Attacks aimed at vulnerable Apache RocketMQ servers underway

Bleeping Computer – Bill Toulas
Security researchers have observed a significant increase in attempts to exploit the Apache RocketMQ service’s vulnerabilities (CVE-2023-33246 and CVE-2023-37582).
Despite an initial patch from Apache in May 2023, these vulnerabilities continue to be actively exploited.
The CVE-2023-33246 flaw specifically pertains to the NameServer component, allowing attackers to execute commands using the update configuration function when the server’s address is exposed online without proper permission verification.
Because that fix was incomplete, the flaw persists in Apache RocketMQ version 5.1.1. As a result, the issue has been re-designated as CVE-2023-37582. To mitigate the risk, upgrade NameServer to version 5.1.2/4.9.7 or above for RocketMQ 5.x/4.x.
The ShadowServer Foundation has documented numerous instances of hosts scanning for exposed RocketMQ systems, potentially leading to exploitation.
This activity has been linked to reconnaissance attempts, exploitation efforts, and scanning activities.
Notably, cybercriminals have been targeting vulnerable Apache RocketMQ systems since August 2023, with the DreamBus botnet utilizing the CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in September 2023, urging federal agencies to patch the flaw promptly due to its active exploitation.
Link: https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/
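
The upgrade guidance above (NameServer 5.1.2 or later on the 5.x branch, 4.9.7 or later on the 4.x branch) can be applied to an asset inventory with a short triage script. This is an added example, not code from the article or from Apache; the host names and inventory rows are constructed, and the "review" status for unparseable, out-of-branch, or suffixed builds of the exact fixed release is an assumption of this sketch.

```python
import re

# Minimum fixed NameServer release per branch, as stated in the summary above.
FIXED = {4: (4, 9, 7), 5: (5, 1, 2)}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(.*)$")


def triage(version_text):
    """Classify a reported NameServer version as 'upgrade', 'patched' or 'review'."""
    m = VERSION_RE.match(version_text)
    if m is None:
        return "review"  # e.g. "latest" or an empty field: cannot be judged
    version = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4).strip()
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "review"  # branch outside the 4.x/5.x guidance
    if version < fixed:
        return "upgrade"
    if version == fixed and suffix:
        # Assumption: a suffixed build (e.g. -SNAPSHOT) of the fixed release
        # may predate the fix, so it is checked by hand.
        return "review"
    return "patched"


# Constructed inventory: (host, version string reported by the deployment).
INVENTORY = [
    ("mq-ns-01", "5.1.1"),
    ("mq-ns-02", "5.1.2"),
    ("mq-ns-03", "4.9.6"),
    ("mq-ns-04", "4.9.10"),  # numeric compare: 10 > 7, so this is patched
    ("mq-ns-05", "5.1.2-SNAPSHOT"),
    ("mq-ns-06", "latest"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```
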

