DreamBus Botnet exploits Apache RocketMQ Vulnerability to mine Cryptocurrency
Take action: Time to run an inventory on your systems and check whether any of them run RocketMQ, either directly or embedded in a vendor product. Every instance that is exposed to the internet is a high priority for patching, so chase down the vendor for an updated build. Where no patch is available yet, move the system onto an internal network and restrict access to it until one is.
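One way to carry out that inventory step on a Linux host, as an added example that is not from the article or from Juniper: the script below reads `ss -tlnp` listener lines and the command line of each listening process (as found in `/proc/<pid>/cmdline`), keeps only Java processes running RocketMQ classes, notes whether each listener is bound beyond loopback, and compares the jar version against the fixed release. The sample socket lines and command lines are constructed for the example; 9876 and 10911 are the default NameServer and Broker listening ports; the fixed version 5.1.1 is the one the article names, and 4.9.6 for the 4.x line is taken from Apache's advisory, not from this article, so confirm it against the advisory for your build.

```python
"""Triage RocketMQ exposure from socket and process data (added example, not the article's code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default listening ports: NameServer 9876, Broker 10911.
ROCKETMQ_PORTS = {9876: "namesrv", 10911: "broker"}

# Fixed releases: 5.1.1 per the article; 4.9.6 per Apache's advisory for the 4.x line
# (assumption to confirm against the advisory for your build).
FIXED = {5: (5, 1, 1), 4: (4, 9, 6)}

LOOPBACK = ("127.", "::1", "[::1]")

# Matches one `ss -tlnp` line, e.g.
#   LISTEN 0 1024 0.0.0.0:9876 0.0.0.0:* users:(("java",pid=1201,fd=39))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass
class Finding:
    host: str
    pid: int
    role: str
    addr: str
    port: int
    version: Optional[Tuple[int, int, int]]
    exposed: bool            # bound to something other than loopback
    vulnerable: Optional[bool]  # None when the version could not be determined


def parse_version(cmdline: str) -> Optional[Tuple[int, int, int]]:
    """Pull the RocketMQ version out of the broker/namesrv jar name on the classpath."""
    m = re.search(r"rocketmq-(?:broker|namesrv)-(\d+)\.(\d+)\.(\d+)", cmdline)
    return tuple(map(int, m.groups())) if m else None  # type: ignore[return-value]


def is_vulnerable(version: Optional[Tuple[int, int, int]]) -> Optional[bool]:
    """True if below the fixed release for its major line; None if unknown."""
    if version is None:
        return None
    floor = FIXED.get(version[0])
    if floor is None:
        return None  # unfamiliar major line: verify by hand
    return version < floor


def triage(host: str, ss_lines: Iterable[str], cmdlines: Dict[int, str]) -> List[Finding]:
    """cmdlines maps pid -> full command line, as read from /proc/<pid>/cmdline."""
    findings = []
    for line in ss_lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        pid = int(m["pid"])
        cmd = cmdlines.get(pid, "")
        if "org.apache.rocketmq" not in cmd:
            continue  # another service on the port, not RocketMQ
        port = int(m["port"])
        addr = m["addr"]
        version = parse_version(cmd)
        findings.append(Finding(host, pid, ROCKETMQ_PORTS.get(port, "other"), addr, port,
                                version, not addr.startswith(LOOPBACK), is_vulnerable(version)))
    return findings


def priority(f: Finding) -> str:
    """Exposed and not known to be fixed is the patch-or-isolate-now bucket."""
    if f.exposed and f.vulnerable is not False:
        return "HIGH"
    if f.vulnerable:
        return "MEDIUM"  # vulnerable but only reachable on the host itself
    return "LOW"


# Constructed sample data standing in for `ss -tlnp` and /proc/<pid>/cmdline on one host.
SAMPLE_SS = [
    'LISTEN 0 1024 0.0.0.0:9876 0.0.0.0:* users:(("java",pid=1201,fd=39))',
    'LISTEN 0 1024 0.0.0.0:10911 0.0.0.0:* users:(("java",pid=1337,fd=52))',
    'LISTEN 0 128 127.0.0.1:10911 0.0.0.0:* users:(("java",pid=2048,fd=52))',
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))',
]
SAMPLE_CMDLINES = {
    1201: "java -cp /opt/rocketmq/lib/rocketmq-namesrv-5.0.0.jar org.apache.rocketmq.namesrv.NamesrvStartup",
    1337: "java -cp /opt/rocketmq/lib/rocketmq-broker-4.9.4.jar org.apache.rocketmq.broker.BrokerStartup -n localhost:9876",
    2048: "java -cp /opt/rocketmq/lib/rocketmq-broker-5.1.1.jar org.apache.rocketmq.broker.BrokerStartup",
    800: "/usr/sbin/sshd -D",
}

if __name__ == "__main__":
    for f in triage("app01", SAMPLE_SS, SAMPLE_CMDLINES):
        ver = ".".join(map(str, f.version)) if f.version else "unknown"
        print(f"{priority(f):6} {f.host} pid={f.pid} {f.role} {f.addr}:{f.port} version={ver}")
```

On a real host, feed it the output of `ss -tlnp` and the contents of `/proc/<pid>/cmdline` for each pid it names; the "HIGH" rows are the instances to patch first or pull off the internet-facing network, including any whose version could not be read from the classpath.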
Learn More
The DreamBus botnet has been observed exploiting a recently patched vulnerability in Apache RocketMQ. The primary objective of these attacks is to deploy a cryptocurrency miner on compromised systems.
Apache RocketMQ is a widely used distributed messaging and streaming platform, and it is also embedded in a number of custom products, including some networking equipment. The vulnerability is tracked as CVE-2023-33246. It came to public attention in late May, when RocketMQ version 5.1.1 was released to address the flaw. CVE-2023-33246 is rated 'critical': it lets an unauthenticated remote attacker execute commands on the host, with the privileges of the account the RocketMQ service runs under.
In June, full technical details and proof-of-concept (PoC) exploits for the vulnerability were published, and real-world exploitation quickly followed.
Juniper Networks reported that it first observed attacks leveraging CVE-2023-33246 in early June, with activity peaking later that month, and attributed these attacks to the DreamBus botnet.
The attackers' approach is to hunt for vulnerable RocketMQ servers and push a malicious bash script to each one; the script downloads the main component of the DreamBus malware. DreamBus is a strain of Linux malware that first surfaced in early 2019 and had been dormant since 2021 until this resurgence.
Although the central goal of the DreamBus operators remains the installation of a Monero cryptocurrency miner, the malware's ability to execute arbitrary bash scripts gives them room to diversify their attacks. Juniper underscores this point by noting that the same foothold could be used to deploy a range of other malicious software.