RocketMQ Exploit Attack Demo
Why RocketMQ is vulnerable, and how to fix it.
First, the bad news: Since May 2023, threat actors have been exploiting a vulnerability in RocketMQ to deploy vicious malware. The good news? Juniper Advanced Threat Prevention (ATP) can help stop bad actors in their tracks. Tune into this episode of Juniper Threat Labs for a hands-on demo that shows you exactly how.
Protect yourself: Watch additional security demos.
You’ll learn
How the attack chain works, and how remote attackers manipulate RocketMQ
How Juniper ATP Cloud detects this malware using machine learning based on static and behavioral analysis
Who is this for?
Next in the series
Transcript
0:00 welcome to the Juniper threat Labs
0:02 attack demo Series in this demo we will
0:06 be talking about Racket mq and examine
0:09 how threat actors exploit it and deploy
0:11 a Linux
0:13 malware following that we'll show you
0:16 how Juniper customers can be protected
0:18 throughout the attack
0:21 chain in May
0:23 2023 a vulnerability affecting rocket mq
0:26 servers which allows remote code
0:29 execution was publicly
0:31 disclosed shortly after that in early
0:35 June Juniper treat Labs began seeing
0:37 attacks targeting this
0:40 vulnerability the attacks installed a
0:43 malicious Linux binary file dabbed as
0:46 dream bass bot which is capable of
0:48 downloading and installing other modules
0:51 including a spreader a miner as well as
0:54 update itself it was also observed in
0:58 other news that multiple TR actors are
1:01 exploiting this vulnerability this
1:03 prompted the cyber security and
1:05 infrastructure Security Agency to
1:08 release an advisory warning regarding
1:10 this
1:11 vulnerability let's understand the
1:13 attack chain this vulnerability enables
1:17 a remote unauthenticated attacker to
1:19 manipulate the racket mq broker
1:22 configuration in order to abuse a
1:24 command injection as detailed in junor
1:26 threat lab's blog one of the threat
1:28 actors l Lage this vulnerability to
1:32 deploy the dream bass bot dream bass is
1:34 capable of updating itself as well as
1:37 installing other components such as a
1:39 spreader module and a Monero
1:42 Miner with that let's dive into the
1:45 simulation of this
1:49 attack let's assume that this C Linux is
1:52 the attacker's
1:54 [Music]
1:56 machine our Target victim has an IP
1:59 address
2:00 192.168
2:03 20637 we first run the python script
2:06 check. py to verify whether This Server
2:10 is
2:15 vulnerable after verifying that the
2:18 server is vulnerable we can now proceed
2:20 with our
2:22 attack for this demo we will be using a
2:25 payload that will download dream bassbot
2:28 via curl into the target server temp
2:32 directory we will host grebas bot in the
2:35 same Cen Linux
2:46 [Music]
2:50 machine after launching the attack
2:53 shortly we saw a get request on our coli
2:55 machine to download dream buas
2:58 bot
3:06 [Music]
3:09 we can confirm the successful
3:11 exploitation by going to our victim
3:13 machine and listing the file we can also
3:16 check in virus total that the file is
3:19 indeed
3:23 [Music]
3:28 malicious
3:33 [Music]
3:35 let's now look and see whether or not
3:38 this attack works as successfully with
3:40 the Juniper SRX firewall enhanc with
3:43 protection from Juniper's cloud-based
3:45 Advanced antimalware solution Juniper
3:48 ATP for the demo Juniper trat Labs is
3:52 using the following setup we have a vsrx
3:55 pictured in the center the vsrx is a
3:58 virtual SRX for firewall providing
4:01 network security protection its purpose
4:03 is to inspect Network traffic and with
4:05 the assistance of juniper ATP Cloud to
4:08 detect malware like dream buas but in
4:11 addition to the virtual firewall and
4:13 cloud-based protections we are using
4:15 Juniper security director which is a
4:18 centralized management system it is used
4:21 to facilitate our configuring and
4:23 monitoring of the vrx firewall and we
4:26 are using Juniper's policy enforcer as
4:28 well Juniper policy enforcer enforces
4:31 security policies on endpoints and
4:33 ensures they comply with corporate
4:35 security standards we also have several
4:38 Windows
4:39 workstations Each of which is connected
4:42 to the vsrx finally we have an abun
4:45 server acting as the malware download
4:48 server before we proceed with our
4:50 attempt to execute the attack using
4:52 Juniper connected Security Solutions
4:54 let's first examine the various policies
4:56 we've configured within our security
4:59 directory and appli to the vsrx for this
5:02 demonstration we've set up an IPS policy
5:05 to detect the exploit and a threat
5:07 prevention policy to detect and block
5:09 the payload to access the IPS policy
5:13 navigate to the configure Tab and select
5:16 IPS
5:17 policy you'll see that we have an
5:20 existing policy named racket mq policy
5:24 drop this policy is configured to
5:26 include the IPS signature the specific
5:29 Bally detecting the rocket mq exploit
5:32 and it's set to drop any Pockets
5:34 associated with the
5:36 exploit moving on to the threat
5:39 prevention policy select threat
5:41 prevention under the configure tab
5:44 you'll notice that we also have an
5:46 existing policy in
5:48 place let's further inspect the
5:50 protections being enforced by the
5:52 applied
5:54 policy for this demo our policies are
5:57 configured to block command and control
5:59 control traffic at Threat Level 8 and
6:02 above we've also set it up to block
6:05 infected hosts at Threat Level 8 and
6:08 above additionally we've configured our
6:11 policy to use ATP cloud from malware
6:14 detection and as you can see we've
6:16 elected to scan HTTP downloads and block
6:19 threats at level 7 and above this threat
6:23 prevention policy implied to the Juniper
6:25 vsrx firewall is a critical component of
6:28 our defenses
6:29 protecting our systems against malware
6:32 related attacks it not only detects and
6:35 blocks malicious traffic but also
6:37 prevents potentially infected hosts from
6:39 spreading malware across our Network
6:42 should one of our systems gets
6:44 compromised to show you that these
6:45 policies are applied to our vsrx
6:48 navigate to firewall policy and select
6:51 unified policies our SRX device labeled
6:54 as jz-
6:56 cs-40 is configured to use both the the
6:59 IPS policy and the threat prevention
7:01 policy we configured earlier with that
7:04 let's now proceed on launching the
7:05 attack with juniper connected Security
7:07 in place to start we SSH to our attacker
7:11 machine our Target server has an IP
7:14 address 10.
