Thursday, November 30, 2023

GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ

The GoTitan botnet is a Go-based botnet that exploits a vulnerability in Apache ActiveMQ and represents a critical cybersecurity threat. It is being deployed together with a .NET program known as PrCtrl Rat, and both give remote attackers control over infected hosts. The vulnerability being exploited is CVE-2023-46604, a deserialization of untrusted data flaw in Apache ActiveMQ. It is rated critical and affects Apache ActiveMQ on any operating system in versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

Exploitation typically involves the attacker sending a crafted packet that causes the broker to unmarshal a class under the attacker's control. The packet is delivered over the OpenWire protocol, the wire protocol through which clients connect to the ActiveMQ server. The severity of this issue is high, as it allows remote attackers to gain control of vulnerable systems, which impacts any organization running the affected versions of Apache ActiveMQ.

Organizations using Apache ActiveMQ are advised to update to a release that contains the fix (5.15.16, 5.16.7, 5.17.6, 5.18.3 or later in each branch) to mitigate the risk of exploitation by the GoTitan botnet and its associated malware.

IoC

IPv4

  • 42.121.111.112
  • 199.231.186.249
  • 185.122.204.197
  • 173.214.167.155

SHA256

  • f75cb3e540b96cd54a966c512c854c832807e354772ae1a326b758394b01b607
  • f5a36570506bfaff60b684cd26dde3a64a3db4eaa9da78a1434cfd4b390ef3d5
  • ed09f95f4b4b482207bb300ff6ec15ed8ca5fdde97af02fa9fbe01adaaf7673b
  • dbf8ba47a5973c86fef32c2d696b09e1930a8384087c62ace1aa5c4084ee1a3f
  • d8f55bbbcc20e81e46b9bf78f93b73f002c76a8fcdb4dc2ae21b8609445c14f9
  • bfce7938591dd9fa3e1368d7eb86fc7f11e935349437fc11de4f124bbbc16dee
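The two defender-side checks this post implies, an affected-version test against the fixed releases listed above and a sweep of connection logs and file hashes against the IoCs, as an added Python example that is not part of the original post or of any vendor tooling. The version thresholds and IoC values are taken from the post; the `src=... dst=... dport=...` log format and the sample log lines are constructed for the demonstration and are not real telemetry. Port 61616 is ActiveMQ's default OpenWire listener and 8161 its default web console port.

```python
"""Triage helpers for CVE-2023-46604 (Apache ActiveMQ, OpenWire deserialization).

Added example, not code from the original post. Version thresholds and IoCs
come from the post; the log format and sample data below are constructed.
"""
import hashlib
import re
from typing import Iterable, Optional

# Patched release per 5.x branch, as stated in the post.
FIXED_PATCH_BY_MINOR = {15: 16, 16: 7, 17: 6, 18: 3}

# IoCs listed in the post.
IOC_IPS = frozenset({
    "42.121.111.112", "199.231.186.249", "185.122.204.197", "173.214.167.155",
})
IOC_SHA256 = frozenset({
    "f75cb3e540b96cd54a966c512c854c832807e354772ae1a326b758394b01b607",
    "f5a36570506bfaff60b684cd26dde3a64a3db4eaa9da78a1434cfd4b390ef3d5",
    "ed09f95f4b4b482207bb300ff6ec15ed8ca5fdde97af02fa9fbe01adaaf7673b",
    "dbf8ba47a5973c86fef32c2d696b09e1930a8384087c62ace1aa5c4084ee1a3f",
    "d8f55bbbcc20e81e46b9bf78f93b73f002c76a8fcdb4dc2ae21b8609445c14f9",
    "bfce7938591dd9fa3e1368d7eb86fc7f11e935349437fc11de4f124bbbc16dee",
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch'; trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if a 5.x release predates its branch fix, False if it includes it.

    Returns None for releases outside the branches the post covers (5.15-5.18
    plus anything older) so the caller gets an explicit 'not assessed' rather
    than a silent 'safe'.
    """
    major, minor, patch = parse_version(version)
    if major != 5 or minor > 18:
        return None
    if minor < 15:
        return True  # older than every fixed branch: no fix exists for it
    return patch < FIXED_PATCH_BY_MINOR[minor]


# Constructed connection-log format (not a real product's format).
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def ioc_connections(lines: Iterable[str]) -> list:
    """Return parsed log records whose source or destination is an IoC address."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["src"] in IOC_IPS or m["dst"] in IOC_IPS:
            hits.append({
                "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "action": m["action"],
            })
    return hits


def sha256_hits(digests: Iterable[str]) -> set:
    """Intersect an inventory of hex SHA256 digests (e.g. an EDR export) with the IoC list."""
    return {d.strip().lower() for d in digests if d.strip().lower() in IOC_SHA256}


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of file content, for comparing a sample on disk against the IoC list."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2023-11-28T10:01:02Z src=10.0.0.7 dst=10.0.0.5 dport=61616 action=allow",
    "2023-11-28T10:03:45Z src=42.121.111.112 dst=10.0.0.5 dport=61616 action=allow",
    "2023-11-28T10:04:10Z src=185.122.204.197 dst=10.0.0.5 dport=8161 action=deny",
    "2023-11-28T10:05:00Z src=192.168.1.20 dst=10.0.0.5 dport=61616 action=allow",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for v in ("5.18.2", "5.18.3", "5.15.15", "5.14.5", "6.0.0"):
        print(f"{v:>8}: vulnerable={is_vulnerable(v)}")
    for hit in ioc_connections(SAMPLE_LOG):
        print("IoC connection:", hit)
    print("hash hits:", sha256_hits([next(iter(IOC_SHA256)), sha256_of(b"constructed sample")]))
```

`is_vulnerable` deliberately returns `None` rather than `False` for anything the post's version table does not describe, so a branch the post does not mention is flagged for manual review instead of being reported as patched.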

REFERENCES

  • https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq#:~:text=GoTitan%20Botnet%20,vulnerable%20systems%20Severity%20Level%3A%20Critical
  • https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html#:~:text=The%20recently%20disclosed%20critical%20security,remotely%20commandeering%20the%20infected%20hosts
  • https://cybersecuritynews.com/apache-activemq-vulnerability/#:~:text=GoTitan%20Botnet%20%E2%80%93%20Ongoing%20Exploitation,by%20sending%20a%20crafted%20packet
  • https://otx.alienvault.com/pulse/6567c0e6d66026b734340b59

TAGS

botnets, apache, cve202346604, gotitan, sliver, kinsing
