PT-2024-12430 · Apache · Apache Rocketmq

Published

2024-10-03

·

Updated

2024-10-22

·

CVE-2023-33426

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Apache RocketMQ (affected versions not specified)
Description: The entry concerns a stealthy Linux malware named perfctl, which targets millions of Linux servers. For initial access it exploits more than 20,000 common misconfigurations as well as a critical vulnerability in Apache RocketMQ. Perfctl is especially evasive and persistent: when a new user logs in, it stops all 'noisy' activity and stays dormant until the server is idle again. After execution it deletes its own binary and keeps running quietly in the background as a service, so the live process has no backing file on disk. The malware can deliver further payloads, install a rootkit to evade security controls, and run a cryptocurrency miner; in some cases it also retrieves and executes proxying software from a remote server. Millions of internet-connected machines are potential targets.
Recommendations: To reduce the risk, keep systems and software up to date, restrict file execution (for example, mount writable locations such as /tmp with noexec), disable unused services, segment the network, and implement role-based access control (RBAC) to limit access to critical files. Monitoring for unusual spikes in CPU usage or system slowdowns can also help detect perfctl, since these may indicate cryptocurrency mining; because the malware goes quiet when a user logs in, the spikes are most visible while the machine is otherwise idle. Since initial access also relies on misconfigurations, patching Apache RocketMQ alone does not remove the exposure. At the moment there is no information about a release that fixes this vulnerability.
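The two checks the recommendations above imply, as an added example that is not part of this entry or of any published perfctl analysis: a POSIX shell script that lists running processes whose executable has been unlinked (the link target of /proc/PID/exe ends in " (deleted)", which is the state a process is left in when malware removes its own binary) together with their accumulated CPU ticks, and a check of whether writable mount points such as /tmp carry the noexec option. The function names are assumptions, and the proc tree and mounts listing built in demo() are constructed for the demonstration; the PIDs, paths and CPU figures there are invented, not indicators of compromise.

```shell
#!/bin/sh
# Added example: two offline-testable checks that follow from the advice
# above. Function names, sample PIDs, paths and counters are assumptions
# made up for the demonstration.

# Print "PID COMM CPU_TICKS EXE" for every process whose executable has been
# unlinked. /proc/PID/exe is a link to the running binary; when that file is
# deleted the kernel appends " (deleted)" to the link target. PROC_ROOT
# defaults to the live /proc and may point at a test tree.
scan_deleted_exe_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Without privileges readlink fails on other users' processes; skip them.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $exe in
            *" (deleted)") ;;
            *) continue ;;
        esac
        pid=${dir##*/}
        stat=$(cat "$dir/stat" 2>/dev/null) || continue
        # Drop everything up to the ") " that closes the comm field; in what is
        # left, utime and stime (stat fields 14 and 15) are words 12 and 13.
        rest=${stat##*") "}
        set -- $rest
        cpu_ticks=$(( ${12} + ${13} ))
        comm=$(cat "$dir/comm" 2>/dev/null)
        printf '%s %s %s %s\n' "$pid" "$comm" "$cpu_ticks" "$exe"
    done
}

# Print "MOUNTPOINT OPTIONS" for each given mount point in a /proc/mounts-style
# file that is not mounted noexec (or is not a separate mount at all), i.e.
# where a dropped file could still be executed.
exec_allowed_mounts() {
    mounts=$1
    shift
    for mp in "$@"; do
        opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
        if [ -z "$opts" ]; then
            echo "$mp not-a-separate-mount"
            continue
        fi
        case ",$opts," in
            *,noexec,*) ;;
            *) echo "$mp $opts" ;;
        esac
    done
}

# Constructed sample data so both checks run offline: a fake proc tree with
# one process (4242) whose binary was unlinked and one normal process (4243),
# plus a mounts listing in which /tmp lacks noexec and /dev/shm has it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/proc/4242" "$root/proc/4243"
    ln -s "/tmp/.x/worker (deleted)" "$root/proc/4242/exe"
    printf 'worker\n' > "$root/proc/4242/comm"
    printf '4242 (worker) S 1 4242 4242 0 -1 4194560 0 0 0 0 123456 7890 0 0 20 0 1 0 100 0 0\n' \
        > "$root/proc/4242/stat"
    ln -s /usr/bin/sleep "$root/proc/4243/exe"
    printf 'sleep\n' > "$root/proc/4243/comm"
    printf '4243 (sleep) S 1 4243 4243 0 -1 4194560 0 0 0 0 1 2 0 0 20 0 1 0 100 0 0\n' \
        > "$root/proc/4243/stat"
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n' > "$root/mounts"
    printf 'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n' >> "$root/mounts"
    printf 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0\n' >> "$root/mounts"
    scan_deleted_exe_procs "$root/proc"
    exec_allowed_mounts "$root/mounts" /tmp /dev/shm
    rm -rf "$root"
}

# Run the constructed demonstration; on a real host call
# scan_deleted_exe_procs as root and exec_allowed_mounts /proc/mounts /tmp.
demo
```

On a live host, run scan_deleted_exe_procs as root so that every /proc/PID/exe can be read. A hit is a lead rather than proof: a daemon that was running when its package was upgraded also shows "(deleted)" until it is restarted, so compare the reported path and CPU ticks against what the system is expected to run, and treat a high-CPU process whose deleted binary lived under a world-writable directory as the case worth pulling for forensics.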

Related Identifiers

CVE-2023-33426

Affected Products

Apache Rocketmq