Technical Details:
- The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
- Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
- The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.
Malware Capabilities:
- The malware can perform various functions like downloading other modules and sending notifications to the server.
- It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.
Implications:
- The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.
The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.
Indicators of Compromise (IoCs) for DreamBus Botnet:
IP and Servers:
92[.]204.243.155: Download Serverru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
Scripts and Miners:
1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
DreamBus Bot Hashes:
601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e694170a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f
-
Exploitation of CVE-2023-33246 is real and happening. That's a CVSS 9.8 for RocketMQ.
Bottom line up front, test your publicly exposed services for exploitability: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT
The test isn't perfect, we found that it produced a false negative against a vulnerable product (version 4.8) but it successfully identified others.
TA performs scan and hits with test values, executes RCE to modify IP tables to allow SSH from attacking host (using what we believe are compromised vendor credentials - this part needs further investigation), and then hits host with a full fledged attack. Fairly thorough, we found two instances of persistence, aggressive log clean up and file clean up, and pretty decent techniques for hiding malicious commands.
All for a fucking Monero miner.
They knew what they were doing and knew this product inside and out. They knew how to try to disable protection (but couldn't on this host - shout out to Cybereason). There was no looking around, no enumeration. Just straight up scripted execution.
If you're running #Yeastar - check your shit. You have #RocketMQ running and may not know it. If you're not, check anyways. The need for #SBOM for all is so goddamn real.
-
Exploitation of CVE-2023-33246 is real and happening. That's a CVSS 9.8 for RocketMQ.
Bottom line up front, test your publicly exposed services for exploitability: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT
The test isn't perfect, we found that it produced a false negative against a vulnerable product (version 4.8) but it successfully identified others.
TA performs scan and hits with test values, executes RCE to modify IP tables to allow SSH from attacking host (using what we believe are compromised vendor credentials - this part needs further investigation), and then hits host with a full fledged attack. Fairly thorough, we found two instances of persistence, aggressive log clean up and file clean up, and pretty decent techniques for hiding malicious commands.
All for a fucking Monero miner.
They knew what they were doing and knew this product inside and out. They knew how to try to disable protection (but couldn't on this host - shout out to Cybereason). There was no looking around, no enumeration. Just straight up scripted execution.
If you're running #Yeastar - check your shit. You have #RocketMQ running and may not know it. If you're not, check anyways. The need for #SBOM for all is so goddamn real.