Apache RocketMQ Active Exploitation Campaign - 20240607002

Overview

Since the publication of Advisory 20230907001, an article has been published noting an increased number of attacks targeting MS-SQL servers. These attacks use various types of malware, ranging from ransomware and remote access trojans to Proxyware. Further investigation found that over 5000 vulnerable instances of Apache RocketMQ are still exposed to the internet.

What is vulnerable?

| Product(s) Affected | CVE | Severity | CVSS |
| --- | --- | --- | --- |
| Apache RocketMQ up to (excluding) 5.1.1 | CVE-2023-33246 | Critical | 9.8 |

Recommendation

The WA SOC recommends that administrators apply the latest solutions as per vendor instructions to all affected devices within the expected timeframe of 48 hours... (refer Patch Management):

Additional Resources