Executive Summary
CVE-2023-33246 is a critical remote code execution (RCE) vulnerability identified in Apache RocketMQ versions 5.1.0 and below. This vulnerability allows remote unauthenticated attackers to execute arbitrary commands on the affected system, potentially leading to full system compromise. The DreamBus botnet, a notorious Linux-based botnet, has been observed exploiting this vulnerability to gain initial access and deploy malicious payloads. This report provides a comprehensive analysis of the exploitation of CVE-2023-33246, detailing the methods used by threat actors, the payloads involved, and the mitigation strategies to protect against such attacks.
Technical Information
CVE-2023-33246 is a critical vulnerability in Apache RocketMQ versions 5.1.0 and below. It arises from missing permission verification in several RocketMQ components, including the NameServer, Broker, and Controller, when they are exposed on the network. An attacker can exploit the update configuration function to execute commands as the system user RocketMQ runs as, and can achieve the same effect by forging RocketMQ protocol content.
The vulnerability has a CVSS Score of 9.8 (Critical), with the vector being CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is remotely exploitable, requires low attack complexity, and does not require privileges or user interaction. The impact on confidentiality, integrity, and availability is high.
The DreamBus botnet has been observed leveraging this vulnerability to gain initial access and deploy malicious payloads. The botnet resurfaced in May 2023, targeting RocketMQ servers. The attacks reached a peak in volume towards mid-June 2023.
Exploitation in the Wild
The DreamBus botnet has been actively exploiting CVE-2023-33246 to compromise RocketMQ servers. The botnet uses a multi-stage attack process to achieve its objectives.
Attack Timeline
- Early June 2023: Initial attacks targeting the RocketMQ vulnerability were observed.
- June 19, 2023: A series of attacks involved downloading and executing a malicious bash script named "reketed".
Attack Methods
- Reconnaissance: Initial attacks were non-destructive, using the open-source reconnaissance tool "interactsh" to assess server vulnerabilities.
- Payload Delivery: Malicious actors used two methods to retrieve and execute the "reketed" bash script:
  - Using the TOR proxy service "tor2web.in" to download the payload.
  - Directly retrieving the payload from IP address 92[.]204.243.155 on port 8080.
Payload Analysis
Reketed Bash Script: The primary function is to download the DreamBus main module from a TOR hidden service. The script exhibits obfuscation techniques and assigns randomized names to functions and variables.
DreamBus Main Module: An ELF Linux binary packed with UPX, executing numerous base64 encoded strings that decode into bash scripts for various functions, including downloading other malicious modules.
Indicators of Compromise (IOCs)
- Download Server: 92[.]204.243.155
- .onion Download and Control Server: ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion
- Bash Script Downloader (SHA-256): 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047
- XMRig Miner (SHA-256): 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d
- DreamBus Bot (SHA-256):
  - 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443
  - 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2
  - e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d
  - 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f
  - 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c
  - 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417
  - 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f
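The indicators above are only useful once they are in a form that can be matched against what a defender actually has: file hashes and egress or proxy logs. The following script is an added example written for this report, not tooling from the report or from any of the referenced vendors. It refangs the defanged IP, carries the report's SHA-256 list as a lookup table, classifies a file by its hash, and scans log lines for the download server and the .onion host. The log lines it scans are constructed samples, not captured data.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Network indicators from the report. The IP is written defanged there
# ("92[.]204.243.155"); refang() restores the matchable form.
DOWNLOAD_SERVER_DEFANGED = "92[.]204.243.155"
DOWNLOAD_SERVER_PORT = 8080
ONION_C2 = "ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion"

# SHA-256 indicators from the report, keyed by hash, valued by the label given there.
IOC_SHA256: Dict[str, str] = {
    "1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047": "reketed bash downloader",
    "1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d": "XMRig miner",
    "601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443": "DreamBus bot",
    "153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2": "DreamBus bot",
    "e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d": "DreamBus bot",
    "9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f": "DreamBus bot",
    "371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c": "DreamBus bot",
    "21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417": "DreamBus bot",
    "0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f": "DreamBus bot",
}


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be matched against raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


NETWORK_IOCS: Tuple[str, ...] = (refang(DOWNLOAD_SERVER_DEFANGED), ONION_C2)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def classify_hash(hexdigest: str) -> Optional[str]:
    """Return the report's label for a known-bad hash, or None if it is not listed."""
    return IOC_SHA256.get(hexdigest.strip().lower())


def classify_file_bytes(data: bytes) -> Optional[str]:
    """Hash file contents and look them up in the IoC table."""
    return classify_hash(sha256_hex(data))


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, indicator) for every line mentioning a network IoC."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for ioc in NETWORK_IOCS:
            if ioc in line:
                hits.append((number, ioc))
    return hits


# Constructed egress-log samples (not real captures) in a generic proxy-log shape.
SAMPLE_LOG_LINES = [
    "2023-06-19T10:00:01Z proxy01 10.0.0.5 -> 92.204.243.155:8080 CONNECT allowed",
    "2023-06-19T10:00:02Z proxy01 10.0.0.5 -> "
    "ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion:80 CONNECT allowed",
    "2023-06-19T10:00:03Z proxy01 10.0.0.7 -> repo.example.internal:443 CONNECT allowed",
]


if __name__ == "__main__":
    for number, ioc in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: matched network IoC {ioc}")
    print(classify_file_bytes(b"constructed sample, not malware"))
```

Run it against real proxy or firewall exports by replacing SAMPLE_LOG_LINES with the file contents, and feed classify_file_bytes the bytes of any unexpected executable found on a RocketMQ host; a None result only means the file is not on this report's list, not that it is clean.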
APT Groups using this vulnerability
The DreamBus botnet is the primary threat actor observed exploiting CVE-2023-33246. This botnet is known for targeting Linux-based systems and deploying various malicious payloads, including cryptocurrency miners and other malware. The botnet has been active since at least 2020 and has resurfaced multiple times, adapting its tactics and techniques to exploit new vulnerabilities.
Affected Product Versions
The following versions of Apache RocketMQ are affected by CVE-2023-33246:
RocketMQ versions up to 5.1.0
Workaround and Mitigation
To mitigate this vulnerability, users are recommended to:
- Upgrade RocketMQ: Upgrade to version 5.1.1 or above for RocketMQ 5.x, or version 4.9.6 or above for RocketMQ 4.x.
- Network Segmentation: Ensure that RocketMQ components are not exposed to the internet and are accessible only within trusted network segments.
- Access Controls: Implement strict access controls and permission verification for RocketMQ components.
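The upgrade guidance above has two fixed-version thresholds (5.1.1 for the 5.x line, 4.9.6 for the 4.x line), which is easy to get wrong when triaging a fleet by hand. The script below is an added example written for this report, not a tool from Apache RocketMQ or any referenced vendor. It parses a RocketMQ version string, decides whether it falls in the affected range stated in this report, names the minimum fixed version for that line, and triages a constructed host inventory; the host names and versions in it are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions as stated in the report's mitigation guidance.
FIXED_5X = (5, 1, 1)
FIXED_4X = (4, 9, 6)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' (optional leading 'v') into a comparable tuple."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised RocketMQ version string: {version!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version lies in the affected range for CVE-2023-33246.

    4.x releases are fixed from 4.9.6 onward; every other line is fixed from 5.1.1,
    which also makes releases older than 4.x affected (the report states 'up to 5.1.0').
    """
    parsed = parse_version(version)
    if parsed[0] == 4:
        return parsed < FIXED_4X
    return parsed < FIXED_5X


def recommended_fix(version: str) -> str:
    """Minimum version to upgrade to, staying on the same major line where one exists."""
    parsed = parse_version(version)
    target = FIXED_4X if parsed[0] == 4 else FIXED_5X
    return ".".join(str(part) for part in target)


def triage(inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one row per affected host with the upgrade target, sorted by host name."""
    rows = []
    for host, version in sorted(inventory.items()):
        if is_affected(version):
            rows.append({"host": host, "version": version, "upgrade_to": recommended_fix(version)})
    return rows


# Constructed inventory for illustration; host names and versions are not from the report.
SAMPLE_INVENTORY = {
    "mq-broker-01.example.internal": "5.1.0",
    "mq-broker-02.example.internal": "5.1.1",
    "mq-namesrv-01.example.internal": "4.9.5",
    "mq-namesrv-02.example.internal": "4.9.6",
    "mq-legacy-01.example.internal": "4.8.0",
}


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']}: {row['version']} is affected, upgrade to {row['upgrade_to']}")
```

Version is only one axis of the triage; pair the result with the network-segmentation check above, since a vulnerable but unreachable broker is a lower priority than a vulnerable one whose NameServer or Broker port is reachable from untrusted networks.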
References
- NVD - CVE-2023-33246: https://nvd.nist.gov/vuln/detail/CVE-2023-33246
- DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability - Juniper Networks: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability
- RocketMQ RCE (CVE-2023-33246) - Vicarius: https://www.vicarius.io/vsociety/posts/rocketmq-rce-cve-2023-33246-33247
- Apache RocketMQ: CVE-2023-33246: Remote Command Execution - Rapid7: https://www.rapid7.com/db/vulnerabilities/apache-rocketmq-cve-2023-33246/
- CVE-2023-33246 RocketMQ RCE Detect By Version and Exploit - GitHub: https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT
- Exposing RocketMQ CVE-2023-33246 Payloads - VulnCheck: https://vulncheck.com/blog/rocketmq-exploit-payloads
- Web Attack: RocketMQ RCE CVE-2023-33246 - Broadcom Inc.: https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=34220
- CVE-2023-33246: Critical RCE Vulnerability in Apache RocketMQ - Arctic Wolf: https://arcticwolf.com/resources/blog/cve-2023-33246/
Rescana is here for you
At Rescana, we understand the critical importance of staying ahead of emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities in your environment. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your digital assets.