Critical Apache RocketMQ Flaw for RCE

Jun 12 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s blasting off to cyber-space 🚀🚀🚀

Today’s hottest cybersecurity news stories:

  • 🚀 Apache RocketMQ hit by Muhstik botnet 🤖

  • SASE Threat Report: Top tips for security

  • 🤖 AI-powered Recall recalled by Microsoft 🌐

Muh Muhstik brings all the bots to the yard 🍦🍧🍨

🚨 Muhstik Botnet Exploits Critical Apache RocketMQ Flaw for RCE 🐞

Security Alert! The Muhstik botnet is exploiting a critical vulnerability in Apache RocketMQ (CVE-2023-33246) to execute remote code, targeting Linux servers and IoT devices for Distributed Denial of Service (DDoS) attacks and cryptocurrency mining.

Key Details!

Vulnerability: CVE-2023-33246, a critical flaw in Apache RocketMQ with a CVSS score of 9.8.

Targeted Systems: Linux servers and IoT devices.

Attack Vector: Remote code execution, achieved either by forging RocketMQ protocol content or by abusing the broker's update-configuration function.

Malware Capabilities!

  • System Metadata Collection: Gathers information about the infected system.

  • Lateral Movement: Spreads to other devices over SSH.

  • C2 Communication: Connects to a command-and-control domain using IRC to receive further instructions.

  • DDoS Attacks: Utilises compromised devices to overwhelm target network resources.

Urgent Actions Required!

  • Patch Systems: Over 5,000 Apache RocketMQ instances remain vulnerable. Organisations must update to the latest version immediately.

  • Secure MS-SQL Servers: Apply strong passwords and change them regularly to prevent brute-force attacks.

  • Adopt Best Practices: Move away from using outdated PHP CGI and implement secure alternatives like Mod-PHP, FastCGI, or PHP-FPM.

Expert Insights!

"Muhstik is a notorious threat that exploits known vulnerabilities in web applications to propagate its malware," noted security researcher Nitzan Yaakov. "With the ability to bypass protections through minor features, this vulnerability highlights the need for robust security measures."

Ongoing Threats!

  • Crypto Mining Activity: Previous campaigns involving Muhstik have included cryptomining post-infection, leveraging the electrical power of compromised machines.

  • Brute-Force Attacks: The AhnLab Security Intelligence Center (ASEC) has reported that poorly secured MS-SQL servers are frequent targets for various malware types, including ransomware and remote access trojans.

Conclusion

With the critical nature of CVE-2023-33246 and the active exploitation by the Muhstik botnet, it's imperative for organisations to act swiftly. Updating Apache RocketMQ to the latest version and securing MS-SQL servers are crucial steps in mitigating these risks.

Stay vigilant and protect your systems from this emerging threat! 🌐

Whatever you SASE 😬😬😬

🚨 Evolving Threat Landscape Calls for Comprehensive Cyber Threat Intelligence

As cyber threats evolve, organisations need a unified approach to integrate insights from external data, inbound and outbound threats, and network activity for a complete cybersecurity posture.

Cato SASE Threat Report

Cato's Cyber Threat Research Lab (Cato CTRL) has released its first SASE threat report, offering in-depth insights into enterprise and network threats using the MITRE ATT&CK framework. The report draws from extensive data sources, including:

  • Data from 2,200+ customers.

  • 1.26 trillion network flows.

  • 21.45 billion blocked attacks.

What is Cato CTRL?

Cato CTRL combines top human intelligence with comprehensive network and security insights, powered by Cato's AI-enhanced, global SASE platform.

Top 8 Findings:

AI Adoption 🤖

AI tools like Microsoft Copilot and OpenAI ChatGPT are widely adopted.

Hacker Forum Insights

Hacker forums reveal trends such as enhanced tools using LLMs and services for fake credentials and deep fakes.

Brand Spoofing

Brands like Booking, Amazon, and eBay are being spoofed for fraud.

Lateral Movement in Networks ↔️

Attackers exploit unsecured protocols:

  • 62% HTTP traffic.

  • 54% telnet traffic.

  • 46% SMB v1/v2 traffic.

Unpatched Systems Threat

Unpatched systems, like those vulnerable to Log4J, remain significant threats.

Industry-Specific Exploits 🏭

Different industries face distinct threats, such as Endpoint Denial of Service and Credential Access exploitation.

Context in Threat Detection

Contextual understanding and AI/ML algorithms are crucial for detecting suspicious activity.

Low DNSSEC Adoption 🌐

Despite its importance, DNSSEC adoption is only 1%.

Conclusion

For more detailed insights and to understand the broader threat landscape, read the full SASE Threat Report.

Stay informed, stay protected!

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That’s us, alright! How about you? Visionary AI executive, much?

And if the newsletter gets your motor running, then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🌐

Rest assured, the process is very straightforward.

You simply:

Sign Up & Create Campaign

Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Recalling all cars! πŸ“’πŸ“’πŸ“’

🚨 Microsoft to Disable Controversial AI-Powered Recall Feature by Default 🚫

Microsoft announced it will disable the controversial AI-powered Recall feature by default and make it opt-in starting June 18, 2024, in response to significant backlash from the security and privacy community.

About Recall

  • What it does: Recall captures screenshots of users' screens every five seconds, creating an "explorable visual timeline" to surface relevant information.

  • Availability: Exclusively on Copilot+ PCs.

Controversy ⚠️

  • Privacy Concerns: Critics argue that Recall could expose sensitive information, such as documents and messages, making users vulnerable to malicious actors.

  • Negative Reactions: Security experts like WIRED's Andy Greenberg labelled Recall as "unrequested, pre-installed spyware," and Microsoft was criticised for secrecy during development.

Microsoft's Response

User Control:

  • Users will have full control over Recall, with an option to opt out of saving screenshots.

Security Enhancements:

  • Biometric authentication via Windows Hello is required to enable Recall.

  • Encryption for the search index database.

  • Snapshots decrypted only upon user authentication.

Local Processing:

  • All Recall data is stored and processed locally on-device, not shared with external entities.

User Experience

  • Opt-in Process: Users will go through a new setup process to enable Recall.

  • Visual Indicators: Recall will be pinned to the taskbar with a system tray icon indicating when snapshots are being saved.

Enterprise Controls

IT administrators in enterprise environments can disable Recall for managed devices, but cannot enable it.

Industry Reaction 🏭

Positive Steps: Security researcher Kevin Beaumont praised the move to make Recall opt-in, highlighting the importance of user choice to avoid potential security issues.

Microsoft's Commitment to Security

  • The decision is part of Microsoft's broader Secure Future Initiative (SFI), emphasising security above other priorities.

  • CEO Satya Nadella stressed the importance of prioritising security in all aspects of Microsoft's operations.

  • Microsoft's reversal on Recall aims to address privacy and security concerns while gathering user feedback to refine the feature. For more details, read the full announcement from Microsoft.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
