Muhstik Botnet levels up with Apache RocketMQ vulnerability for DDoS

June 7, 2024




Article Summary

TLDR:

  • The Muhstik botnet is exploiting CVE-2023-33246, a critical remote code execution flaw in Apache RocketMQ, to recruit hosts for DDoS attacks.
  • Muhstik targets IoT devices and Linux-based servers, using compromised machines for DDoS and cryptocurrency mining.

The Muhstik botnet has been leveraging a security flaw in Apache RocketMQ to grow the pool of hosts it uses for distributed denial-of-service (DDoS) attacks. The botnet, known for targeting IoT devices and Linux-based servers, has a history of exploiting already-public vulnerabilities to spread its malware. The latest one is CVE-2023-33246, a critical flaw in Apache RocketMQ that allows unauthenticated remote code execution; it was fixed in RocketMQ 4.9.6 and 5.1.1. Once the flaw has been exploited, the attacker uploads the Muhstik malware, which establishes persistence on the host by copying its binary into multiple directories and editing system files so that it is relaunched.

The malware gathers system metadata, attempts to move laterally to other devices, and contacts a command-and-control domain to receive instructions. With over 5,000 vulnerable Apache RocketMQ instances still exposed on the internet, organizations are urged to update to a patched release (4.9.6 or later on the 4.x line, 5.1.1 or later on the 5.x line). Beyond DDoS, the botnet is also used for cryptocurrency mining, burning the compromised machines' CPU time and electricity for the operators' profit. In a related development, poorly secured MS-SQL servers are also being targeted by threat actors to deploy various types of malware, which again underscores the importance of strong access controls and regular patching.
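The article's advice is to update, which in practice starts with knowing which brokers are still on a pre-fix release. The following script is an added example, not code from the article, from the Aqua researchers, or from the Apache RocketMQ project: it parses a constructed inventory of broker hostnames and version strings and flags each as vulnerable, patched, or unknown against CVE-2023-33246. The only facts it relies on are the fixed versions stated in the Apache advisory (4.9.6 for 4.x, 5.1.1 for 5.x); the hostnames, the inventory format, and the accepted version-string forms are assumptions made for illustration.

```python
"""Triage Apache RocketMQ broker versions against CVE-2023-33246.

Added example, not code from the article or the RocketMQ project.
Assumed: an inventory of "host version" lines (constructed below) and the
first fixed releases named in the Apache advisory: 4.9.6 (4.x) and 5.1.1 (5.x).
"""
import re
from typing import Iterable, List, Optional, Tuple

# First patched release per major line, per the Apache RocketMQ advisory.
FIXED_VERSIONS = {4: (4, 9, 6), 5: (5, 1, 1)}

# Accepts "4.9.4", "V4_9_4" (MQVersion-style) and "5.3.0-SNAPSHOT" (assumed forms).
_VERSION_RE = re.compile(r"^V?(\d+)[._](\d+)[._](\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a recognised version string, else None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if the version predates the fix on its major line, False if it
    includes the fix, None if the major line is not covered by the advisory."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Map each 'host version' line to (host, version_text, status), where
    status is 'vulnerable', 'patched' or 'unknown'. Comments and blanks are skipped."""
    results = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition(" ")
        version = parse_version(version_text)
        if version is None:
            results.append((host, version_text, "unknown"))
            continue
        verdict = is_vulnerable(version)
        if verdict is None:
            status = "unknown"
        else:
            status = "vulnerable" if verdict else "patched"
        results.append((host, version_text, status))
    return results


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# host version
broker-a.internal 4.9.4
broker-b.internal V5_1_0
broker-c.internal 5.1.1
broker-d.internal 4.9.6
broker-e.internal 5.3.0-SNAPSHOT
broker-f.internal unknown
"""

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY.splitlines()):
        print(f"{host:20} {ver:16} {status}")
```

The check is version-based only: a broker on a patched release that still exposes its ports to the internet is not at risk from this particular CVE, but it remains a target for the kind of opportunistic scanning the article describes, so "patched" should be read as "not exploitable via CVE-2023-33246", not as "safe to leave exposed". Anything reported as "unknown" needs a manual look rather than being assumed fixed.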

In conclusion, the Muhstik botnet remains a significant threat to unpatched, internet-exposed systems, and this campaign is a reminder that timely patching of known vulnerabilities, together with limiting what services are reachable from the internet, is what denies such botnets their next hosts.