7:17 0.1.4 from this SSH session we initiate
7:20 the attack using a python script and a
7:23 payload to download a Dream bassbot from
7:25 our malware download server at 192.168
7:28 71 51 which is also the attackers
7:31 machine we run the script and press
7:35 [Music]
7:36 enter so what
7:39 happened Juniper SRX through its IPS
7:43 detected the attack and dropped the
7:45 pocket to confirm this we access our
7:48 security director navigate to Monitor
7:51 and select events and logs followed by
7:56 IPS there we find an IDP attack log
8:00 event clicking more and show event
8:03 details provides information about the
8:05 source IP attack name policy name
8:09 destination ipn port and the action
8:13 taken additionally on the target server
8:16 we observe no HTTP pocket confirming the
8:20 attacks
8:22 failure next we want to test whether a
8:24 threat prevention policy can detect
8:27 malware to do this we reconfigure our
8:30 IPS policy to log the attack but not
8:33 drop the
8:34 pocket we've created a new IPS policy
8:37 named rocket mq policy no
8:41 action upon inspecting this policy
8:43 you'll notice that it includes the IBS
8:46 signature to detect the rocket mq
8:48 exploit but the action is set to no
8:52 action to apply this new policy to our
8:55 vsrx return to unified policies under
8:58 fir
8:59 policy go to the rules select the IPS
9:03 policy and use bracket mq policy no
9:09 action we will still use the same threat
9:12 prevention policy we have configured
9:14 earlier click okay save the changes and
9:18 publish this updated policy to our vsrx
9:28 device
9:35 with the policy adjustments made we
9:38 relaunch the
9:41 [Music]
9:47 talk W shark captures an HTTP get
9:50 request for dream bass
9:52 bot however inspecting the TCP stream
9:55 reveals that the SRX has blocked
9:58 response
9:59 due to possible malware
10:02 detection the exploit successfully reach
10:05 a rent point but the payload to download
10:07 brabas malware was
10:12 blocked we can confirm that when we go
10:14 back to our security
10:21 director and we can see that we have an
10:23 IDP attack lag event showing that we
10:27 detected the exploit selecting ATP Cloud
10:30 shows Advanced anti- malware action
10:36 log clicking Show event details provides
10:40 information like the source IP
10:42 destination IP and Port policy name
10:46 action taken and the
10:51 URL further details about this malicious
10:54 file can be found under threat
10:56 prevention by clicking on H HTTP file
11:01 download here the file dream bus bot is
11:04 detected at Threat Level
11:07 8 clicking on the hash reveals
11:10 additional information including
11:12 behavioral analysis network activity and
11:15 behavioral
11:20 details now we click on ATP Cloud hosts
11:24 note that while the attack was
11:26 unsuccessful recall that the security
11:29 policy being enforced on the vsrx locks
11:32 the host network activity when threats
11:35 at level 8 and above are detected in our
11:38 case our host Threat Level is now
11:41 categorized as nine due to the malicious
11:43 activity detected as a result this host
11:47 is now included in the infected host
11:49 feed what this means is that this host
11:51 10.
11:53 0.140 is now isolated and disconnected
11:56 from the network temporarily
11:59 clicking at this host provides us with
12:01 more details on why it is blocked which
12:04 in this case the host attempted to
12:07 download a malicious file we can confirm
12:10 that this host is disconnected as we
12:12 cannot ping or connect via rdps
12:15 [Music]
12:26 before once the admin is sure that the
12:29 host or server is indeed free from
12:31 infection she can first select the host
12:35 and then under the investigation status
12:37 section she can select resolved fixed
12:41 which changes the status of this host to
12:44 clean after a few moments this host will
12:48 be connected back to the network again
12:51 we can verify that once again by
12:53 connecting to it via RDP and browsing
12:56 the
12:57 net
13:03 [Music]
13:10 that completes our demo of Rocket mq
13:12 exploit check out more videos from the
13:15 Juniper trat Labs attack demo series by
13:18 visiting juniper.net thanks for watching