Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 21, 2023NewsroomLinux / Rootkit

Vulnerability in Apache ActiveMQ

the Kinsing Threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits.

“Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host’s resources to mine cryptocurrencies such as Bitcoin, resulting in significant infrastructure damage and negative performance impacts system,” Trend Micro security researcher Peter Girnus SAYS.


Kinsing refers to a Linux malware that has a history of targeting misconfigured containerized environments for cryptocurrency mining, often using compromised server resources to generate illicit profits for threat actors.

The group is also known to quickly adapt its tactics to include newly disclosed flaws in web applications to breach target networks and deliver crypto miners. Earlier this month, Aqua disclosed threat actor attempts to exploit a Linux privilege escalation flaw called Looney Tunables to infiltrate cloud environments.

Vulnerability in Apache ActiveMQ

The latest campaign involves exploiting CVE-2023-46604 (CVSS score: 10.0), an actively exploited critical vulnerability in Apache ActiveMQ that enables remote code execution, allows an adversary to download and installation of Kinsing malware.

This was followed by extracting additional payloads from a domain controlled by the actor while simultaneously taking steps to terminate competing cryptocurrency miners already running on the infected system.


“Kinsing doubles his persistence and compromise by loads its rootkit in /etc/, which completes a full system compromise,” Girnus said.

Due to continued exploitation of the flaw, organizations running affected versions of Apache ActiveMQ are recommended to update to a patched version as soon as possible to mitigate potential threats.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment