InfoSecBulletin Cybersecurity for mankind
Security researchers found that Apache RocketMQ services are being targeted by malicious activities. The vulnerabilities, known as CVE-2023-33246 and CVE-2023-37582, remain a serious threat even after the vendor released patches in May 2023.
Vulnerability Overview:
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
The CVE-2023-33246 affected different parts of RocketMQ, such as NameServer, Broker, and Controller. Rongtong Jin, a member of the Apache RocketMQ Project Management Committee, warned about a lasting flaw in the NameServer component of RocketMQ versions 5.1 and older.
The incomplete fix leaves a remote command execution vulnerability, allowing attackers to exploit the update configuration function on exposed NameServers without proper permission checks.
CVE-2023-37582: Unfinished Business:
The problem is the CVE-2023-37582, which is still critical. To prevent attacks, it’s recommended to upgrade NameServer to version 5.1.2/4.9.7 or higher for RocketMQ 5.x/4.x.
The ShadowServer Foundation’s threat intelligence shows a concerning trend: many hosts are actively scanning for online RocketMQ systems. There are exploitation attempts for both CVE-2023-33246 and CVE-2023-37582.
Threat Landscape:
The ShadowServer Foundation has found that there are many different types of threats online. Scanning activities could be used for planning attacks, taking advantage of vulnerabilities, or for genuine research purposes. Hackers have been involved since August 2023, at the same time as the DreamBus botnet started using a vulnerability to install XMRig Monero miners on weak servers.
“The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1,” reads a warning from Rongtong Jin, a member of the Apache RocketMQ Project Management Committee.
