
Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

The Kinsing threat actor continues to distribute malware by exploiting known vulnerabilities, particularly CVE-2023-46604 in ActiveMQ. They target both Linux and Windows systems, using various malware types including XMRig, Stager, and Sharpire. The attack process involves exploiting the ActiveMQ vulnerability to execute remote commands, installing downloaders, and using tools like CobaltStrike, Meterpreter, and PowerShell Empire to control infected systems. The actor's main objectives include cryptocurrency mining, information theft, and potential ransomware installation. The vulnerability has also been exploited by other groups such as Andariel, HelloKitty, and Mauri ransomware. Organizations are advised to apply security updates to mitigate the risk.

OPENCTI LABELS :

vulnerability exploitation, cobaltstrike, meterpreter, cryptocurrency mining, cve-2023-46604, xmrig, sharpire, activemq, h2miner, powershell empire


AI COMMENTARY :

1. The recent Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing) highlights a dangerous trend in vulnerability exploitation against enterprise messaging platforms. The focus of this campaign is CVE-2023-46604 in ActiveMQ, a flaw that allows unauthenticated remote command execution on vulnerable Linux and Windows servers. Attackers leverage this weakness to gain an initial foothold and bypass security controls by injecting malicious payloads targeting both operating systems using h2 database endpoints within ActiveMQ.

2. Once the vulnerability is exploited, the threat actor deploys a series of downloaders and stagers to establish persistent access. These preliminary stages download secondary tools such as h2miner miners and XMRig for cryptocurrency mining as well as stager scripts that facilitate the retrieval of the Sharpire implant. The Kinsing group orchestrates the download process with tailored scripts that contact public or compromised web servers hosting the payloads.

3. The main payload, Sharpire, is installed to maintain stealthy remote control. Sharpire functions as a hybrid backdoor and downloader capable of fetching additional modules. In parallel, XMRig and h2miner mine Monero or other cryptocurrencies on infected hosts, maximizing the attackers’ profits while evading detection by consuming minimal system resources.

4. To further exploit compromised systems, the adversary integrates commercial and open-source post-exploitation frameworks. CobaltStrike is leveraged for command and control, while Meterpreter shells provide interactive session management. The intrusion chain also includes PowerShell Empire scripts that automate reconnaissance, credential harvesting, and lateral movement. This combination of techniques underscores a multi-vector approach to maximize impact.

5. The objectives of this threat operation are threefold. First, cryptocurrency mining operations generate illicit revenue through XMRig and h2miner. Second, the attacker exfiltrates sensitive data for further monetization or espionage. Third, the environment may be prepared for a later ransomware deployment, increasing the potential damage and extortion leverage against the victim organization.

6. It is important to note that CVE-2023-46604 in ActiveMQ has been weaponized by other criminal groups including Andariel, HelloKitty, and the Mauri ransomware gang. This widespread exploitation underscores the urgency for defenders to apply security patches, implement network segmentation, and monitor for indicators of compromise associated with vulnerability exploitation and PowerShell Empire activity.

7. Organizations are advised to prioritize patch management to remediate CVE-2023-46604 on all instances of ActiveMQ. Additional hardening measures include disabling unnecessary database endpoints, enforcing strict access controls, and deploying threat detection solutions tuned for signs of CobaltStrike beacons, Meterpreter traffic, and unauthorized downloaders. By proactively addressing these vulnerabilities, defenders can disrupt the Kinsing attack chain and protect critical infrastructure.
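The patch-management step above is only actionable once you know which brokers are still on an affected release. The following is an added example (not part of the OpenCTI report or the Kinsing analysis it summarizes) that compares ActiveMQ versions from an asset inventory against the first fixed release on each maintained branch as published in the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3). The inventory dictionary and host names are constructed for the example; in practice the versions would come from your CMDB or from the broker's own version reporting.

```python
"""Inventory check for CVE-2023-46604 in Apache ActiveMQ.

Added example: flags brokers whose version predates the fixed release
on their branch, so patching can be prioritised.
"""
from typing import Dict, List, Tuple

# First fixed release per maintained branch, per the Apache ActiveMQ advisory
# for CVE-2023-46604. Anything older than the 5.15 branch is also affected;
# branches newer than 5.18 (5.19.x, 6.x) were released after the fix.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.18.2' or '5.18.2-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-")[0]          # drop qualifiers such as -SNAPSHOT
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable ActiveMQ version: {version!r}")
    nums = [int(p) for p in parts] + [0, 0]       # pad a missing patch component
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True if this release is older than the first fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Unlisted branch: affected if older than the oldest patched branch (5.15),
    # otherwise it post-dates the fix.
    return branch < min(FIXED_BY_BRANCH)


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose broker version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hypothetical host names and versions).
INVENTORY: Dict[str, str] = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy-01": "5.14.5",
    "mq-dev-01": "6.0.1",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: ActiveMQ {INVENTORY[host]} is affected by CVE-2023-46604, patch required")
```

Versions that cannot be parsed raise rather than being silently treated as safe, so an inventory entry like "latest" surfaces as a data-quality problem instead of a missed broker.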
