BleepingComputer reports that ongoing attacks involving a new DreamBus botnet malware version have been targeting RocketMQ servers vulnerable to the critical remote code execution flaw, tracked as CVE-2023-33246, since June.
RocketMQ servers' default 10911 port and seven other ports were initially targeted by DreamBus attacks exploiting the flaw in early June before attacks spiked in the middle of the month, according to a report from Juniper Threat Labs.
After leveraging the open-source reconnaissance "interactsh" to conduct server vulnerability assessments, attackers proceeded to download the malicious bash script "reketed," which facilitated DreamBus module downloading and installation.
Further examination revealed that the DreamBus module not only downloads the XMRig Monero miner and executes bash scripts but also enables lateral spread and vulnerability scanning. Moreover, threat actors could further strengthen the DreamBus campaign to conduct more varied attacks, said researchers, who urged for the immediate update of RocketMQ servers to versions 5.1.1 or later.
