HIGH: Honeypot RocketMQ Scanner Events Report

DESCRIPTION LAST UPDATED: 2024-01-08

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have been observed performing scanning activity against RocketMQ honeypot sensors. This may include reconnaissance attempts by potential attackers, exploitation attempts (including botnets) or researchers scanning for exposed endpoints.

Apache RocketMQ is a popular distributed messaging and streaming platform.

Attacks may include exploitation attempts for CVE-2023-33246 and CVE-2023-37582, both CVSS 9.8 remote code execution (RCE) vulnerabilities. You can find more details in this blog by Juniper. See also DreamBus malware exploits RocketMQ flaw to infect servers.

Track RocketMQ scans seen by us on the Dashboard, for example here. You can also search for specific RocketMQ CVEs being exploited at a given point in time on our Exploited Vulnerabilities daily list. You can also check what devices are scanning RocketMQ by searching for rocketmq-scan type in our Attacking Devices daily list.

If you receive a report about scans coming from your network/constituency, make sure to investigate for possible malware infection, compromise or other abuse.

Severity levels are described here.

File name: event4_honeypot_rocketmq_scan

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • vulnerability_enum
    Vulnerability or exploit schema being used, for example CVE or EDB
  • vulnerability_id
    Id of vulnerability or exploit, for example CVE-2020-5902
  • vulnerability_class
    If set, then CVSS
  • vulnerability_score
    CVSS base score
  • vulnerability_severity
    CVSS severity, for example, CRITICAL or HIGH
  • vulnerability_version
    CVSS version of framework used, for example 3.1 or 3.0
  • threat_framework
    Set to MITRE ATT&CK
  • threat_tactic_id
    Array of tactic ids, example TA0001;TA0002
  • threat_technique_id
    Array of technique ids, example T1190;T1059
  • target_vendor
    Vendor that is being targeted
  • target_product
    Product that is being targeted
  • target_class
    Class of device/software being targeted, for example router
  • code
    RocketMQ request header code
  • flag
    RocketMQ request header flag
  • language
    RocketMQ request header language
  • opaque
    RocketMQ request header opaque
  • serialize_type
    RocketMQ request header serialize type
  • body
    RocketMQ request body
  • body_base64
    RocketMQ request body, base64-encoded

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","vulnerability_enum","vulnerability_id","vulnerability_class","vulnerability_score","vulnerability_severity","vulnerability_version","threat_framework","threat_tactic_id","threat_technique_id","target_vendor","target_product","target_class","code","flag","language","opaque","serialize_type","body","body_base64"
"2010-02-10 00:00:00",tcp,192.168.0.1,46168,64512,ZZ,Region,City,node01.example.com,0,,,,,high,172.16.0.1,20202,65534,ZZ,Region,City,node01.example.net,0,,,rocketmq-scan,,,rocketmq,401,,,,,,,,,,,,,,105,0,JAVA,1,JSON,,
"2010-02-10 00:00:01",tcp,192.168.0.2,45138,64512,ZZ,Region,City,node02.example.com,0,,,,,high,172.16.0.2,9876,65534,ZZ,Region,City,node02.example.net,0,"Education Services",,rocketmq-scan,,,rocketmq,0,,,,,,,,,,,,,,106,0,JAVA,0,JSON,,
"2010-02-10 00:00:02",tcp,192.168.0.3,40740,64512,ZZ,Region,City,node03.example.com,0,,,,,high,172.16.0.3,9443,65534,ZZ,Region,City,node03.example.net,0,,,rocketmq-scan,,,rocketmq,401,,,,,,,,,,,,,,105,0,JAVA,1,JSON,,
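The following is an added example, not part of the Shadowserver report or its tooling, showing how a recipient might parse this report layout and triage it: it builds constructed events in the exact column order listed above (values modelled on the sample rows), parses them back with the csv module, decodes body_base64, labels each event as reconnaissance or an exploit attempt from the vulnerability_id column, and tallies events by destination port and RocketMQ request code. The names in REQUEST_CODE_NAMES are an assumption taken from the upstream RocketMQ RequestCode constants (the report itself only carries the number), and the constructed fourth row with its CVE, CVSS values and placeholder body is test data, not observed traffic.

```python
import base64
import csv
import io
from collections import Counter

# Column order of event4_honeypot_rocketmq_scan, copied from the report's field list.
FIELDS = [
    "timestamp", "protocol", "src_ip", "src_port", "src_asn", "src_geo",
    "src_region", "src_city", "src_hostname", "src_naics", "src_sector",
    "device_vendor", "device_type", "device_model", "severity", "dst_ip",
    "dst_port", "dst_asn", "dst_geo", "dst_region", "dst_city", "dst_hostname",
    "dst_naics", "dst_sector", "public_source", "infection", "family", "tag",
    "application", "version", "event_id", "vulnerability_enum",
    "vulnerability_id", "vulnerability_class", "vulnerability_score",
    "vulnerability_severity", "vulnerability_version", "threat_framework",
    "threat_tactic_id", "threat_technique_id", "target_vendor",
    "target_product", "target_class", "code", "flag", "language", "opaque",
    "serialize_type", "body", "body_base64",
]

# Assumed mapping for the numeric `code` header field, from the upstream
# RocketMQ RequestCode constants; the report only carries the number.
REQUEST_CODE_NAMES = {
    25: "UPDATE_BROKER_CONFIG",
    105: "GET_ROUTEINFO_BY_TOPIC",
    106: "GET_BROKER_CLUSTER_INFO",
}


def make_row(**overrides):
    """Build one event in the report's layout. Base values mirror the page's
    sample rows; every row here is constructed test data, not live telemetry."""
    row = {name: "" for name in FIELDS}
    row.update({
        "timestamp": "2010-02-10 00:00:00", "protocol": "tcp",
        "src_ip": "192.168.0.1", "src_port": "46168", "src_asn": "64512",
        "src_geo": "ZZ", "severity": "high", "dst_ip": "172.16.0.1",
        "dst_port": "9876", "infection": "rocketmq-scan",
        "application": "rocketmq", "version": "401", "code": "105",
        "flag": "0", "language": "JAVA", "opaque": "1", "serialize_type": "JSON",
    })
    row.update(overrides)
    return row


CONSTRUCTED_EVENTS = [
    make_row(dst_port="20202", code="105"),
    make_row(src_ip="192.168.0.2", dst_port="9876", code="106", version="0"),
    make_row(src_ip="192.168.0.3", dst_port="9443", code="105"),
    # Constructed exploit-attempt row: CVE and CVSS values come from the report
    # text; the body is a harmless placeholder JSON document.
    make_row(src_ip="192.168.0.4", dst_port="10911", code="25",
             vulnerability_enum="CVE", vulnerability_id="CVE-2023-33246",
             vulnerability_class="CVSS", vulnerability_score="9.8",
             vulnerability_severity="CRITICAL", vulnerability_version="3.1",
             body_base64=base64.b64encode(b'{"placeholder": true}').decode()),
]


def to_csv(rows):
    """Serialise events the way the report is delivered (header + CSV rows)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_report(text):
    """Parse report text into dicts; refuse files missing documented columns."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"unexpected report layout, missing: {sorted(missing)}")
    return list(reader)


def request_code_name(row):
    code = int(row["code"]) if row["code"] else None
    return REQUEST_CODE_NAMES.get(code, f"UNKNOWN({row['code']})")


def decode_body(row):
    """Return the request body as bytes, preferring body_base64 because the raw
    body column may not survive CSV transport intact. None when both are empty."""
    if row["body_base64"]:
        return base64.b64decode(row["body_base64"])
    if row["body"]:
        return row["body"].encode()
    return None


def classify(row):
    """Exploit attempt when the sensor attached a vulnerability id, else recon."""
    return "exploit-attempt" if row["vulnerability_id"] else "recon"


def summarize(rows):
    by_port_code = Counter((r["dst_port"], request_code_name(r)) for r in rows)
    by_class = Counter(classify(r) for r in rows)
    exploit_sources = sorted({(r["src_ip"], r["vulnerability_id"])
                              for r in rows if r["vulnerability_id"]})
    return {"by_port_code": dict(by_port_code), "by_class": dict(by_class),
            "exploit_sources": exploit_sources}


if __name__ == "__main__":
    events = parse_report(to_csv(CONSTRUCTED_EVENTS))
    for key, value in summarize(events).items():
        print(key, value)
```

On a real delivery, replace to_csv(CONSTRUCTED_EVENTS) with the file contents; the column check in parse_report is what protects the rest of the pipeline when Shadowserver adds or reorders fields.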
